Use an OAuth 2.0 access token for Domain-Wide Delegation

google-github-actions · Feb 2, 2024 · 6a18503 · 6a18503
1 parent 5a50e58
commit 6a18503
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/src/client/workload_identity_federation.ts b/src/client/workload_identity_federation.ts
@@ -80,7 +80,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
     const logger = this._logger.withNamespace(`getToken`);
 
     const now = new Date().getTime();
-    if (this.#cachedToken && this.#cachedAt && now - this.#cachedAt > 60_000) {
+    if (this.#cachedToken && this.#cachedAt && now - this.#cachedAt < 30_000) {
       logger.debug(`Using cached token`, {
         now: now,
         cachedAt: this.#cachedAt,
@@ -141,7 +141,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
     const pth = `${this._endpoints.iamcredentials}/projects/-/serviceAccounts/${this.#serviceAccount}:signJwt`;
 
     const headers = {
-      Authorization: `Bearer ${this.getToken()}`,
+      Authorization: `Bearer ${await this.getToken()}`,
     };
 
     const body = {

diff --git a/src/main.ts b/src/main.ts
@@ -282,11 +282,14 @@ async function main(logger: Logger) {
         );
       }
 
+      let accessToken: string;
+
       // If a subject was provided, use the traditional OAuth 2.0 flow to
       // perform Domain-Wide Delegation. Otherwise, use the modern IAM
       // Credentials endpoints.
-      let accessToken;
       if (accessTokenSubject) {
+        logger.debug(`Using Domain-Wide Delegation flow`);
+
         if (accessTokenLifetime > 3600) {
           logger.info(
             `An access token subject was specified, triggering Domain-Wide ` +
@@ -302,9 +305,9 @@ async function main(logger: Logger) {
           accessTokenLifetime,
         );
         const signedJWT = await client.signJWT(unsignedJWT);
-
         accessToken = await iamCredentialsClient.generateDomainWideDelegationAccessToken(signedJWT);
       } else {
+        logger.debug(`Using normal access token flow`);
         accessToken = await iamCredentialsClient.generateAccessToken({
           serviceAccount,
           delegates,