/// <summary>
/// Signs JWT token using the private key and returns the serialized assertion.
/// </summary>
/// <param name="payload">the JWT payload to sign.</param>
private string CreateAssertionFromPayload(JsonWebSignature.Payload payload)
{
string serializedHeader = CreateSerializedHeader();
string serializedPayload = NewtonsoftJsonSerializer.Instance.Serialize(payload);
var assertion = new StringBuilder();
assertion.Append(TokenEncodingHelpers.UrlSafeBase64Encode(serializedHeader))
.Append('.')
.Append(TokenEncodingHelpers.UrlSafeBase64Encode(serializedPayload));
var signature = CreateSignature(Encoding.ASCII.GetBytes(assertion.ToString()));
assertion.Append('.').Append(TokenEncodingHelpers.UrlSafeEncode(signature));
return(assertion.ToString());
}
public async Task JwtScopes_UseAud(bool useJwtAccessWithScopes)
{
var clock = new MockClock(new DateTime(2016, 1, 1, 0, 0, 0, DateTimeKind.Utc));
var initializer = new ServiceAccountCredential.Initializer("some-id")
{
UseJwtAccessWithScopes = useJwtAccessWithScopes,
Clock = clock
}.FromPrivateKey(PrivateKey);
var cred = new ServiceAccountCredential(initializer);
Assert.False(cred.HasExplicitScopes); // Must be false for the remainder of this test to be valid.
var jwt0 = await cred.GetAccessTokenForRequestAsync("uri0");
byte[] decoded = TokenEncodingHelpers.Base64UrlDecode(jwt0.Split(new char[] { '.' })[1]);
string payload = System.Text.Encoding.UTF8.GetString(decoded);
Assert.Contains("\"aud\":\"uri0\"", payload);
Assert.DoesNotContain("scope", payload);
}
public async Task FetchesOidcToken_CorrectPayloadSent()
{
// A little bit after the tokens returned from OidcTokenFakes were issued.
var clock = new MockClock(new DateTime(2020, 5, 13, 15, 0, 0, 0, DateTimeKind.Utc));
var messageHandler = new OidcTokenResponseSuccessMessageHandler();
var initializer = new ServiceAccountCredential.Initializer("MyId", "http://will.be.ignored")
{
Clock = clock,
ProjectId = "a_project_id",
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var credential = new ServiceAccountCredential(initializer.FromPrivateKey(PrivateKey));
var expectedPayload = new JsonWebSignature.Payload
{
Issuer = "MyId",
Subject = "MyId",
Audience = GoogleAuthConsts.OidcTokenUrl,
IssuedAtTimeSeconds = (long)(clock.UtcNow - UnixEpoch).TotalSeconds,
ExpirationTimeSeconds = (long)(clock.UtcNow.Add(JwtLifetime) - UnixEpoch).TotalSeconds,
TargetAudience = "any_audience"
};
var serializedExpectedPayload = NewtonsoftJsonSerializer.Instance.Serialize(expectedPayload);
var urlSafeEncodedExpectedPayload = TokenEncodingHelpers.UrlSafeBase64Encode(serializedExpectedPayload);
var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("any_audience"));
await oidcToken.GetAccessTokenAsync();
var requestFormDict = messageHandler.LatestRequestContent.Split('&')
.ToDictionary(entry => entry.Split('=')[0], entry => entry.Split('=')[1]);
var assertion = requestFormDict["assertion"];
// Assertion format shoould be headers.payload.signature
var encodedPayload = assertion.Split('.')[1];
Assert.Contains(urlSafeEncodedExpectedPayload, encodedPayload);
}
public async Task FromStream_ServiceAccountCredential_GetJwtAccessToken()
{
var stream = new MemoryStream(Encoding.UTF8.GetBytes(DummyServiceAccountCredentialFileContents));
var credential = GoogleCredential.FromStream(stream);
// Without adding scopes, the credential should be generating JWT scopes.
string accessToken = await(credential as ITokenAccess).GetAccessTokenForRequestAsync(DummyAuthUri);
var parts = accessToken.Split(new[] { '.' });
Assert.Equal(3, parts.Length);
var header = NewtonsoftJsonSerializer.Instance.Deserialize <JsonWebSignature.Header>(TokenEncodingHelpers.Base64UrlToString(parts[0]));
Assert.Equal("JWT", header.Type);
Assert.Equal("RS256", header.Algorithm);
var payload = NewtonsoftJsonSerializer.Instance.Deserialize <JsonWebSignature.Payload>(TokenEncodingHelpers.Base64UrlToString(parts[1]));
Assert.Equal("CLIENT_EMAIL", payload.Issuer);
Assert.Equal("CLIENT_EMAIL", payload.Subject);
Assert.Equal(DummyAuthUri, payload.Audience);
Assert.Equal(3600, payload.ExpirationTimeSeconds - payload.IssuedAtTimeSeconds);
}
