UNPKG

google-sa-id-token

Version:

Fetch ID Token for Service Account when running in GCloud

github.com/mdovhopo/google-sa-id-token

mdovhopo/google-sa-id-token

150 lines (107 loc) 5.46 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# google-sa-id-token [![Deploy](https://github.com/mdovhopo/google-sa-id-token/workflows/build/badge.svg)](https://github.com/mdovhopo/google-sa-id-token/actions) [![Coverage Status](https://coveralls.io/repos/github/mdovhopo/google-sa-id-token/badge.svg?branch=master)](https://coveralls.io/github/mdovhopo/google-sa-id-token?branch=master) Fetch ID Token for Service Account when running in GCloud. Lib also caches tokens & auto-refreshes, to improve performance. By default, tokens will expire `2s` earlier that actuall expiry date, to prevent usage of almost expired token. This behaviour can be changed via options. ## Installation: ```sh npm i google-sa-id-token ``` ## Usage ### Get an id Token for default identity (Application Default Credentials) ```typescript import { GoogleSaIdToken } from 'google-sa-id-token'; const client = new GoogleSaIdToken(); const token = await client.fetchIdToken(aud); console.log(token); // example output // eyJhbGciOiJSUzI1NiIsImtpZCI6IjAxNWFkMDYwZDJiNDQ1MzU5YzliMTA1ZjgwM2RjNzU4YzI5ZjE5ODJkNjFhMWU0ZjFmZGM4ZjBiN2UyNjVjYzQxZTIwMDVlMjM1YzIxMTQ1IiwidHlwIjoiSldUIn0.eyJhdWQiOiJkZWZhdWx0IiwiYXpwIjoiPGV4YW1wbGUtc2VydmljZS1hY2NvdW50LWlkPiIsImVtYWlsIjoiZXhhbXBsZUBwcm9qZWN0LWlkLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV4cCI6MTY0MjYzMTI0Mzg2MCwiaWF0IjoxNjQyNjI3NjQzODYwLCJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiI8ZXhhbXBsZS1zZXJ2aWNlLWFjY291bnQtaWQ-In0.+UpJvARVRn6ESlEr+Gyk4VA+QJV6QzqQP1E7gY2u5D3oKgjBzhlWcxmihDCCO3BFnACes4sMG+VXXqmuQW/pjw== ``` ### Get an id Token for default identity (Application Default Credentials) & default aud ```typescript import { GoogleSaIdToken } from 'google-sa-id-token'; const client = new GoogleSaIdToken({ defaultAudience: aud }); const token = await client.fetchIdToken(); console.log(token); // example output // eyJhbGciOiJSUzI1NiIsImtpZCI6IjAxNWFkMDYwZDJiNDQ1MzU5YzliMTA1ZjgwM2RjNzU4YzI5ZjE5ODJkNjFhMWU0ZjFmZGM4ZjBiN2UyNjVjYzQxZTIwMDVlMjM1YzIxMTQ1IiwidHlwIjoiSldUIn0.eyJhdWQiOiJkZWZhdWx0IiwiYXpwIjoiPGV4YW1wbGUtc2VydmljZS1hY2NvdW50LWlkPiIsImVtYWlsIjoiZXhhbXBsZUBwcm9qZWN0LWlkLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV4cCI6MTY0MjYzMTI0Mzg2MCwiaWF0IjoxNjQyNjI3NjQzODYwLCJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiI8ZXhhbXBsZS1zZXJ2aWNlLWFjY291bnQtaWQ-In0.+UpJvARVRn6ESlEr+Gyk4VA+QJV6QzqQP1E7gY2u5D3oKgjBzhlWcxmihDCCO3BFnACes4sMG+VXXqmuQW/pjw== ``` ### Add decoded token to response ```typescript import { GoogleSaIdToken } from 'google-sa-id-token'; const client = new GoogleSaIdToken(); const token = await client.fetchIdTokenDecoded(aud); console.log(token); // example output // { // raw: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjAxNWFkMDYwZDJiNDQ1MzU5YzliMTA1ZjgwM2RjNzU4YzI5ZjE5ODJkNjFhMWU0ZjFmZGM4ZjBiN2UyNjVjYzQxZTIwMDVlMjM1YzIxMTQ1IiwidHlwIjoiSldUIn0.eyJhdWQiOiJkZWZhdWx0IiwiYXpwIjoiPGV4YW1wbGUtc2VydmljZS1hY2NvdW50LWlkPiIsImVtYWlsIjoiZXhhbXBsZUBwcm9qZWN0LWlkLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV4cCI6MTY0MjYzMTI0Mzg2MCwiaWF0IjoxNjQyNjI3NjQzODYwLCJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiI8ZXhhbXBsZS1zZXJ2aWNlLWFjY291bnQtaWQ-In0.+UpJvARVRn6ESlEr+Gyk4VA+QJV6QzqQP1E7gY2u5D3oKgjBzhlWcxmihDCCO3BFnACes4sMG+VXXqmuQW/pjw==", // payload: { // aud: 'default', // azp: '<example-service-account-id>', // email: 'example@project-id.iam.gserviceaccount.com', // email_verified: true, // exp: 1642631243860, // iat: 1642627643860, // iss: 'https://accounts.google.com', // sub: '<example-service-account-id>' // } // } ``` ### Fetch token, ignoring cache. ```typescript import { GoogleSaIdToken } from 'google-sa-id-token'; const client = new GoogleSaIdToken(); const token = await client.fetchIdTokenNoCache(aud); console.log(token); // example output // { // raw: ".......", // payload: { // ... // } // } ``` ### Use different service account ```typescript import { GoogleSaIdToken } from 'google-sa-id-token'; const client = new GoogleSaIdToken({ serviceAccountEmail: 'example@project-id.iam.iam.gserviceaccount.com' }); const token = await client.fetchIdTokenNoCache(aud); ``` ### Debug problems Lib allows you to 'hook in' to different parts of flow, by providing optional logger instance. ```typescript import { GoogleSaIdToken } from 'google-sa-id-token'; const logger = { info: console.log, error: console.error, } const client = new GoogleSaIdToken({ logger }); const token = await client.fetchIdToken(aud); // your console logs will be invoked ``` ### Set custom expiry margin for tokens ```typescript import { GoogleSaIdToken } from 'google-sa-id-token'; const client = new GoogleSaIdToken({ tokenExpiryMargin: 10000 /* 10 seconds */ }); const token = await client.fetchIdTokenNoCache(aud); ``` ### Utils usage, provided by lib ```typescript import { GoogleSaIdToken, decodeSaToken } from 'google-sa-id-token'; const client = new GoogleSaIdToken({ tokenExpiryMargin: 10000 /* 10 seconds */ }); const token = await client.fetchIdTokenNoCache(aud); // utils const decoded = decodeSaToken(token); const sampleToken = generateExampleSaToken({ aud: 'override' }); // testing example with jest jest .spyOn(GoogleSaIdToken.prototype, 'fetchIdToken') .mockResolvedValue( Promise.resolve(generateExampleSaToken({ aud: 'test' }).raw), ); ``` Bootstrapped with: [create-ts-lib-gh](https://github.com/glebbash/create-ts-lib-gh) This project is [MIT Licensed](LICENSE).