DownscopedClient

Defines a set of Google credentials that are downscoped from an existing set of Google OAuth2 credentials. This is useful to restrict the Identity and Access Management (IAM) permissions that a short-lived credential can use. The common pattern of usage is to have a token broker with elevated access generate these downscoped credentials from higher access source credentials and pass the downscoped short-lived access tokens to a token consumer via some secure authenticated channel for limited access to Google Cloud Storage resources.

Constructor

new DownscopedClient(options, credentialAccessBoundary)

Instantiates a downscoped client object using the provided source AuthClient and credential access boundary rules. To downscope permissions of a source AuthClient, a Credential Access Boundary that specifies which resources the new credential can access, as well as an upper bound on the permissions that are available on each resource, has to be defined. A downscoped client can then be instantiated using the source AuthClient and the Credential Access Boundary.

Parameters:

options: the DownscopedClientOptions to use. Passing an AuthClient directly is @DEPRECATED.

credentialAccessBoundary: @DEPRECATED. Provide a DownscopedClientOptions object in the first parameter instead.

Methods

(async) getRequestHeaders()

The main authentication interface. It takes an optional URL which, when present, is the endpoint being accessed, and returns a Promise that resolves with the authorization header fields.

The result has the form: { authorization: 'Bearer <access_token_value>' }

isExpired(downscopedAccessToken)

Returns whether the provided credentials are expired or not. If there is no expiry time, assumes the token is not expired or expiring.

Parameters:

downscopedAccessToken: The credentials to check for expiration.

Returns: Whether the credentials are expired or not.

(async) refreshAccessTokenAsync()

Forces a token refresh, even if unexpired tokens are currently cached. A GCP access token is retrieved from the source AuthClient and then exchanged for a downscoped access token via the token exchange endpoint.

Returns: A promise that resolves with the fresh downscoped access token.

(async) requestAsync(opts, reAuthRetried)

Authenticates the provided HTTP request, processes it and resolves with the returned response.

Parameters:

opts: The HTTP request options.

reAuthRetried (default: false): Whether the current attempt is a retry after a failed attempt due to an auth failure.

Returns: A promise that resolves with the successful response.

setCredentials(credentials)

Provides a mechanism to inject downscoped access tokens directly. The expiry_date field is required so that the token's expiration can be determined, which makes the token easier for the consumer to handle.

Parameters:

credentials: The Credentials object to set on the current client.
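As an added example (not code from the library or this reference page), the broker-side Credential Access Boundary a DownscopedClient is constructed with, the local checks applied before the token exchange, and the consumer-side expiry rule documented for isExpired() and setCredentials(). The field names, the 10-rule limit and the 5-minute eager-refresh threshold are assumptions taken from the library's behaviour rather than from this page; the bucket, role and prefix are constructed sample values.

```javascript
// Constructed sample values; the boundary restricts a token to one bucket prefix.
const BUCKET = 'example-reports-bucket';

// Builds the boundary object passed to DownscopedClient. Field names are assumed
// to match the library's CredentialAccessBoundary type.
function buildAccessBoundary(bucket, roles, prefix) {
  return {
    accessBoundary: {
      accessBoundaryRules: [{
        // Which resource the downscoped token may access.
        availableResource: `//storage.googleapis.com/projects/_/buckets/${bucket}`,
        // Upper bound on permissions: must be a subset of the source credential's.
        availablePermissions: roles.map(r => `inRole:${r}`),
        // Optional CEL condition narrowing access to objects under one prefix.
        availabilityCondition: {
          expression:
            `resource.name.startsWith('projects/_/buckets/${bucket}/objects/${prefix}')`,
        },
      }],
    },
  };
}

// Broker-side sanity checks before the boundary goes to the token exchange
// endpoint (assumption: 1..10 rules, each naming a resource and a permission).
function validateAccessBoundary(cab) {
  const rules = cab?.accessBoundary?.accessBoundaryRules;
  if (!Array.isArray(rules) || rules.length === 0) return 'at least one access boundary rule is required';
  if (rules.length > 10) return 'more than 10 access boundary rules';
  for (const rule of rules) {
    if (!rule.availableResource) return 'rule is missing availableResource';
    if (!rule.availablePermissions?.length) return 'rule needs at least one permission';
  }
  return null; // valid
}

// Consumer-side check with the rule documented for isExpired(): credentials with
// no expiry_date are treated as valid; otherwise the token counts as expired once
// it is within thresholdMs of expiry_date, so the consumer asks the broker early.
function isExpired(credentials, nowMs = Date.now(), thresholdMs = 5 * 60 * 1000) {
  if (credentials.expiry_date === undefined || credentials.expiry_date === null) return false;
  return credentials.expiry_date <= nowMs + thresholdMs;
}

const boundary = buildAccessBoundary(BUCKET, ['roles/storage.objectViewer'], 'reports/2024/');
console.log(validateAccessBoundary(boundary) ?? 'boundary ok');
```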