From 622c5d57e401754bcdaf99beee1fe0c1136fe3d9 Mon Sep 17 00:00:00 2001
From: Shapor Naghibzadeh <shapor@gmail.com>
Date: Tue, 17 May 2022 10:13:16 -0700
Subject: [PATCH] google/google: set JWT Audience in JWTConfigFromJSON()

Add support to set JWT Audience in JWTConfigFromJSON() to allow setting
the audience field from the JSON config, rather than only allowing it
the default value of the token_uri.

Previous change 272766 (approved but abandoned).

Change-Id: I14d46f3628df0a04801949bf99520b210e778f99
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/406836
Reviewed-by: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
---
 google/google.go      |  1 +
 google/google_test.go | 25 ++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/google/google.go b/google/google.go
index ccc23ee..ceddd5d 100644
--- a/google/google.go
+++ b/google/google.go
@@ -139,6 +139,7 @@ func (f *credentialsFile) jwtConfig(scopes []string, subject string) *jwt.Config
 		Scopes:       scopes,
 		TokenURL:     f.TokenURL,
 		Subject:      subject, // This is the user email to impersonate
+		Audience:     f.Audience,
 	}
 	if cfg.TokenURL == "" {
 		cfg.TokenURL = JWTTokenURL
diff --git a/google/google_test.go b/google/google_test.go
index be30b08..ea01049 100644
--- a/google/google_test.go
+++ b/google/google_test.go
@@ -37,7 +37,8 @@ var jwtJSONKey = []byte(`{
   "client_email": "gopher@developer.gserviceaccount.com",
   "client_id": "gopher.apps.googleusercontent.com",
   "token_uri": "https://accounts.google.com/o/gophers/token",
-  "type": "service_account"
+  "type": "service_account",
+  "audience": "https://testservice.googleapis.com/"
 }`)
 
 var jwtJSONKeyNoTokenURL = []byte(`{
@@ -48,6 +49,15 @@ var jwtJSONKeyNoTokenURL = []byte(`{
   "type": "service_account"
 }`)
 
+var jwtJSONKeyNoAudience = []byte(`{
+  "private_key_id": "268f54e43a1af97cfc71731688434f45aca15c8b",
+  "private_key": "super secret key",
+  "client_email": "gopher@developer.gserviceaccount.com",
+  "client_id": "gopher.apps.googleusercontent.com",
+  "token_uri": "https://accounts.google.com/o/gophers/token",
+  "type": "service_account"
+}`)
+
 func TestConfigFromJSON(t *testing.T) {
 	conf, err := ConfigFromJSON(webJSONKey, "scope1", "scope2")
 	if err != nil {
@@ -103,6 +113,9 @@ func TestJWTConfigFromJSON(t *testing.T) {
 	if got, want := conf.TokenURL, "https://accounts.google.com/o/gophers/token"; got != want {
 		t.Errorf("TokenURL = %q; want %q", got, want)
 	}
+	if got, want := conf.Audience, "https://testservice.googleapis.com/"; got != want {
+		t.Errorf("Audience = %q; want %q", got, want)
+	}
 }
 
 func TestJWTConfigFromJSONNoTokenURL(t *testing.T) {
@@ -114,3 +127,13 @@ func TestJWTConfigFromJSONNoTokenURL(t *testing.T) {
 		t.Errorf("TokenURL = %q; want %q", got, want)
 	}
 }
+
+func TestJWTConfigFromJSONNoAudience(t *testing.T) {
+	conf, err := JWTConfigFromJSON(jwtJSONKeyNoAudience, "scope1", "scope2")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if got, want := conf.Audience, ""; got != want {
+		t.Errorf("Audience = %q; want %q", got, want)
+	}
+}