feat: service account is able to use a private token endpoint (#784)
In [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect), users can use an endpoint which is private to their VPC network. The request is eventually routed to the oauth2.googleapis.com/token so the "aud" in the assertion still should be oauth2.googleapis.com/token.
After this change, service account can send requests to the private endpoint (if configured) and still use the oauth2.googleapis.com/token in the assertion.
diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py
index dd36589..8f18f26 100644
--- a/google/oauth2/service_account.py
+++ b/google/oauth2/service_account.py
@@ -80,6 +80,7 @@
from google.oauth2 import _client
_DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds
+_GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
class Credentials(
@@ -382,7 +383,7 @@
# The issuer must be the service account email.
"iss": self._service_account_email,
# The audience must be the auth token endpoint's URI
- "aud": self._token_uri,
+ "aud": _GOOGLE_OAUTH2_TOKEN_ENDPOINT,
"scope": _helpers.scopes_to_string(self._scopes or ()),
}
@@ -643,7 +644,7 @@
# The issuer must be the service account email.
"iss": self.service_account_email,
# The audience must be the auth token endpoint's URI
- "aud": self._token_uri,
+ "aud": _GOOGLE_OAUTH2_TOKEN_ENDPOINT,
# The target audience specifies which service the ID token is
# intended for.
"target_audience": self._target_audience,
diff --git a/tests/oauth2/test_service_account.py b/tests/oauth2/test_service_account.py
index 5852d37..370438f 100644
--- a/tests/oauth2/test_service_account.py
+++ b/tests/oauth2/test_service_account.py
@@ -167,7 +167,7 @@
token = credentials._make_authorization_grant_assertion()
payload = jwt.decode(token, PUBLIC_CERT_BYTES)
assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
- assert payload["aud"] == self.TOKEN_URI
+ assert payload["aud"] == service_account._GOOGLE_OAUTH2_TOKEN_ENDPOINT
def test__make_authorization_grant_assertion_scoped(self):
credentials = self.make_credentials()
@@ -440,7 +440,7 @@
token = credentials._make_authorization_grant_assertion()
payload = jwt.decode(token, PUBLIC_CERT_BYTES)
assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
- assert payload["aud"] == self.TOKEN_URI
+ assert payload["aud"] == service_account._GOOGLE_OAUTH2_TOKEN_ENDPOINT
assert payload["target_audience"] == self.TARGET_AUDIENCE
@mock.patch("google.oauth2._client.id_token_jwt_grant", autospec=True)
diff --git a/tests_async/oauth2/test_service_account_async.py b/tests_async/oauth2/test_service_account_async.py
index 4079453..3dce13d 100644
--- a/tests_async/oauth2/test_service_account_async.py
+++ b/tests_async/oauth2/test_service_account_async.py
@@ -152,7 +152,10 @@
token = credentials._make_authorization_grant_assertion()
payload = jwt.decode(token, test_service_account.PUBLIC_CERT_BYTES)
assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
- assert payload["aud"] == self.TOKEN_URI
+ assert (
+ payload["aud"]
+ == service_account.service_account._GOOGLE_OAUTH2_TOKEN_ENDPOINT
+ )
def test__make_authorization_grant_assertion_scoped(self):
credentials = self.make_credentials()
@@ -311,7 +314,10 @@
token = credentials._make_authorization_grant_assertion()
payload = jwt.decode(token, test_service_account.PUBLIC_CERT_BYTES)
assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
- assert payload["aud"] == self.TOKEN_URI
+ assert (
+ payload["aud"]
+ == service_account.service_account._GOOGLE_OAUTH2_TOKEN_ENDPOINT
+ )
assert payload["target_audience"] == self.TARGET_AUDIENCE
@mock.patch("google.oauth2._client_async.id_token_jwt_grant", autospec=True)