Add an audience field to the config

Author: irby

api/v1alpha1/issuer_types.go

@@ -81,6 +81,14 @@ type IssuerSpec struct {
 	// effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret.
 	// +optional
 	Scopes string `json:"scopes,omitempty"`
+
+	// The audience value used when requesting a Bearer token from an ambient token provider implied
+	// by the environment, rather than by commandSecretName. For example, could be set to
+	// https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+	// the URL of your Command environment.Has no effect on OAuth 2.0 Client Credential configuration - please specify
+	// the audience for this method in an Opaque secret.
+	// +optional
+	Audience string `json:"audience,omitempty"`
 }
 
 func (i *Issuer) GetStatus() *IssuerStatus {

config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml

@@ -85,6 +85,13 @@ spec:
                   api://{tenant ID}/.default when requesting an access token for Entra ID (DefaultAzureCredential). Has no
                   effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret.
                 type: string
+              audience:
+                description: |-
+                  The audience value used when requesting a Bearer token from an ambient token provider implied
+                  by the environment, rather than by commandSecretName. For example, could be set to
+                  https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+                  the URL of your Command environment. Has no effect on OAuth 2.0 Client Credential configuration - please specify the audience for this method in an Opaque secret.
+                type: string
             type: object
           status:
             description: IssuerStatus defines the observed state of Issuer

internal/command/client.go

@@ -131,6 +131,7 @@ var (
 type gcp struct {
 	tokenSource oauth2.TokenSource
 	scopes      []string
+	audience    string
 }
 
 // GetAccessToken implements TokenCredential.
@@ -146,7 +147,7 @@ func (g *gcp) GetAccessToken(ctx context.Context) (string, error) {
 		log.Info(fmt.Sprintf("Generating a Google OIDC ID Token"))
 
 		// Use credentials to generate a JWT (requires a service account)
-		tokenSource, err := idtoken.NewTokenSource(ctx, "command", idtoken.WithCredentialsJSON(credentials.JSON))
+		tokenSource, err := idtoken.NewTokenSource(ctx, g.audience, idtoken.WithCredentialsJSON(credentials.JSON))
 		if err != nil {
 			return "", fmt.Errorf("%w: failed to get GCP ID Token Source: %w", errTokenFetchFailure, err)
 		}
@@ -178,9 +179,10 @@ func (g *gcp) GetAccessToken(ctx context.Context) (string, error) {
 	return token.AccessToken, nil
 }
 
-func newGCPDefaultCredentialSource(ctx context.Context, scopes []string) (*gcp, error) {
+func newGCPDefaultCredentialSource(ctx context.Context, audience string, scopes []string) (*gcp, error) {
 	source := &gcp{
-		scopes: scopes,
+		scopes:   scopes,
+		audience: audience,
 	}
 	_, err := source.GetAccessToken(ctx)
 	if err != nil {
@@ -191,8 +193,8 @@ func newGCPDefaultCredentialSource(ctx context.Context, scopes []string) (*gcp,
 }
 
 // TODO: Remove this before merging
-func NewGCPDefaultCredentialSource(ctx context.Context, scopes []string) (*gcp, error) {
-	return newGCPDefaultCredentialSource(ctx, scopes)
+func NewGCPDefaultCredentialSource(ctx context.Context, audience string, scopes []string) (*gcp, error) {
+	return newGCPDefaultCredentialSource(ctx, audience, scopes)
 }
 
 // TODO: Remove this before merging

internal/command/command.go

@@ -75,12 +75,13 @@ type signer struct {
 }
 
 type Config struct {
-	Hostname                string
-	APIPath                 string
-	CaCertsBytes            []byte
-	BasicAuth               *BasicAuth
-	OAuth                   *OAuth
-	AmbientCredentialScopes []string
+	Hostname                  string
+	APIPath                   string
+	CaCertsBytes              []byte
+	BasicAuth                 *BasicAuth
+	OAuth                     *OAuth
+	AmbientCredentialScopes   []string
+	AmbientCredentialAudience string
 }
 
 func (c *Config) validate() error {
@@ -207,7 +208,7 @@ func newServerConfig(ctx context.Context, config *Config) (*auth_providers.Serve
 				log.Info("couldn't obtain Azure DefaultAzureCredential. trying GCP ApplicationDefaultCredentials", "error", err)
 
 				var innerErr error
-				source, innerErr = newGCPDefaultCredentialSource(ctx, config.AmbientCredentialScopes)
+				source, innerErr = newGCPDefaultCredentialSource(ctx, config.AmbientCredentialAudience, config.AmbientCredentialScopes)
 				if innerErr != nil {
 					return nil, fmt.Errorf("%w: azure err: %w. gcp err: %w", errAmbientCredentialCreationFailure, err, innerErr)
 				}

internal/controller/issuer_controller.go

@@ -235,12 +235,13 @@ func commandConfigFromIssuer(ctx context.Context, c client.Client, issuer comman
 	}
 
 	return &command.Config{
-		Hostname:                issuer.GetSpec().Hostname,
-		APIPath:                 issuer.GetSpec().APIPath,
-		CaCertsBytes:            caCertBytes,
-		BasicAuth:               basicAuth,
-		OAuth:                   oauth,
-		AmbientCredentialScopes: strings.Split(issuer.GetSpec().Scopes, ","),
+		Hostname:                  issuer.GetSpec().Hostname,
+		APIPath:                   issuer.GetSpec().APIPath,
+		CaCertsBytes:              caCertBytes,
+		BasicAuth:                 basicAuth,
+		OAuth:                     oauth,
+		AmbientCredentialScopes:   strings.Split(issuer.GetSpec().Scopes, ","),
+		AmbientCredentialAudience: issuer.GetSpec().Audience,
 	}, nil
 }
 

sample/main.go

@@ -33,7 +33,7 @@ func main() {
 	}, funcr.Options{})
 	ctx := logr.NewContext(context.Background(), logger)
 	log := log.FromContext(ctx)
-	source, err := command.NewGCPDefaultCredentialSource(ctx, []string{"openid", "profile", "email", "https://www.googleapis.com/auth/cloud-platform"})
+	source, err := command.NewGCPDefaultCredentialSource(ctx, "https://example.com", []string{"openid", "profile", "email", "https://www.googleapis.com/auth/cloud-platform"})
 	if err != nil {
 		log.Error(err, fmt.Sprintf("Error getting credentials: %s", err))
 		return
@@ -44,9 +44,10 @@ func main() {
 		return
 	}
 	log.Info(fmt.Sprintf("source obtained: %s", token))
-	isValid := command.ValidateToken(ctx, token, "command")
+	isValid := command.ValidateToken(ctx, token, "https://example1.com")
 	if !isValid {
-		log.Info(fmt.Sprintf("Token not valid"))
+		log.Info(fmt.Sprintf("ERROR: Token not valid"))
+	} else {
+		log.Info(fmt.Sprintf("Success! Token successfully validated"))
 	}
-	log.Info(fmt.Sprintf("Token successfully validated"))
 }