Update token creation (#3443)

Author: averikitsch

run/markdown-preview/editor/pom.xml

@@ -56,6 +56,11 @@
       <artifactId>okhttp</artifactId>
       <version>4.8.0</version>
     </dependency>
+    <dependency>
+      <groupId>com.google.auth</groupId>
+      <artifactId>google-auth-library-oauth2-http</artifactId>
+      <version>0.21.1</version>
+    </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>

run/markdown-preview/editor/src/main/java/com/example/cloudrun/RenderController.java

@@ -16,6 +16,9 @@
 
 package com.example.cloudrun;
 
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.auth.oauth2.IdTokenCredentials;
+import com.google.auth.oauth2.IdTokenProvider;
 import java.io.IOException;
 import java.util.concurrent.TimeUnit;
 import okhttp3.MediaType;
@@ -42,10 +45,11 @@ public String render(@RequestBody Data data) {
 
     String url = System.getenv("EDITOR_UPSTREAM_RENDER_URL");
     if (url == null) {
-      logger.error(
+      String msg =
           "No configuration for upstream render service: "
-          + "add EDITOR_UPSTREAM_RENDER_URL environment variable");
-      throw new IllegalStateException();
+              + "add EDITOR_UPSTREAM_RENDER_URL environment variable";
+      logger.error(msg);
+      throw new IllegalStateException(msg);
     }
 
     String html = makeAuthenticatedRequest(url, markdown);
@@ -61,42 +65,37 @@ public String render(@RequestBody Data data) {
           .build();
 
   // [START run_secure_request]
+  // makeAuthenticatedRequest creates a new HTTP request authenticated by a JSON Web Tokens (JWT)
+  // retrievd from Application Default Credentials.
   public String makeAuthenticatedRequest(String url, String markdown) {
-    Request.Builder serviceRequest = new Request.Builder().url(url);
+    String html = "";
+    try {
+      // Retrieve Application Default Credentials
+      GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
+      IdTokenCredentials tokenCredentials =
+          IdTokenCredentials.newBuilder()
+              .setIdTokenProvider((IdTokenProvider) credentials)
+              .setTargetAudience(url)
+              .build();
 
-    // If env var, "EDITOR_UPSTREAM_UNAUTHENTICATED", is not set then use authentication
-    Boolean authenticated = !Boolean.valueOf(System.getenv("EDITOR_UPSTREAM_UNAUTHENTICATED"));
-    if (authenticated) {
-      // Set up metadata server request
-      // https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature
-      String tokenUrl =
-          String.format(
-              "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=%s",
-              url);
-      Request tokenRequest =
-          new Request.Builder().url(tokenUrl).addHeader("Metadata-Flavor", "Google").get().build();
-      try {
-        // Fetch the token
-        Response tokenResponse = ok.newCall(tokenRequest).execute();
-        String token = tokenResponse.body().string();
-        // Provide the token in the request to the receiving service
-        serviceRequest.addHeader("Authorization", "Bearer " + token);
-      } catch (IOException e) {
-        logger.error("Unable to get authorization token", e);
-      }
-    }
+      // Create an ID token
+      String token = tokenCredentials.refreshAccessToken().getTokenValue();
+      // Instantiate HTTP request
+      MediaType contentType = MediaType.get("text/plain; charset=utf-8");
+      okhttp3.RequestBody body = okhttp3.RequestBody.create(markdown, contentType);
+      Request request =
+          new Request.Builder()
+              .url(url)
+              .addHeader("Authorization", "Bearer " + token)
+              .post(body)
+              .build();
 
-    MediaType contentType = MediaType.get("text/plain; charset=utf-8");
-    okhttp3.RequestBody body = okhttp3.RequestBody.create(markdown, contentType);
-    String response = "";
-    try {
-      Response serviceResponse = ok.newCall(serviceRequest.post(body).build()).execute();
-      response = serviceResponse.body().string();
+      Response response = ok.newCall(request).execute();
+      html = response.body().string();
     } catch (IOException e) {
       logger.error("Unable to get rendered data", e);
     }
-
-    return response;
+    return html;
   }
   // [END run_secure_request]
 }