From 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33 Mon Sep 17 00:00:00 2001
From: Chris Broadfoot
Date: Tue, 7 May 2019 16:52:07 -0700
Subject: [PATCH] google: add some metadata to GCE tokens to identify the token's source
This is required for the direct path feature, which only works with this token source. It's not currently possible to determine the token source type from the return value of FindDefaultCredentials. Another option is to add another field to the Credentials struct, which we could still do later, but direct path is currently pretty experimental and whitelisted/opt-in, so I don't want to add to the public API surface unnecessarily. This CL functionally blocks https://code-review.googlesource.com/c/google-api-go-client/+/40950
Change-Id: Ifb5fe9c6e5c6b33eebb87b45d3c70eebfca691b3
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/175877
Reviewed-by: Chris Broadfoot
---
 google/google.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/google/google.go b/google/google.go
index 6eb2aa9..81de32b 100644
--- a/google/google.go
+++ b/google/google.go
@@ -194,9 +194,16 @@ func (cs computeSource) Token() (*oauth2.Token, error) {
 if res.ExpiresInSec == 0 || res.AccessToken == "" {
 return nil, fmt.Errorf("oauth2/google: incomplete token received from metadata")
 }
- return &oauth2.Token{
+ tok := &oauth2.Token{
 AccessToken: res.AccessToken,
 TokenType: res.TokenType,
 Expiry: time.Now().Add(time.Duration(res.ExpiresInSec) * time.Second),
- }, nil
+ }
+ // NOTE(cbro): add hidden metadata about where the token is from.
+ // This is needed for detection by client libraries to know that credentials come from the metadata server.
+ // This may be removed in a future version of this library.
+ return tok.WithExtra(map[string]interface{}{
+ "oauth2.google.tokenSource": "compute-metadata",
+ "oauth2.google.serviceAccount": acct,
+ }), nil
 }
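Review bot: The two extra keys passed to `tok.WithExtra(...)` are bare string literals that client libraries must match exactly, and the NOTE comment does not say that the marker is only a hint. Any other TokenSource can attach the same `oauth2.google.tokenSource` value through `WithExtra`, so a consumer should use it for feature selection only, never as proof that the token came from the metadata server; I would add `// These extras are an unauthenticated hint; any TokenSource can set them, so do not use them for trust decisions.` above the return. Declaring the two keys as unexported constants next to computeSource would also keep the producer and any in-package reader from drifting apart. `acct` is assigned earlier in Token(), outside this hunk, so which form of the account name ends up in `oauth2.google.serviceAccount` cannot be confirmed from here.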