Support the scopes option in workload identity (#178)

peburrows · Dec 20, 2024 · 4551d0b · 4551d0b
1 parent 2ac9f6e
commit 4551d0b
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/lib/goth/token.ex b/lib/goth/token.ex
@@ -292,7 +292,7 @@ defmodule Goth.Token do
           "service_account_impersonation_url" => service_account_impersonation_url
         }
 
-        request(%{config | source: {:workload_identity, credentials}})
+        request(%{config | source: {:workload_identity, credentials, opts}})
     end
   end
 
@@ -372,6 +372,11 @@ defmodule Goth.Token do
   end
 
   defp request(%{source: {:workload_identity, credentials}} = config) do
+    request(%{config | source: {:workload_identity, credentials, []}})
+  end
+
+  defp request(%{source: {:workload_identity, credentials, options}} = config)
+       when is_map(credentials) and is_list(options) do
     %{
       "token_url" => token_url,
       "audience" => audience,
@@ -386,7 +391,7 @@ defmodule Goth.Token do
         "audience" => audience,
         "grant_type" => "urn:ietf:params:oauth:grant-type:token-exchange",
         "requested_token_type" => "urn:ietf:params:oauth:token-type:access_token",
-        "scope" => "https://www.googleapis.com/auth/cloud-platform",
+        "scope" => List.first(@default_scopes),
         "subject_token_type" => subject_token_type,
         "subject_token" => subject_token_from_credential_source(credential_source, config)
       })
@@ -440,12 +445,12 @@ defmodule Goth.Token do
 
   defp handle_workload_identity_response(
          {:ok, %{status: 200, body: body}},
-         %{source: {:workload_identity, %{"service_account_impersonation_url" => url}}} = config
+         %{source: {:workload_identity, %{"service_account_impersonation_url" => url}, options}} = config
        ) do
     %{"access_token" => token, "token_type" => type} = Jason.decode!(body)
 
     headers = [{"content-type", "text/json"}, {"Authorization", "#{type} #{token}"}]
-    body = Jason.encode!(%{scope: "https://www.googleapis.com/auth/cloud-platform"})
+    body = Jason.encode!(%{scope: Keyword.get(options, :scopes, @default_scopes)})
     response = request(config.http_client, method: :post, url: url, headers: headers, body: body)
 
     handle_response(response)