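I need to separate the authentication phase from the creation of Google's Api, but it is very hard (for me) to do that.
This is very important because I am creating a REST service that should receive previously acquired authorization tokens rather than credentials directly from its users, for security reasons, because with tokens I can set a lifetime limit as specified in RFC 6750.
I have the following code: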
public class Main {
    public static void main(String[] args) {
        // Reads the JSON credential file provided by Google
        String jsonContent = readJson(args[1]);
        // Pass the credential content
        GoogleComputeEngineApi googleApi =
                createApi(jsonContent);
    }

    public static GoogleComputeEngineApi createApi(final String jsonCredentialContent) {
        try {
            Supplier<Credentials> credentialSupplier = new GoogleCredentialsFromJson(
                    jsonCredentialContent);
            ComputeServiceContext context = ContextBuilder
                    .newBuilder("google-compute-engine")
                    .credentialsSupplier(credentialSupplier)
                    .buildView(ComputeServiceContext.class);
            Credentials credentials = credentialSupplier.get();
            ContextBuilder contextBuilder = ContextBuilder
                    .newBuilder(GoogleComputeEngineProviderMetadata.builder()
                            .build())
                    .credentials(credentials.identity, credentials.credential);
            Injector injector = contextBuilder.buildInjector();
            return injector.getInstance(GoogleComputeEngineApi.class);
        } catch (Exception e) {
            System.out.println(e.getMessage());
            e.printStackTrace();
            return null;
        }
    }
}

Below is pseudocode that does what I need:
public class Main {
    public static void main(String[] args) {
        String jsonCredentialContent = readJson(args[1]);
        String oauthToken = "";
        // First acquires the OAuth token
        if (getAuthenticationType("google-compute-engine").equals("oauth")) {
            oauthToken = getTokenForOAuth(jsonCredentialContent);
        }
        // Creates the Api with the previously acquired token
        GoogleComputeEngineApi googleApi =
                createApi(oauthToken);
    }
    [...]
}

Posted on 2017-11-06 07:38:11
You can use the jclouds API directly to obtain the bearer token, like this:

GoogleCredentialsFromJson credentials = new GoogleCredentialsFromJson(jsoncreds);
AuthorizationApi oauth = ContextBuilder.newBuilder("google-compute-engine")
        .credentialsSupplier(credentials)
        .buildApi(AuthorizationApi.class);
try {
    long nowInSeconds = System.currentTimeMillis() / 1000;
    Claims claims = Claims.create(
            credentials.get().identity, // issuer
            "https://www.googleapis.com/auth/compute", // write scope
            "https://accounts.google.com/o/oauth2/token", // audience
            nowInSeconds + 60, // token expiration (seconds)
            nowInSeconds // current time (seconds)
    );
    Token token = oauth.authorize(claims);
    System.out.println(token);
} finally {
    oauth.close();
}

Once you have the Bearer access token, you can create the jclouds context with it, like this:
// Override GCE default Oauth flow (JWT) by the Bearer token flow
Properties overrides = new Properties();
overrides.put(OAuthProperties.CREDENTIAL_TYPE, CredentialType.BEARER_TOKEN_CREDENTIALS.toString());
// It is important to set the proper identity too, as it is used to resolve the GCE project
ComputeServiceContext ctx = ContextBuilder.newBuilder("google-compute-engine")
        .overrides(overrides)
        .credentials(credentials.get().identity, token.accessToken())
        .buildView(ComputeServiceContext.class);
GoogleComputeEngineApi google = ctx.unwrapApi(GoogleComputeEngineApi.class);

https://stackoverflow.com/questions/47126996
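
The REST side of the split described in the question, as an added example that is not part of the original question or answer: it accepts an `Authorization` header, checks it against the RFC 6750 bearer syntax, and only then builds the API with the bearer-token override shown in the answer. The class and method names (`BearerGceApiFactory`, `extractBearerToken`, `createApi`) are hypothetical; the jclouds calls are the ones used in the answer.

```java
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.jclouds.ContextBuilder;
import org.jclouds.compute.ComputeServiceContext;
import org.jclouds.googlecomputeengine.GoogleComputeEngineApi;
import org.jclouds.oauth.v2.config.CredentialType;
import org.jclouds.oauth.v2.config.OAuthProperties;

// Hypothetical helper (not jclouds code): this side never sees the JSON key, only a token.
public final class BearerGceApiFactory {

    // RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
    private static final Pattern BEARER =
            Pattern.compile("^Bearer +([A-Za-z0-9\\-._~+/]+=*)$", Pattern.CASE_INSENSITIVE);

    private BearerGceApiFactory() {
    }

    /** Returns the token from an Authorization header value, or throws if it is malformed. */
    public static String extractBearerToken(String authorizationHeader) {
        if (authorizationHeader == null) {
            throw new IllegalArgumentException("Missing Authorization header");
        }
        Matcher m = BEARER.matcher(authorizationHeader.trim());
        if (!m.matches()) {
            // Do not echo the header value in the message: it may contain a secret.
            throw new IllegalArgumentException("Authorization header is not a Bearer credential");
        }
        return m.group(1);
    }

    /**
     * Builds the GCE API from a token obtained elsewhere. The identity must be the
     * value the token was issued for (credentials.get().identity in the answer).
     */
    public static GoogleComputeEngineApi createApi(String identity, String authorizationHeader) {
        String accessToken = extractBearerToken(authorizationHeader);
        Properties overrides = new Properties();
        overrides.put(OAuthProperties.CREDENTIAL_TYPE,
                CredentialType.BEARER_TOKEN_CREDENTIALS.toString());
        ComputeServiceContext ctx = ContextBuilder.newBuilder("google-compute-engine")
                .overrides(overrides)
                .credentials(identity, accessToken)
                .buildView(ComputeServiceContext.class);
        return ctx.unwrapApi(GoogleComputeEngineApi.class);
    }
}
```

The token requested in the answer expires 60 seconds after issue, so a caller of this helper has to obtain a fresh token once that window has passed.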