turcsanyip commented on code in PR #10485:
URL: https://github.com/apache/nifi/pull/10485#discussion_r2488261814
##########
nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java:
##########
@@ -143,13 +161,70 @@ public void migrateProperties(PropertyConfiguration
config) {
}
private GoogleCredentials getGoogleCredentials(final ConfigurationContext
context) throws IOException {
+ if (context.getProperty(IDENTITY_FEDERATION_TOKEN_PROVIDER).isSet()) {
+ return getFederatedGoogleCredentials(context);
+ }
+
final ProxyConfiguration proxyConfiguration =
ProxyConfiguration.getConfiguration(context);
final HttpTransportFactory transportFactory = new
ProxyAwareTransportFactory(proxyConfiguration);
return
credentialsProviderFactory.getGoogleCredentials(context.getProperties(),
transportFactory);
}
+ private GoogleCredentials getFederatedGoogleCredentials(final
ConfigurationContext context) {
+ final GCPIdentityFederationTokenProvider tokenProvider =
context.getProperty(IDENTITY_FEDERATION_TOKEN_PROVIDER)
+ .asControllerService(GCPIdentityFederationTokenProvider.class);
+ final AccessToken accessToken = tokenProvider.getAccessDetails();
+
+ if (accessToken == null ||
StringUtils.isBlank(accessToken.getAccessToken())) {
+ throw new ProcessException("Identity Federation Token Provider
returned no access token");
+ }
+
+ final Instant fetchTime =
Objects.requireNonNull(accessToken.getFetchTime(), "Access token fetch time
required");
+ long expiresIn = accessToken.getExpiresIn();
+ if (expiresIn <= 0) {
+ expiresIn = 300;
+ }
+
+ final Instant expirationInstant = fetchTime.plusSeconds(expiresIn);
+ final Date expiration = Date.from(expirationInstant);
+
+ final com.google.auth.oauth2.AccessToken googleAccessToken = new
com.google.auth.oauth2.AccessToken(accessToken.getAccessToken(), expiration);
+ return GoogleCredentials.create(googleAccessToken);
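Review bot: `GoogleCredentials.create(googleAccessToken)` at the end of `getFederatedGoogleCredentials` produces a credential with a fixed token and a fixed `expiration` and no refresh path, so once that instant passes every call made through the GCP client fails until the controller service is rebuilt; the token provider should be consulted again whenever the library needs a fresh token (a credential type that accepts a subject token supplier, rather than a token captured once at construction). Two smaller points in the same hunk: the `if (expiresIn <= 0) { expiresIn = 300; }` fallback invents a five-minute lifetime the provider never reported, which masks a misbehaving provider instead of surfacing it, and `Objects.requireNonNull(accessToken.getFetchTime(), ...)` escapes as a `NullPointerException` while the blank-token case just above it is reported as a `ProcessException`; consider the same exception type for both.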
Review Comment:
@pvillard31 I managed to test the new credential, but when the access token
expires, it is not refreshed and does not work anymore.
`GoogleCredentials.create(AccessToken)` seems to create a static credential.
```
OAuth2Credentials instance does not support refreshing the access token. An
instance with a new access token should be used, or a derived type that
supports refreshing.
```
So I think a dynamic credential should be created that the underlying GCP
client library can use to get a new token when it is needed.
I have not tried it, but I believe
[IdentityPoolCredentials](https://github.com/googleapis/google-auth-library-java/blob/39fdc647c2e14d8006a758fa81dbaeff63fed74e/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java#L51)
is what we need here. Its builder has `setSubjectTokenSupplier()` where our
`OAuth2AccessTokenProvider` could be hooked in. As far as I understand, the
token exchange is handled internally so our responsibility is only to provide
an up-to-date subject token whenever it is requested.
What do you think? Could you please confirm that the access token does not
work after expiration?
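As an added illustration of the supplier-based approach the comment proposes (not code from the PR or from the NiFi project), this wires the token provider from the hunk in as the subject token supplier of an `IdentityPoolCredentials`, so the library re-fetches the subject token on every refresh instead of capturing it once. It assumes `GCPIdentityFederationTokenProvider` is the PR's interface in the same package, and the audience, subject token type and STS URL are placeholders for the real Workload Identity Pool values.

```java
import java.io.IOException;

import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdentityPoolCredentials;
import com.google.auth.oauth2.IdentityPoolSubjectTokenSupplier;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.oauth2.AccessToken;

// Added example, not part of the PR. GCPIdentityFederationTokenProvider is the
// PR's controller service interface, assumed to be in the same package here.
final class FederatedCredentialsExample {

    // The returned credential is refreshable: whenever the GCP client library
    // needs a new access token it invokes the supplier, which asks the NiFi
    // token provider for a current subject token, and the STS exchange itself
    // is performed by the library.
    static GoogleCredentials build(final GCPIdentityFederationTokenProvider tokenProvider) {
        final IdentityPoolSubjectTokenSupplier subjectTokenSupplier = context -> {
            final AccessToken token = tokenProvider.getAccessDetails();
            // Fail the refresh loudly instead of handing the library an empty token.
            if (token == null || StringUtils.isBlank(token.getAccessToken())) {
                throw new IOException("Identity Federation Token Provider returned no access token");
            }
            return token.getAccessToken();
        };

        return IdentityPoolCredentials.newBuilder()
                .setSubjectTokenSupplier(subjectTokenSupplier)
                // Placeholder values: the real ones come from the pool configuration.
                .setAudience("//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global"
                        + "/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID")
                .setSubjectTokenType("urn:ietf:params:oauth:token-type:jwt")
                .setTokenUrl("https://sts.googleapis.com/v1/token")
                .build();
    }
}
```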