public async Task OidcTokenProvider_ComputeCredential()
        {
            // Integration test: requests an OIDC token for a fixed audience from the
            // compute credential, then verifies the token's signature and audience.
            const string audience = "https://this.is.a.test";

            // This test only executes on GCE, so a ComputeCredential is certain to exist.
            GoogleCredential computeCredential = GoogleCredential.FromComputeCredential();
            OidcTokenOptions tokenOptions = OidcTokenOptions.FromTargetAudience(audience);
            OidcToken oidcToken = await computeCredential.GetOidcTokenAsync(tokenOptions);

            // An access token (really the id_token) must be available.
            Assert.NotNull(await oidcToken.GetAccessTokenAsync());
            // When IdToken is set and AccessToken is not, AccessToken is set to
            // IdToken, so AccessToken can always be checked for null here.
            Assert.NotNull(oidcToken.TokenResponse.AccessToken);
            // The endpoint does not send an expiry, but it is set to the id_token
            // expiry.
            Assert.NotNull(oidcToken.TokenResponse.ExpiresInSeconds);

            // Only the audience is pinned for verification; no other verification
            // option is set in this test.
            var verificationOptions = new SignedTokenVerificationOptions
            {
                TrustedAudiences = { audience },
            };

            // Fetch the token again and verify it against the pinned audience.
            string signedToken = await oidcToken.GetAccessTokenAsync();
            var verifiedPayload = await JsonWebSignature.VerifySignedTokenAsync(signedToken, verificationOptions);

            Assert.NotNull(verifiedPayload);
            Assert.Contains(audience, verifiedPayload.AudienceAsList);
        }
Ejemplo n.º 2
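    /// <summary>
    /// Obtains an OIDC token for authenticating an IAP request, using the
    /// application default credentials.
    /// </summary>
    /// <param name="iapClientId">The client ID observed on
    /// https://console.cloud.google.com/apis/credentials. It is passed as the
    /// target audience of the requested token.</param>
    /// <param name="cancellationToken">The token to propagate operation cancel notifications.</param>
    /// <returns>The OIDC token requested for <paramref name="iapClientId"/>.</returns>
    /// <remarks>
    /// The returned token is a bearer credential for the audience it was issued
    /// to; keep it out of logs, error messages and telemetry.
    /// </remarks>
    public async Task<OidcToken> GetOidcTokenAsync(string iapClientId, CancellationToken cancellationToken)
    {
        // Obtain the application default credentials.
        GoogleCredential credential = await GoogleCredential
            .GetApplicationDefaultAsync(cancellationToken)
            .ConfigureAwait(false);

        // Request an OIDC token whose audience is the Cloud IAP-secured client ID.
        OidcTokenOptions options = OidcTokenOptions.FromTargetAudience(iapClientId);
        return await credential.GetOidcTokenAsync(options, cancellationToken).ConfigureAwait(false);
    }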
Ejemplo n.º 3
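    /// <summary>
    /// Obtains an OIDC token for authenticating an IAP request, using
    /// credentials read from a .json file.
    /// </summary>
    /// <param name="iapClientId">The client ID observed on
    /// https://console.cloud.google.com/apis/credentials. It is passed as the
    /// target audience of the requested token.</param>
    /// <param name="credentialsFilePath">Path to the credentials .json file
    /// downloaded from https://console.cloud.google.com/apis/credentials.
    /// </param>
    /// <param name="cancellationToken">The token to propagate operation cancel notifications.</param>
    /// <returns>The OIDC token requested for <paramref name="iapClientId"/>.</returns>
    /// <remarks>
    /// The credentials file is secret material: keep it out of source control
    /// and restrict read access to the account that runs this code. The
    /// returned token is a bearer credential; keep it out of logs and error
    /// messages.
    /// </remarks>
    public async Task<OidcToken> GetOidcTokenAsync(string iapClientId, string credentialsFilePath, CancellationToken cancellationToken)
    {
        // Read credentials from the credentials .json file.
        GoogleCredential credential = await GoogleCredential
            .FromFileAsync(credentialsFilePath, cancellationToken)
            .ConfigureAwait(false);

        // Request an OIDC token whose audience is the Cloud IAP-secured client ID.
        OidcTokenOptions options = OidcTokenOptions.FromTargetAudience(iapClientId);
        return await credential.GetOidcTokenAsync(options, cancellationToken).ConfigureAwait(false);
    }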