feat: Add support for Workforce Identity Pools external credentials.

Author: amanda-tarafa

Src/Support/Google.Apis.Auth.Tests/OAuth2/DefaultCredentialProviderTests.cs

@@ -126,6 +126,20 @@ public class DefaultCredentialProviderTests
 ""subject_token_type"": ""urn:ietf:params:oauth:token-type:jwt"",
 ""service_account_impersonation_url"": ""https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$EMAIL:generateAccessToken"",
 ""token_url"": ""https://sts.googleapis.com/v1/token"",
+""credential_source"": {
+  ""headers"": {
+    ""Metadata"": ""True""
+  },
+  ""url"": ""http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID"",
+  ""format"": {
+    ""type"": ""json"",
+    ""subject_token_field_name"": ""access_token""}}}";
+        private const string DummyUrlSourcedWorkforceExternalAccountCredentialFileContents = @"{
+""type"":""external_account"",
+""audience"":""//iam.googleapis.com/locations/global/workforcePools/pool/providers/oidc-google"",
+""subject_token_type"":""urn:ietf:params:oauth:token-type:id_token"",
+""token_url"":""https://sts.googleapis.com/v1/token"",
+""workforce_pool_user_project"": ""user_project"",
 ""credential_source"": {
   ""headers"": {
     ""Metadata"": ""True""
@@ -267,6 +281,20 @@ public async Task GetDefaultCredential_UrlSourcedExternalAccountCredential_Imper
             Assert.IsType<ImpersonatedCredential>(impersonatedExternalCredential.ImplicitlyImpersonated.Value);
         }
 
+        [Fact]
+        public async Task GetDefaultCredential_UrlSourcedExternalAccountCredential_WorkforceIdentity()
+        {
+            // Setup fake environment variables and credential file contents.
+            var credentialFilepath = "TempFilePath.json";
+            credentialProvider.SetEnvironmentVariable(CredentialEnvironmentVariable, credentialFilepath);
+            credentialProvider.SetFileContents(credentialFilepath, DummyUrlSourcedWorkforceExternalAccountCredentialFileContents);
+
+            var credential = await credentialProvider.GetDefaultCredentialAsync();
+
+            var workforceCredntial = Assert.IsType<UrlSourcedExternalAccountCredential>(credential.UnderlyingCredential);
+            Assert.Equal("user_project", workforceCredntial.WorkforcePoolUserProject);
+        }
+
         #endregion
 
         #region Invalid Cases

Src/Support/Google.Apis.Auth.Tests/OAuth2/UrlSourcedExternalAccountCredentialTest.cs

@@ -47,6 +47,7 @@ public class UrlSourcedExternalAccountCredentialsTests
         private const string ImpersonationScope = "https://www.googleapis.com/auth/iam";
         private const string ClientId = "dummy_client_ID";
         private const string ClientSecret = "dummy_client_secret";
+        private const string WorkforcePoolUserProject = "dummy_workforce_project";
 
         private const string AccessToken = "dummy_access_token";
         private const string RefreshedAccessToken = "dummy_refreshed_access_token";
@@ -67,16 +68,25 @@ private static Task<HttpResponseMessage> ValidateSubjectTokenRequest(HttpRequest
             });
         }
 
-        private static async Task<HttpResponseMessage> ValidateAccessTokenRequest(HttpRequestMessage accessTokenRequest, string scope)
+        private static async Task<HttpResponseMessage> ValidateAccessTokenRequest(HttpRequestMessage accessTokenRequest, string scope, bool isWorkforce = false)
         {
             Assert.Equal(TokenUrl, accessTokenRequest.RequestUri.ToString());
             Assert.Equal(HttpMethod.Post, accessTokenRequest.Method);
 
-            Assert.Equal("Basic", accessTokenRequest.Headers.Authorization.Scheme);
-            Assert.Equal(Convert.ToBase64String(Encoding.UTF8.GetBytes($"{ClientId}:{ClientSecret}")), accessTokenRequest.Headers.Authorization.Parameter);
-
             string contentText = WebUtility.UrlDecode(await accessTokenRequest.Content.ReadAsStringAsync());
 
+            if (isWorkforce)
+            {
+                Assert.Null(accessTokenRequest.Headers.Authorization);
+                Assert.Contains($"options={{\"userProject\":\"{WorkforcePoolUserProject}\"}}", contentText);
+            }
+            else
+            {
+                Assert.Equal("Basic", accessTokenRequest.Headers.Authorization.Scheme);
+                Assert.Equal(Convert.ToBase64String(Encoding.UTF8.GetBytes($"{ClientId}:{ClientSecret}")), accessTokenRequest.Headers.Authorization.Parameter);
+                Assert.DoesNotContain("options=", contentText);
+            }
+
             Assert.Contains(GrantTypeClaim, contentText);
             Assert.Contains(RequestedTokenTypeClaim, contentText);
             Assert.Contains($"audience={Audience}", contentText);
@@ -179,6 +189,58 @@ static async Task<HttpResponseMessage> ValidateImpersonatedAccessTokenRequest(Ht
             }
         }
 
+        [Fact]
+        public async Task FetchesAccessToken_Workforce()
+        {
+            var messageHandler = new DelegatedMessageHandler(ValidateSubjectTokenRequest, request => ValidateAccessTokenRequest(request, Scope, isWorkforce: true));
+
+            var credential = new UrlSourcedExternalAccountCredential(
+                new UrlSourcedExternalAccountCredential.Initializer(TokenUrl, Audience, SubjectTokenType, SubjectTokenUrl)
+                {
+                    HttpClientFactory = new MockHttpClientFactory(messageHandler),
+                    Headers = { { SubjectTokenServiceHeader } },
+                    WorkforcePoolUserProject = WorkforcePoolUserProject,
+                    Scopes = new string[] { Scope },
+                    QuotaProject = QuotaProject
+                });
+
+            var token = await credential.GetAccessTokenWithHeadersForRequestAsync();
+
+            Assert.Equal(AccessToken, token.AccessToken);
+            var header = Assert.Single(token.Headers);
+            Assert.Equal(QuotaProjectHeaderName, header.Key);
+            var headerValue = Assert.Single(header.Value);
+            Assert.Equal(QuotaProject, headerValue);
+            Assert.Equal(2, messageHandler.Calls);
+        }
+
+        [Fact]
+        public async Task FetchesAccessToken_ClientIdAndSecret_IgnoresWorkforce()
+        {
+            var messageHandler = new DelegatedMessageHandler(ValidateSubjectTokenRequest, request => ValidateAccessTokenRequest(request, Scope, isWorkforce: false));
+
+            var credential = new UrlSourcedExternalAccountCredential(
+                new UrlSourcedExternalAccountCredential.Initializer(TokenUrl, Audience, SubjectTokenType, SubjectTokenUrl)
+                {
+                    HttpClientFactory = new MockHttpClientFactory(messageHandler),
+                    Headers = { { SubjectTokenServiceHeader } },
+                    WorkforcePoolUserProject = WorkforcePoolUserProject,
+                    ClientId = ClientId,
+                    ClientSecret = ClientSecret,
+                    Scopes = new string[] { Scope },
+                    QuotaProject = QuotaProject
+                });
+
+            var token = await credential.GetAccessTokenWithHeadersForRequestAsync();
+
+            Assert.Equal(AccessToken, token.AccessToken);
+            var header = Assert.Single(token.Headers);
+            Assert.Equal(QuotaProjectHeaderName, header.Key);
+            var headerValue = Assert.Single(header.Value);
+            Assert.Equal(QuotaProject, headerValue);
+            Assert.Equal(2, messageHandler.Calls);
+        }
+
         [Fact]
         public async Task FetchesAccessToken_JsonSubjectToken()
         {

Src/Support/Google.Apis.Auth/OAuth2/DefaultCredentialProvider.cs

@@ -288,6 +288,7 @@ private static IGoogleCredential CreateExternalCredentialFromParameters(JsonCred
                 {
                     QuotaProject = parameters.QuotaProject,
                     ServiceAccountImpersonationUrl = parameters.ServiceAccountImpersonationUrl,
+                    WorkforcePoolUserProject = parameters.WorkforcePoolUserProject,
                     ClientId = parameters.ClientId,
                     ClientSecret = parameters.ClientSecret,
                     SubjectTokenJsonFieldName = parameters.CredentialSourceConfig.Format?.Type?.Equals("json", StringComparison.OrdinalIgnoreCase) == true

Src/Support/Google.Apis.Auth/OAuth2/ExternalAccountCredential.cs

@@ -54,6 +54,17 @@ public abstract class ExternalAccountCredential : ServiceCredential
             /// </summary>
             internal string ServiceAccountImpersonationUrl { get; set; }
 
+            /// <summary>
+            /// The GCP project number to be used for Workforce Identity Pools
+            /// external credentials.
+            /// </summary>
+            /// <remarks>
+            /// If this external account credential represents a Workforce Identity Pool
+            /// enabled identity and this values is not specified, then an API key needs to be
+            /// used alongside this credential to call Google APIs.
+            /// </remarks>
+            public string WorkforcePoolUserProject { get; set; }
+
             /// <summary>
             /// The Client ID.
             /// </summary>
@@ -87,6 +98,7 @@ internal Initializer(Initializer other) : base(other)
                 Audience = other.Audience;
                 SubjectTokenType = other.SubjectTokenType;
                 ServiceAccountImpersonationUrl = other.ServiceAccountImpersonationUrl;
+                WorkforcePoolUserProject = other.WorkforcePoolUserProject;
                 ClientId = other.ClientId;
                 ClientSecret = other.ClientSecret;
             }
@@ -96,6 +108,7 @@ internal Initializer(ExternalAccountCredential other) : base(other)
                 Audience = other.Audience;
                 SubjectTokenType = other.SubjectTokenType;
                 ServiceAccountImpersonationUrl= other.ServiceAccountImpersonationUrl;
+                WorkforcePoolUserProject= other.WorkforcePoolUserProject;
                 ClientId = other.ClientId;
                 ClientSecret = other.ClientSecret;
             }
@@ -120,6 +133,18 @@ internal Initializer(ExternalAccountCredential other) : base(other)
         /// </summary>
         public string ServiceAccountImpersonationUrl { get; }
 
+        /// <summary>
+        /// The GCP project number to be used for Workforce Pools
+        /// external credentials.
+        /// </summary>
+        /// <remarks>
+        /// If this external account credential represents a Workforce Pool
+        /// enabled identity and this values is not specified, then an API key needs to be
+        /// used alongside this credential to call Google APIs.
+        /// </remarks>
+        public string WorkforcePoolUserProject { get; }
+
+
         /// <summary>
         /// The Client ID.
         /// </summary>
@@ -168,6 +193,7 @@ internal ExternalAccountCredential(Initializer initializer) : base(initializer)
             Audience = initializer.Audience;
             SubjectTokenType = initializer.SubjectTokenType;
             ServiceAccountImpersonationUrl = initializer.ServiceAccountImpersonationUrl;
+            WorkforcePoolUserProject = initializer.WorkforcePoolUserProject;
             ClientId = initializer.ClientId;
             ClientSecret = initializer.ClientSecret;
             WithoutImpersonationConfiguration = new Lazy<GoogleCredential>(WithoutImpersonationConfigurationImpl, LazyThreadSafetyMode.ExecutionAndPublication);
@@ -240,17 +266,18 @@ static string ExtractTargetPrincipal(string url)
 
         private protected async Task<TokenResponse> RequestStsAccessTokenAsync(CancellationToken taskCancellationToken)
         {
-            StsTokenRequest request = new StsTokenRequest
+            StsTokenRequest request = new StsTokenRequestBuilder
             {
                 Audience = Audience,
                 GrantType = GrantType,
                 RequestedTokenType = RequestedTokenType,
-                Scope = HasExplicitScopes ? string.Join(" ", Scopes) : null,
+                Scopes = Scopes,
                 SubjectToken = await GetSubjectTokenAsync(taskCancellationToken).ConfigureAwait(false),
                 SubjectTokenType = SubjectTokenType,
+                WorkforcePoolUserProject = WorkforcePoolUserProject,
                 ClientId = ClientId,
                 ClientSecret = ClientSecret,
-            };
+            }.Build();
 
             return await request
                 .ExecuteAsync(HttpClient, TokenServerUrl, Clock, Logger, taskCancellationToken)

Src/Support/Google.Apis.Auth/OAuth2/JsonCredentialParameters.cs

@@ -131,6 +131,18 @@ public class JsonCredentialParameters
         [JsonProperty("service_account_impersonation_url")]
         public string ServiceAccountImpersonationUrl { get; set; }
 
+        /// <summary>
+        /// The GCP project number to be used for Workforce Pools
+        /// external credentials.
+        /// </summary>
+        /// <remarks>
+        /// If this external account credential represents a Workforce Pool
+        /// enabled identity and this values is not specified, then an API key needs to be
+        /// used alongside this credential to call Google APIs.
+        /// </remarks>
+        [JsonProperty("workforce_pool_user_project")]
+        public string WorkforcePoolUserProject { get; set; }
+
         /// <summary>
         /// The credential source associated with an external account credential.
         /// </summary>

Src/Support/Google.Apis.Auth/OAuth2/Requests/StsRequestTokenBuilder.cs

@@ -0,0 +1,99 @@
+/*
+Copyright 2022 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+using Google.Apis.Json;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http.Headers;
+using System.Text;
+
+namespace Google.Apis.Auth.OAuth2.Requests
+{
+    /// <summary>
+    /// Builder for <see cref="StsTokenRequest"/>.
+    /// </summary>
+    internal class StsTokenRequestBuilder
+    {
+        /// <summary>
+        /// Gets the grant type for this request.
+        /// Only <code>urn:ietf:params:oauth:grant-type:token-exchange</code> is currently supported.
+        /// </summary>
+        public string GrantType { get; set; }
+
+        /// <summary>
+        /// The audience for which the requested token is intended. For instance:
+        /// "//iam.googleapis.com/projects/my-project-id/locations/global/workloadIdentityPools/my-pool-id/providers/my-provider-id"
+        /// </summary>
+        public string Audience { get; set; }
+
+        /// <summary>
+        /// The list of desired scopes for the requested token.
+        /// </summary>
+        public IEnumerable<string> Scopes { get; set; }
+
+        /// <summary>
+        /// The type of the requested security token.
+        /// Only <code>urn:ietf:params:oauth:token-type:access_token</code> is currently supported.
+        /// </summary>
+        public string RequestedTokenType { get; set; }
+
+        /// <summary>
+        /// In terms of Google 3PI support, this is the 3PI credential.
+        /// </summary>
+        public string SubjectToken { get; set; }
+
+        /// <summary>
+        /// The subject token type.
+        /// </summary>
+        public string SubjectTokenType { get; set; }
+
+        /// <summary>
+        /// Client ID and client secret are not part of STS token exchange spec.
+        /// But in the context of Google 3PI they are used to perform basic authorization
+        /// for token exchange.
+        /// </summary>
+        public string ClientId { get; set; }
+
+        /// <summary>
+        /// Client ID and client secret are not part of STS token exchange spec.
+        /// But in the context of Google 3PI they are used to perform basic authorization
+        /// for token exchange.
+        /// </summary>
+        public string ClientSecret { get; set; }
+
+        /// <summary>
+        /// The GCP project number to be used for Workforce Pools
+        /// external credentials. To be included in the request as part of options.
+        /// </summary>
+        public string WorkforcePoolUserProject { get; set; }
+
+        public StsTokenRequest Build()
+        {
+            var authenticationHeader = (ClientId is string && ClientSecret is string)
+                ? new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes($"{ClientId}:{ClientSecret}")))
+                : null;
+
+            var options = (authenticationHeader is null && WorkforcePoolUserProject is string)
+                ? NewtonsoftJsonSerializer.Instance.Serialize(new { userProject = WorkforcePoolUserProject })
+                : null;
+
+            var scope = Scopes?.Any() == true ? string.Join(" ", Scopes) : null;
+
+            return new StsTokenRequest(GrantType, Audience, scope, RequestedTokenType, SubjectToken, SubjectTokenType, options, authenticationHeader);
+        }
+    }
+}