Bug fixes for JWT with scope and token extras (#124)

README.md

@@ -262,17 +262,17 @@ $ oauth2l fetch --type oauth --credentials ~/client_credentials.json --scope clo
 
 When jwt is selected and the json file specified in the `--credentials` option
 is a service account key file, a JWT token signed by the service account private
-key will be generated. Either `--scope` or `--audience` must be specified for
+key will be generated. Either `--audience` or `--scope` must be specified for
 this option. See how to construct the audience [here](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwt-auth).
 
-- With scope:
+- With audience:
  ```bash
- $ oauth2l fetch --type jwt --credentials ~/client_credentials.json --scope cloud-platform
+ $ oauth2l fetch --type jwt --credentials ~/service_account.json --audience https://pubsub.googleapis.com/
  ```
 
-- With audience:
+- With scope:
  ```bash
- $ oauth2l fetch --type jwt --credentials ~/service_account.json --audience https://pubsub.googleapis.com/
+ $ oauth2l fetch --type jwt --credentials ~/service_account.json --scope cloud-platform
  ```
 
 #### sso

integration/golden/no-scope-or-audience.golden

@@ -1 +1 @@
-neither audience nor scope is provided
+Neither audience nor scope argument is provided for JWT

main.go

@@ -316,11 +316,17 @@ func main() {
  }
  }
 
+ scopes := getScopesWithFallback(scope, remainingArgs...)
+ if audience == "" && len(scopes) < 1 {
+ fmt.Println("Neither audience nor scope argument is provided for JWT")
+ return
+ }
+
  settings = &util.Settings{
  AuthType: util.AuthTypeJWT,
  CredentialsJSON: json,
  Audience: audience,
- Scope: scope,
+ Scope: parseScopes(scopes),
  }
  } else if authType == util.AuthTypeSSO {
  // Fallback to reading email from first remaining arg

util/cache.go

@@ -53,7 +53,6 @@ func LookupCache(settings *Settings) (*oauth2.Token, error) {
  if CacheLocation == "" {
  return nil, nil
  }
- var token oauth2.Token
  var cache, err = loadCache()
  if err != nil {
  return nil, err
@@ -63,11 +62,7 @@ func LookupCache(settings *Settings) (*oauth2.Token, error) {
  return nil, err
  }
  val := cache[string(key)]
- err = json.Unmarshal(val, &token)
- if err != nil {
- return nil, err
- }
- return &token, nil
+ return UnmarshalWithExtras(val)
 }
 
 func InsertCache(settings *Settings, token *oauth2.Token) error {
@@ -78,7 +73,7 @@ func InsertCache(settings *Settings, token *oauth2.Token) error {
  if err != nil {
  return err
  }
- val, err := json.Marshal(*token)
+ val, err := MarshalWithExtras(token, "")
  if err != nil {
  return err
  }
@@ -155,3 +150,43 @@ func GuessUnixHomeDir() string {
  }
  return ""
 }
+
+// Marshals the given oauth2.Token into a JSON bytearray and include Extra
+// fields that normally would be omitted with default marshalling.
+func MarshalWithExtras(token *oauth2.Token, indent string) ([]byte, error) {
+ data, err := json.Marshal(token)
+ if err != nil {
+ return nil, err
+ }
+ var m map[string]string
+ err = json.Unmarshal(data, &m)
+ if err != nil {
+ return nil, err
+ }
+ if token.Extra("issued_token_type") != nil {
+ m["issued_token_type"] = token.Extra("issued_token_type").(string)
+ }
+ if token.Extra("id_token") != nil {
+ m["id_token"] = token.Extra("id_token").(string)
+ }
+ if token.Extra("scope") != nil {
+ m["scope"] = token.Extra("scope").(string)
+ }
+ return json.MarshalIndent(m, "", indent)
+}
+
+// Unmarshals the given JSON bytearray into oauth2.Token and include Extra
+// fields that normally would be omitted with default unmarshalling.
+func UnmarshalWithExtras(data []byte) (*oauth2.Token, error) {
+ var extra map[string]interface{}
+ err := json.Unmarshal(data, &extra)
+ if err != nil {
+ return nil, err
+ }
+ var token oauth2.Token
+ err = json.Unmarshal(data, &token)
+ if err != nil {
+ return nil, err
+ }
+ return token.WithExtra(extra), nil
+}

util/fetch.go

@@ -40,8 +40,7 @@ func newTokenSource(ctx context.Context, settings *Settings) (*oauth2.TokenSourc
  } else if settings.GetAuthType() == AuthTypeJWT {
  ts, err = JWTTokenSource(ctx, settings)
  } else {
- return nil, fmt.Errorf(
- "Unsupported authentcation method: %s", settings.GetAuthType())
+ return nil, fmt.Errorf("Unsupported authentcation method: %s", settings.GetAuthType())
  }
  if err != nil {
  return nil, err
@@ -86,7 +85,7 @@ func JWTTokenSource(ctx context.Context, settings *Settings) (oauth2.TokenSource
  } else if settings.Scope != "" {
  return google.JWTAccessTokenSourceWithScope(creds.JSON, settings.Scope)
  } else {
- return nil, errors.New("neither audience nor scope is provided")
+ return nil, errors.New("Neither audience nor scope is provided for JWTTokenSource")
  }
 }
 

util/tasks.go

@@ -227,27 +227,6 @@ func getCredentialType(creds *google.Credentials) string {
  return ""
 }
 
-// Marshals the given oauth2.Token into a JSON bytearray and include Extra
-// fields that normally would be omitted with default marshalling.
-func marshalWithExtras(token *oauth2.Token, indent string) ([]byte, error) {
- data, err := json.Marshal(token)
- if err != nil {
- return nil, err
- }
- var m map[string]string
- err = json.Unmarshal(data, &m)
- if err != nil {
- return nil, err
- }
- if token.Extra("issued_token_type") != nil {
- m["issued_token_type"] = token.Extra("issued_token_type").(string)
- }
- if token.Extra("id_token") != nil {
- m["id_token"] = token.Extra("id_token").(string)
- }
- return json.MarshalIndent(m, "", indent)
-}
-
 // Prints the token with the specified format.
 func printToken(token *oauth2.Token, format string, settings *Settings) {
  if token != nil {
@@ -295,7 +274,7 @@ func printHeader(tokenType string, token string) {
 }
 
 func printJson(token *oauth2.Token, indent string) {
- data, err := marshalWithExtras(token, indent)
+ data, err := MarshalWithExtras(token, indent)
  if err != nil {
  log.Fatal(err.Error())
  return