DoJWTAuthorization generates a JWT instead of an OAuth token. Only works for certain APIs. See https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwt-auth.
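// DoJWTAuthorization generates a JWT instead of an OAuth token. Only works for
// certain APIs. See https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwt-auth.
//
// The assertion is self-signed with the PKCS#8 private key held in
// o.clientSecret using RS256, and carries o.clientID as the "kid" header.
// issuer fills both the "iss" and "sub" claims; aud fills "aud". The
// returned token is a "Bearer" token whose expiry matches the "exp" claim.
// An error is returned when the PEM block cannot be decoded, the key cannot
// be parsed as PKCS#8, the signer cannot be built, or serialization fails.
func (o *oauth) DoJWTAuthorization(issuer, aud string) (*token, error) {
	// Lifetime of the assertion in seconds. One constant feeds both the "exp"
	// claim and the token's expiry so the two cannot drift apart.
	const jwtLifetimeSeconds = 3600

	block, _ := pem.Decode([]byte(o.clientSecret))
	if block == nil {
		return nil, fmt.Errorf("failed to read private key pem block")
	}
	priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, errors.Wrap(err, "error parsing private key")
	}

	// Add claims. Unix seconds are kept as int64 rather than narrowed to int,
	// so the value cannot truncate on 32-bit platforms; the JSON number that
	// ends up in the claims is the same.
	now := time.Now().Unix()
	c := map[string]interface{}{
		"aud": aud,
		"nbf": now,
		"iat": now,
		"exp": now + jwtLifetimeSeconds,
		"iss": issuer,
		"sub": issuer,
	}

	so := new(jose.SignerOptions)
	so.WithType("JWT")
	so.WithHeader("kid", o.clientID)

	// Sign JWT. The algorithm is pinned to RS256 rather than derived from the
	// key material, so the signature scheme cannot vary with the configured key.
	signer, err := jose.NewSigner(jose.SigningKey{
		Algorithm: jose.RS256,
		Key:       priv,
	}, so)
	if err != nil {
		return nil, errors.Wrap(err, "error creating JWT signer")
	}

	raw, err := jose.Signed(signer).Claims(c).CompactSerialize()
	if err != nil {
		return nil, errors.Wrap(err, "error serializing JWT")
	}

	// Positional literal follows the token type's field order (declared
	// elsewhere in this file); only the raw token, expiry and token type are
	// set, every other field is left empty.
	tok := &token{raw, "", "", jwtLifetimeSeconds, "Bearer", "", "", ""}
	return tok, nil
}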
| 1089 | |
| 1090 | // ServeHTTP is the handler that performs the OAuth 2.0 dance and returns the |
| 1091 | // tokens using channels. |