Add support for additional JWT claims (#180)

* Add support for additional JWT claims.

* Add IAP Service Acount sample, and update a few others

Author: Eric Koleda

samples/CloudIAPServiceAccount.gs

@@ -0,0 +1,66 @@
+/**
+ * This sample demonstrates how to connect to an application protected by Google
+ * Cloud's Identity-Aware Proxy (IAP), using a service account.
+ * @see https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_service_account
+ */
+
+// A client ID and secret created for this script. It must be in the same Cloud
+// Console project as the IAP-secured application.
+var PRIVATE_KEY =
+    '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n';
+var CLIENT_EMAIL = '...';
+
+// The OAuth client created automatically when you enabled IAP on your
+// applicaiton. Can be found by clicking "Edit OAuth Client" in the IAP
+// interface.
+var IAP_CLIENT_ID = '...';
+
+// A URL endpoint for your IAP-secured application.
+var IAP_URL = '...';
+
+/**
+ * Authorizes and makes a request to an endpoint protected by the Cloud
+ * Identity-Aware Proxy.
+ */
+function run() {
+  var service = getService();
+  if (service.hasAccess()) {
+    var response = UrlFetchApp.fetch(IAP_URL, {
+      headers: {
+        // As per the IAP documentation, use the id_token, not the access_token,
+        // to authorize the request.
+        Authorization: 'Bearer ' + service.getToken().id_token
+      }
+    });
+    var result = response.getContentText();
+    Logger.log(JSON.stringify(result, null, 2));
+  } else {
+    Logger.log(service.getLastError());
+  }
+}
+
+/**
+ * Reset the authorization state, so that it can be re-tested.
+ */
+function reset() {
+  getService().reset();
+}
+
+/**
+ * Configures the service.
+ */
+function getService() {
+  return OAuth2.createService('CloudIAPServiceAccount')
+      // Set the endpoint URL.
+      .setTokenUrl('https://accounts.google.com/o/oauth2/token')
+
+      // Set the private key and issuer.
+      .setPrivateKey(PRIVATE_KEY)
+      .setIssuer(CLIENT_EMAIL)
+      .setAdditionalClaims({
+        target_audience: IAP_CLIENT_ID
+      })
+
+      // Set the property store where authorized tokens should be persisted.
+      .setPropertyStore(PropertiesService.getScriptProperties());
+}

samples/GooglePlus.gs samples/Google.gssamples/GooglePlus.gs renamed to samples/Google.gs

@@ -1,13 +1,19 @@
+/*
+ * This sample demonstrates how to configure the library for Google APIs, using
+ * end-user authorization (Web Server flow).
+ * https://developers.google.com/identity/protocols/OAuth2WebServer
+ */
+
 var CLIENT_ID = '...';
 var CLIENT_SECRET = '...';
 
 /**
- * Authorizes and makes a request to the Google+ API.
+ * Authorizes and makes a request to the Google Drive API.
  */
 function run() {
   var service = getService();
   if (service.hasAccess()) {
-    var url = 'https://www.googleapis.com/plus/v1/people/me';
+    var url = 'https://www.googleapis.com/drive/v3/files?pageSize=1';
     var response = UrlFetchApp.fetch(url, {
       headers: {
         Authorization: 'Bearer ' + service.getAccessToken()
@@ -33,7 +39,7 @@ function reset() {
  * Configures the service.
  */
 function getService() {
-  return OAuth2.createService('GooglePlus')
+  return OAuth2.createService('Google')
       // Set the endpoint URLs.
       .setAuthorizationBaseUrl('https://accounts.google.com/o/oauth2/auth')
       .setTokenUrl('https://accounts.google.com/o/oauth2/token')
@@ -50,7 +56,7 @@ function getService() {
       .setPropertyStore(PropertiesService.getUserProperties())
 
       // Set the scope and additional Google-specific parameters.
-      .setScope('profile')
+      .setScope('https://www.googleapis.com/auth/drive')
       .setParam('access_type', 'offline')
       .setParam('approval_prompt', 'force')
       .setParam('login_hint', Session.getActiveUser().getEmail());

samples/GoogleServiceAccount.gs

@@ -1,15 +1,24 @@
+/*
+ * This sample demonstrates how to configure the library for Google APIs, using
+ * domain-wide delegation (Service Account flow).
+ * https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
+ */
+
+// Private key and client email of the service account.
 var PRIVATE_KEY =
     '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n';
 var CLIENT_EMAIL = '...';
+
+// Email address of the user to impersonate.
 var USER_EMAIL = '...';
 
 /**
- * Authorizes and makes a request to the Google+ API.
+ * Authorizes and makes a request to the Google Drive API.
  */
 function run() {
   var service = getService();
   if (service.hasAccess()) {
-    var url = 'https://www.googleapis.com/drive/v2/files?pageSize=1';
+    var url = 'https://www.googleapis.com/drive/v3/files?pageSize=1';
     var response = UrlFetchApp.fetch(url, {
       headers: {
         Authorization: 'Bearer ' + service.getAccessToken()

src/Service.js

@@ -265,6 +265,17 @@ Service_.prototype.setIssuer = function(issuer) {
   return this;
 };
 
+/**
+ * Sets additional JWT claims to use for Service Account authorization.
+ * @param {Object.<string,string>} additionalClaims The additional claims, as
+ *     key-value pairs.
+ * @return {Service_} This service, for chaining.
+ */
+Service_.prototype.setAdditionalClaims = function(additionalClaims) {
+  this.additionalClaims_ = additionalClaims;
+  return this;
+};
+
 /**
  * Sets the subject (sub) value to use for Service Account authorization.
  * @param {string} subject This subject value
@@ -696,6 +707,12 @@ Service_.prototype.createJwt_ = function() {
   if (this.params_.scope) {
     claimSet.scope = this.params_.scope;
   }
+  if (this.additionalClaims_) {
+    var additionalClaims = this.additionalClaims_;
+    Object.keys(additionalClaims).forEach(function(key) {
+      claimSet[key] = additionalClaims[key];
+    });
+  }
   var toSign = Utilities.base64EncodeWebSafe(JSON.stringify(header)) + '.' +
       Utilities.base64EncodeWebSafe(JSON.stringify(claimSet));
   var signatureBytes =