(ctx context.Context, httpClient HTTPDoer)
| 167 | } |
| 168 | |
| 169 | func (w *WorkloadIdentityAuth) refreshToken(ctx context.Context, httpClient HTTPDoer) (string, error) { |
| 170 | if httpClient == nil { |
| 171 | httpClient = http.DefaultClient |
| 172 | } |
| 173 | |
| 174 | subjectToken, err := w.config.Provider.GetToken(ctx, httpClient) |
| 175 | if err != nil { |
| 176 | return "", err |
| 177 | } |
| 178 | |
| 179 | subjectTokenType := w.config.Provider.TokenType() |
| 180 | var subjectTokenTypeURN string |
| 181 | switch subjectTokenType { |
| 182 | case SubjectTokenTypeJWT: |
| 183 | subjectTokenTypeURN = JWTTokenType |
| 184 | case SubjectTokenTypeID: |
| 185 | subjectTokenTypeURN = IDTokenType |
| 186 | default: |
| 187 | return "", fmt.Errorf("unsupported subject token type %q", subjectTokenType) |
| 188 | } |
| 189 | |
| 190 | requestBody := tokenExchangeRequest{ |
| 191 | GrantType: TokenExchangeGrantType, |
| 192 | ClientID: w.config.ClientID, |
| 193 | SubjectToken: subjectToken, |
| 194 | SubjectTokenType: subjectTokenTypeURN, |
| 195 | IdentityProviderID: w.config.IdentityProviderID, |
| 196 | ServiceAccountID: w.config.ServiceAccountID, |
| 197 | } |
| 198 | |
| 199 | jsonBody, err := json.Marshal(requestBody) |
| 200 | if err != nil { |
| 201 | return "", fmt.Errorf("failed to marshal token exchange request: %w", err) |
| 202 | } |
| 203 | |
| 204 | req, err := http.NewRequestWithContext(ctx, "POST", TokenExchangeURL, bytes.NewReader(jsonBody)) |
| 205 | if err != nil { |
| 206 | return "", fmt.Errorf("failed to create token exchange request: %w", err) |
| 207 | } |
| 208 | req.Header.Set("Content-Type", "application/json") |
| 209 | |
| 210 | resp, err := httpClient.Do(req) |
| 211 | if err != nil { |
| 212 | return "", fmt.Errorf("failed to exchange token: %w", err) |
| 213 | } |
| 214 | defer resp.Body.Close() |
| 215 | |
| 216 | body, err := io.ReadAll(resp.Body) |
| 217 | if err != nil { |
| 218 | return "", fmt.Errorf("failed to read token exchange response: %w", err) |
| 219 | } |
| 220 | |
| 221 | if resp.StatusCode == http.StatusBadRequest || resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden { |
| 222 | var oauthErr struct { |
| 223 | Error string `json:"error"` |
| 224 | ErrorDescription string `json:"error_description"` |
| 225 | } |
| 226 | if json.Unmarshal(body, &oauthErr) == nil { |