feat: Returning an issuer claim on request errors (#656)

Timur Sadykov · arithmetic1728 · web-flow · commit 659d382f8325 · 2021-05-17T12:28:51.000-07:00
* logging issuer claim for service account on errors

Co-authored-by: arithmetic1728 &lt;58957152+arithmetic1728@users.noreply.github.com&gt;
diff --git a/google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -609,7 +609,10 @@ public boolean isRequired(HttpResponse response) {
       response = request.execute();
     } catch (IOException e) {
       throw new IOException(
-          String.format("Error getting access token for service account: %s", e.getMessage()), e);
+          String.format(
+              "Error getting access token for service account: %s, iss: %s",
+              e.getMessage(), getIssuer()),
+          e);
     }
 
     GenericData responseData = response.parseAs(GenericData.class);
@@ -648,7 +651,16 @@ public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
     HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
     HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), content);
     request.setParser(new JsonObjectParser(jsonFactory));
-    HttpResponse response = request.execute();
+    HttpResponse response;
+    try {
+      response = request.execute();
+    } catch (IOException e) {
+      throw new IOException(
+          String.format(
+              "Error getting id token for service account: %s, iss: %s",
+              e.getMessage(), getIssuer()),
+          e);
+    }
 
     GenericData responseData = response.parseAs(GenericData.class);
     String rawToken = OAuth2Utils.validateString(responseData, "id_token", PARSE_ERROR_PREFIX);
@@ -755,6 +767,10 @@ public final URI getTokenServerUri() {
     return tokenServerUri;
   }
 
+  private String getIssuer() {
+    return this.clientEmail;
+  }
+
   @VisibleForTesting
   int getLifetime() {
     return lifetime;
@@ -787,7 +803,7 @@ public byte[] sign(byte[] toSign) {
   @Override
   public JwtCredentials jwtWithClaims(JwtClaims newClaims) {
     JwtClaims.Builder claimsBuilder =
-        JwtClaims.newBuilder().setIssuer(clientEmail).setSubject(clientEmail);
+        JwtClaims.newBuilder().setIssuer(getIssuer()).setSubject(clientEmail);
     return JwtCredentials.newBuilder()
         .setPrivateKey(privateKey)
         .setPrivateKeyId(privateKeyId)
@@ -862,7 +878,7 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc
     header.setKeyId(privateKeyId);
 
     JsonWebToken.Payload payload = new JsonWebToken.Payload();
-    payload.setIssuer(clientEmail);
+    payload.setIssuer(getIssuer());
     payload.setIssuedAtTimeSeconds(currentTime / 1000);
     payload.setExpirationTimeSeconds(currentTime / 1000 + this.lifetime);
     payload.setSubject(serviceAccountUser);
@@ -898,7 +914,7 @@ String createAssertionForIdToken(
     header.setKeyId(privateKeyId);
 
     JsonWebToken.Payload payload = new JsonWebToken.Payload();
-    payload.setIssuer(clientEmail);
+    payload.setIssuer(getIssuer());
     payload.setIssuedAtTimeSeconds(currentTime / 1000);
     payload.setExpirationTimeSeconds(currentTime / 1000 + this.lifetime);
     payload.setSubject(serviceAccountUser);
diff --git a/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -1189,6 +1189,37 @@ public void fromStream_noClientEmail_throws() throws IOException {
     testFromStreamException(serviceAccountStream, "client_email");
   }
 
+  @Test
+  public void getIdTokenWithAudience_badEmailError_issClaimTraced() throws IOException {
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    MockTokenServerTransport transport = transportFactory.transport;
+    transport.setError(new IOException("Invalid grant: Account not found"));
+    ServiceAccountCredentials credentials =
+        ServiceAccountCredentials.fromPkcs8(
+            CLIENT_ID,
+            CLIENT_EMAIL,
+            PRIVATE_KEY_PKCS8,
+            PRIVATE_KEY_ID,
+            SCOPES,
+            transportFactory,
+            null);
+
+    String targetAudience = "https://bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .build();
+
+    String expectedErrorMessage = String.format("iss: %s", CLIENT_EMAIL);
+
+    try {
+      tokenCredential.refresh();
+    } catch (IOException expected) {
+      assertTrue(expected.getMessage().contains(expectedErrorMessage));
+    }
+  }
+
   @Test
   public void fromStream_noPrivateKey_throws() throws IOException {
     InputStream serviceAccountStream =
