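/// <summary>
/// Requests a new token as specified in
/// https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest.
/// </summary>
/// <param name="taskCancellationToken">Cancellation token to cancel operation.</param>
/// <returns><c>true</c> if a new token was received successfully.</returns>
public override async Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)
{
    // The assertion is base64url(header) "." base64url(payload), later extended
    // with "." base64url(signature) once the first two parts have been signed.
    string serializedHeader = CreateSerializedHeader();
    string serializedPayload = GetSerializedPayload();

    var assertion = new StringBuilder();
    assertion.Append(UrlSafeBase64Encode(serializedHeader))
        .Append(".")
        .Append(UrlSafeBase64Encode(serializedPayload));

    // Sign the header and the payload. The hash object is IDisposable, so it is
    // scoped with 'using' instead of being left for the finalizer. The OID handed
    // to SignHash identifies SHA-256 and must match the digest computed here.
    byte[] assertionHash;
    using (var hashAlg = new SHA256CryptoServiceProvider())
    {
        assertionHash = hashAlg.ComputeHash(Encoding.ASCII.GetBytes(assertion.ToString()));
    }
    var signature = UrlSafeBase64Encode(key.SignHash(assertionHash, "2.16.840.1.101.3.4.2.1" /* SHA-256 OID */));
    assertion.Append(".").Append(signature);

    // Create the request.
    var request = new GoogleAssertionTokenRequest() { Assertion = assertion.ToString() };
    // NOTE(review): the assertion is a signed credential that the token server
    // accepts in exchange for an access token until it expires; writing it to the
    // log at Debug level makes it readable by anyone with log access.
    Logger.Debug("Request a new access token. Assertion data is: " + request.Assertion);
    var newToken = await request.ExecuteAsync(HttpClient, TokenServerUrl, taskCancellationToken, Clock)
        .ConfigureAwait(false);
    Token = newToken;
    return true;
}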
/// <summary>
/// Requests a new token as specified in
/// https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest.
/// </summary>
/// <param name="taskCancellationToken">Cancellation token to cancel operation.</param>
/// <returns><c>true</c> if a new token was received successfully.</returns>
public async Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)
{
    // Unsigned part of the assertion: base64url(header) "." base64url(payload).
    string encodedHeader = UrlSafeBase64Encode(CreateSerializedHeader());
    string encodedPayload = UrlSafeBase64Encode(GetSerializedPayload());
    string signingInput = string.Join(".", encodedHeader, encodedPayload);

    // Sign the header and the payload with the service account key (SHA-256 digest),
    // then append the base64url signature as the third segment.
    byte[] signatureBytes = key.SignData(Encoding.ASCII.GetBytes(signingInput), "SHA256");
    string assertionText = signingInput + "." + UrlSafeBase64Encode(signatureBytes);

    // Create the request.
    var tokenRequest = new GoogleAssertionTokenRequest() { Assertion = assertionText };
    // NOTE(review): the assertion is a signed credential exchangeable for an access
    // token while it is valid; logging it at Debug exposes it to log readers.
    Logger.Debug("Request a new access token. Assertion data is: " + tokenRequest.Assertion);

    Token = await tokenRequest.ExecuteAsync(httpClient, tokenServerUrl, taskCancellationToken, Clock)
        .ConfigureAwait(false);
    return true;
}
/// <summary>
/// Builds an OIDC assertion JWT for <paramref name="options"/>, exchanges it at the
/// token server, and stores the returned token on <paramref name="caller"/>.
/// </summary>
/// <param name="caller">Refresh manager whose <c>Token</c> receives the new token.</param>
/// <param name="options">Options describing the OIDC token to request.</param>
/// <param name="cancellationToken">Cancellation token to cancel operation.</param>
/// <returns><c>true</c> once the token has been stored on <paramref name="caller"/>.</returns>
private async Task<bool> RefreshOidcTokenAsync(TokenRefreshManager caller, OidcTokenOptions options, CancellationToken cancellationToken)
{
    // The JWT is valid from "now" for JwtLifetime, as measured by the injected Clock.
    var issuedAt = Clock.UtcNow;
    var expiresAt = issuedAt + JwtLifetime;

    var assertionRequest = new GoogleAssertionTokenRequest()
    {
        Assertion = CreateJwtAccessTokenForOidc(options, issuedAt, expiresAt)
    };
    var refreshed = await assertionRequest
        .ExecuteAsync(HttpClient, TokenServerUrl, cancellationToken, Clock)
        .ConfigureAwait(false);
    caller.Token = refreshed;
    return true;
}
/// <summary>
/// Requests a new token as specified in
/// https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest.
/// </summary>
/// <param name="taskCancellationToken">Cancellation token to cancel operation.</param>
/// <returns><c>true</c> if a new token was received successfully.</returns>
public override async Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)
{
    // Build the signed assertion from a freshly created payload, then wrap it in a request.
    string signedAssertion = CreateAssertionFromPayload(CreatePayload());
    var tokenRequest = new GoogleAssertionTokenRequest() { Assertion = signedAssertion };

    // NOTE(review): the assertion is a signed credential exchangeable for an access
    // token while it is valid; logging it at Debug exposes it to log readers.
    Logger.Debug("Request a new access token. Assertion data is: " + tokenRequest.Assertion);

    Token = await tokenRequest
        .ExecuteAsync(HttpClient, TokenServerUrl, taskCancellationToken, Clock)
        .ConfigureAwait(false);
    return true;
}
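/// <summary>
/// Authenticates using the client id and credentials, then fetches
/// the uri.
/// </summary>
/// <param name="iapClientId">The client id observed on
/// https://console.cloud.google.com/apis/credentials.</param>
/// <param name="credentialsFilePath">Path to the credentials .json file
/// download from https://console.cloud.google.com/apis/credentials.
/// </param>
/// <param name="uri">HTTP uri to fetch. The OIDC token is sent as a bearer
/// header to whatever host this names, so it must not come from an untrusted
/// source.</param>
/// <returns>The http response body as a string.</returns>
public static string InvokeRequest(string iapClientId, string credentialsFilePath, string uri)
{
    // Read credentials from the credentials .json file.
    ServiceAccountCredential saCredential;
    using (var fs = File.OpenRead(credentialsFilePath))
    {
        saCredential = ServiceAccountCredential.FromServiceAccountData(fs);
    }

    // Generate a JWT signed with the service account's private key
    // containing a special "target_audience" claim.
    var jwtBasedAccessToken = CreateAccessToken(saCredential, iapClientId);

    // Request an OIDC token for the Cloud IAP-secured client ID.
    // GetAwaiter().GetResult() instead of .Result so a failure surfaces as the
    // underlying exception rather than an AggregateException. This still blocks
    // the calling thread; callers running on a synchronization context should
    // prefer an async entry point.
    var req = new GoogleAssertionTokenRequest() { Assertion = jwtBasedAccessToken };
    var result = req.ExecuteAsync(saCredential.HttpClient, saCredential.TokenServerUrl,
        CancellationToken.None, saCredential.Clock).GetAwaiter().GetResult();
    string token = result.IdToken;

    // Include the OIDC token in an Authorization: Bearer header to the
    // IAP-secured resource. The client is disposed when the call completes.
    using (var httpClient = new HttpClient())
    {
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return httpClient.GetStringAsync(uri).GetAwaiter().GetResult();
    }
}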