google/downscope: additional examples

Updating examples to match the expected token broker & token consumer paradigm.

Change-Id: I9f6474e6d433e544dc92d8b1595e9538a5266043
GitHub-Last-Rev: 2149795f02
GitHub-Pull-Request: golang/oauth2#513
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/339190
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Chris Broadfoot <cbro@golang.org>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Patrick Jones 2021-08-09 20:35:43 +00:00 committed by Chris Broadfoot
parent 6f1e639406
commit faf39c7919
2 changed files with 29 additions and 16 deletions


@ -15,7 +15,7 @@ it has over those resources, and optionally attribute-based conditional
access to the aforementioned resources. For more information on IAM
Conditions, see https://cloud.google.com/iam/docs/conditions-overview.
This functionality would typically be used to provide a third party with
This functionality can be used to provide a third party with
limited access to and permissions on resources held by the owner of the root
credential or internally in conjunction with the principle of least privilege
to ensure that internal services only hold the minimum necessary privileges


@ -8,13 +8,19 @@ import (
"context"
"fmt"
"golang.org/x/oauth2/google"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google/downscope"
)
func ExampleNewTokenSource() {
// This shows how to generate a downscoped token. This code would be run on the
// token broker, which holds the root token used to generate the downscoped token.
ctx := context.Background()
// Initializes an accessBoundary with one Rule.
// Initializes an accessBoundary with one Rule which restricts the downscoped
// token to only be able to access the bucket "foo" and only grants it the
// permission "storage.objectViewer".
accessBoundary := []downscope.AccessBoundaryRule{
{
AvailableResource: "//storage.googleapis.com/projects/_/buckets/foo",
@ -26,7 +32,7 @@ func ExampleNewTokenSource() {
// This Source can be initialized in multiple ways; the following example uses
// Application Default Credentials.
// rootSource, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
rootSource, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
dts, err := downscope.NewTokenSource(ctx, downscope.DownscopingConfig{RootSource: rootSource, Rules: accessBoundary})
if err != nil {
@ -34,11 +40,18 @@ func ExampleNewTokenSource() {
return
}
// Enables automatic token refreshing
_ = oauth2.ReuseTokenSource(nil, dts)
tok, err := dts.Token()
if err != nil {
fmt.Printf("failed to generate token: %v", err)
return
}
_ = tok
// You can now pass tok to a token consumer however you wish, such as exposing
// a REST API and sending it over HTTP.
// You can now use the token held in myTokenSource to make
// You can instead use the token held in dts to make
// Google Cloud Storage calls, as follows:
// storageClient, err := storage.NewClient(ctx, option.WithTokenSource(myTokenSource))
// storageClient, err := storage.NewClient(ctx, option.WithTokenSource(dts))
}
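Review bot: The value returned by `oauth2.ReuseTokenSource(nil, dts)` under `// Enables automatic token refreshing` is discarded, so nothing in the example refreshes anything: the following `dts.Token()` call and the closing comment's `option.WithTokenSource(dts)` both use the unwrapped downscoped source, and the comment is misleading as written. Assign the wrapper back instead, `dts = oauth2.ReuseTokenSource(nil, dts)`, which type-checks because NewTokenSource returns an oauth2.TokenSource. In the preceding hunk of this file, the `err` from `google.DefaultTokenSource(...)` is overwritten by `dts, err := downscope.NewTokenSource(...)` before it is ever checked, so a failed root-credential lookup on the broker goes unnoticed until the downscoping call; add `if err != nil { fmt.Printf("failed to load root token source: %v", err); return }` between the two calls. ExampleNewTokenSource opens in the first hunk of this file, outside this one.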