JWT token file call creds

Author: Zgoda91

alts/src/main/java/io/grpc/alts/JwtTokenFileCallCredentials.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2025 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.alts;
+
+import com.google.api.client.json.gson.GsonFactory;
+import com.google.api.client.json.webtoken.JsonWebSignature;
+import com.google.auth.oauth2.AccessToken;
+import com.google.auth.oauth2.OAuth2Credentials;
+import com.google.common.io.Files;
+import io.grpc.CallCredentials;
+import io.grpc.auth.MoreCallCredentials;
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Date;
+
+/**
+ * JWT token file call credentials.
+ * See gRFC A97 (https://github.com/grpc/proposal/pull/492).
+ */
+public final class JwtTokenFileCallCredentials extends OAuth2Credentials {
+  private String path = null;
+
+  private JwtTokenFileCallCredentials(String path) {
+    this.path = path;
+  }
+
+  @Override
+  public AccessToken refreshAccessToken() throws IOException {
+    String tokenString = new String(Files.toByteArray(new File(path)), StandardCharsets.UTF_8);
+    Long expTime = JsonWebSignature.parse(new GsonFactory(), tokenString)
+        .getPayload()
+        .getExpirationTimeSeconds();
+    if (expTime == null) {
+      throw new IOException("No expiration time found for JWT token");
+    }
+
+    return AccessToken.newBuilder()
+        .setTokenValue(tokenString)
+        .setExpirationTime(new Date(expTime * 1000L))
+        .build();
+  }
+
+  // using {@link MoreCallCredentials} adapter to be compatible with {@link CallCredentials} iface
+  public static CallCredentials create(String path) {
+    JwtTokenFileCallCredentials jwtTokenFileCallCredentials = new JwtTokenFileCallCredentials(path);
+    return MoreCallCredentials.from(jwtTokenFileCallCredentials);
+  }
+}

alts/src/test/java/io/grpc/alts/JwtTokenFileCallCredentialsTest.java

@@ -0,0 +1,122 @@
+/*
+ * Copyright 2025 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.alts;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
+
+import com.google.auth.oauth2.AccessToken;
+import com.google.common.io.BaseEncoding;
+import com.google.common.truth.Truth;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.nio.charset.StandardCharsets;
+import java.util.Date;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Unit tests for {@link JwtTokenFileCallCredentials}. */
+@RunWith(JUnit4.class)
+public class JwtTokenFileCallCredentialsTest {
+  @Rule
+  public TemporaryFolder tempFolder = new TemporaryFolder();
+
+  private File jwtTokenFile;
+  private JwtTokenFileCallCredentials unit;
+
+  @Before
+  public void setUp() throws Exception {
+    jwtTokenFile = tempFolder.newFile(new String("jwt.json"));
+
+    Constructor<JwtTokenFileCallCredentials> ctor =
+        JwtTokenFileCallCredentials.class.getDeclaredConstructor(String.class);
+    ctor.setAccessible(true);
+    unit = ctor.newInstance(jwtTokenFile.toString());
+  }
+
+  private void fillJwtTokenWithoutExpiration(File jwtFile) throws Exception {
+    FileOutputStream outputStream = new FileOutputStream(jwtFile);
+    String content =
+        BaseEncoding.base64().encode(
+            new String("{\"typ\": \"JWT\", \"alg\": \"HS256\"}").getBytes(StandardCharsets.UTF_8))
+        + "."
+        + BaseEncoding.base64().encode(
+            new String("{\"name\": \"Google\"}").getBytes(StandardCharsets.UTF_8))
+        + "."
+        + BaseEncoding.base64().encode(new String("signature").getBytes(StandardCharsets.UTF_8));
+    outputStream.write(content.getBytes(StandardCharsets.UTF_8));
+    outputStream.close();
+  }
+
+  private String fillValidJwtToken(File jwtFile, Long expTime) throws Exception {
+    FileOutputStream outputStream = new FileOutputStream(jwtFile);
+    String content =
+        BaseEncoding.base64().encode(
+            new String("{\"typ\": \"JWT\", \"alg\": \"HS256\"}").getBytes(StandardCharsets.UTF_8))
+        + "."
+        + BaseEncoding.base64().encode(
+            String.format("{\"exp\": %d}", expTime).getBytes(StandardCharsets.UTF_8))
+        + "."
+        + BaseEncoding.base64().encode(new String("signature").getBytes(StandardCharsets.UTF_8));
+    outputStream.write(content.getBytes(StandardCharsets.UTF_8));
+    outputStream.close();
+    return content;
+  }
+
+  @Test
+  public void givenJwtTokenFileEmpty_WhenTokenRefreshed_ExpectException() {
+    assertThrows(IllegalArgumentException.class, () -> {
+      unit.refreshAccessToken();
+    });
+  }
+
+  @Test
+  public void givenJwtTokenFileWithoutExpiration_WhenTokenRefreshed_ExpectException()
+      throws Exception {
+
+    fillJwtTokenWithoutExpiration(jwtTokenFile);
+
+    Exception ex = assertThrows(IOException.class, () -> {
+      unit.refreshAccessToken();
+    });
+
+    String expectedMsg = "No expiration time found for JWT token";
+    String actualMsg = ex.getMessage();
+
+    assertEquals(expectedMsg, actualMsg);
+  }
+
+  @Test
+  public void givenValidJwtTokenFile_WhenTokenRefreshed_ExpectAccessTokenInstance()
+      throws Exception {
+    final Long givenExpTimeInSeconds = 1753364000L;
+    final Date givenExpTimeDate = new Date(givenExpTimeInSeconds * 1000L);
+
+    String givenTokenValue = fillValidJwtToken(jwtTokenFile, givenExpTimeInSeconds);
+
+    AccessToken token = unit.refreshAccessToken();
+
+    Truth.assertThat(token.getExpirationTime()).isEquivalentAccordingToCompareTo(givenExpTimeDate);
+    assertEquals(token.getTokenValue(), givenTokenValue);
+  }
+}

xds/src/main/java/io/grpc/xds/GrpcBootstrapperImpl.java

@@ -18,7 +18,10 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableMap;
+import io.grpc.CallCredentials;
 import io.grpc.ChannelCredentials;
+import io.grpc.CompositeCallCredentials;
+import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.JsonUtil;
 import io.grpc.xds.client.BootstrapperImpl;
 import io.grpc.xds.client.XdsInitializationException;
@@ -33,6 +36,8 @@ class GrpcBootstrapperImpl extends BootstrapperImpl {
   private static final String BOOTSTRAP_PATH_SYS_PROPERTY = "io.grpc.xds.bootstrap";
   private static final String BOOTSTRAP_CONFIG_SYS_ENV_VAR = "GRPC_XDS_BOOTSTRAP_CONFIG";
   private static final String BOOTSTRAP_CONFIG_SYS_PROPERTY = "io.grpc.xds.bootstrapConfig";
+  private static final String GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS =
+      "GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS";
   @VisibleForTesting
   String bootstrapPathFromEnvVar = System.getenv(BOOTSTRAP_PATH_SYS_ENV_VAR);
   @VisibleForTesting
@@ -41,6 +46,9 @@ class GrpcBootstrapperImpl extends BootstrapperImpl {
   String bootstrapConfigFromEnvVar = System.getenv(BOOTSTRAP_CONFIG_SYS_ENV_VAR);
   @VisibleForTesting
   String bootstrapConfigFromSysProp = System.getProperty(BOOTSTRAP_CONFIG_SYS_PROPERTY);
+  @VisibleForTesting
+  static boolean xdsBootstrapCallCredsEnabled = GrpcUtil.getFlag(
+      GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS, false);
 
   GrpcBootstrapperImpl() {
     super();
@@ -90,7 +98,7 @@ protected String getJsonContent() throws XdsInitializationException, IOException
   }
 
   @Override
-  protected Object getImplSpecificConfig(Map<String, ?> serverConfig, String serverUri)
+  protected Object getImplSpecificChannelCredConfig(Map<String, ?> serverConfig, String serverUri)
       throws XdsInitializationException {
     return getChannelCredentials(serverConfig, serverUri);
   }
@@ -135,4 +143,58 @@ private static ChannelCredentials parseChannelCredentials(List<Map<String, ?>> j
     }
     return null;
   }
+
+  @Override
+  protected Object getImplSpecificCallCredConfig(Map<String, ?> serverConfig, String serverUri)
+      throws XdsInitializationException {
+    return getCallCredentials(serverConfig, serverUri);
+  }
+
+  private static CallCredentials getCallCredentials(Map<String, ?> serverConfig,
+                                                    String serverUri)
+      throws XdsInitializationException {
+    List<?> rawCallCredsList = JsonUtil.getList(serverConfig, "call_creds");
+    if (rawCallCredsList == null || rawCallCredsList.isEmpty()) {
+      return null;
+    }
+    CallCredentials callCredentials =
+        parseCallCredentials(JsonUtil.checkObjectList(rawCallCredsList), serverUri);
+    return callCredentials;
+  }
+
+  @Nullable
+  private static CallCredentials parseCallCredentials(List<Map<String, ?>> jsonList,
+                                                      String serverUri)
+      throws XdsInitializationException {
+    CallCredentials callCredentials = null;
+    if (xdsBootstrapCallCredsEnabled) {
+      for (Map<String, ?> callCreds : jsonList) {
+        String type = JsonUtil.getString(callCreds, "type");
+        if (type != null) {
+          XdsCredentialsProvider provider =  XdsCredentialsRegistry.getDefaultRegistry()
+              .getProvider(type);
+          if (provider != null) {
+            Map<String, ?> config = JsonUtil.getObject(callCreds, "config");
+            if (config == null) {
+              config = ImmutableMap.of();
+            }
+            CallCredentials parsedCallCredentials = provider.newCallCredentials(config);
+            if (parsedCallCredentials == null) {
+              throw new XdsInitializationException(
+                  "Invalid bootstrap: server " + serverUri + " with invalid 'config' for " + type
+                  + " 'call_creds'");
+            }
+
+            if (callCredentials == null) {
+              callCredentials = parsedCallCredentials;
+            } else {
+              callCredentials = new CompositeCallCredentials(
+                  callCredentials, parsedCallCredentials);
+            }
+          }
+        }
+      }
+    }
+    return callCredentials;
+  }
 }

xds/src/main/java/io/grpc/xds/GrpcXdsTransportFactory.java

@@ -23,6 +23,8 @@
 import io.grpc.CallOptions;
 import io.grpc.ChannelCredentials;
 import io.grpc.ClientCall;
+import io.grpc.CompositeCallCredentials;
+import io.grpc.CompositeChannelCredentials;
 import io.grpc.Context;
 import io.grpc.Grpc;
 import io.grpc.ManagedChannel;
@@ -68,11 +70,26 @@ public GrpcXdsTransport(ManagedChannel channel) {
 
     public GrpcXdsTransport(Bootstrapper.ServerInfo serverInfo, CallCredentials callCredentials) {
       String target = serverInfo.target();
-      ChannelCredentials channelCredentials = (ChannelCredentials) serverInfo.implSpecificConfig();
+      ChannelCredentials channelCredentials =
+          (ChannelCredentials) serverInfo.implSpecificChannelCredConfig();
+      Object callCredConfig = serverInfo.implSpecificCallCredConfig();
+      if (callCredConfig != null) {
+        channelCredentials = CompositeChannelCredentials.create(
+          channelCredentials, (CallCredentials) callCredConfig);
+      }
+
       this.channel = Grpc.newChannelBuilder(target, channelCredentials)
           .keepAliveTime(5, TimeUnit.MINUTES)
           .build();
-      this.callCredentials = callCredentials;
+
+      if (callCredentials != null && callCredConfig != null) {
+        this.callCredentials =
+            new CompositeCallCredentials(callCredentials, (CallCredentials) callCredConfig);
+      } else if (callCredConfig != null) {
+        this.callCredentials = (CallCredentials) callCredConfig;
+      } else {
+        this.callCredentials = callCredentials;
+      }
     }
 
     @VisibleForTesting

xds/src/main/java/io/grpc/xds/XdsCredentialsProvider.java

@@ -16,6 +16,7 @@
 
 package io.grpc.xds;
 
+import io.grpc.CallCredentials;
 import io.grpc.ChannelCredentials;
 import io.grpc.Internal;
 import java.util.Map;
@@ -49,6 +50,17 @@ public abstract class XdsCredentialsProvider {
   */
   protected abstract ChannelCredentials newChannelCredentials(Map<String, ?> jsonConfig);
 
+  /**
+  * Creates a {@link CallCredentials} from the given jsonConfig, or
+  * {@code null} if the given config is invalid. The provider is free to ignore
+  * the config if it's not needed for producing the channel credentials.
+  *
+  * @param jsonConfig json config that can be consumed by the provider to create
+  *                   the channel credentials
+  *
+  */
+  protected abstract CallCredentials newCallCredentials(Map<String, ?> jsonConfig);
+
   /**
    * Returns the xDS credential name associated with this provider which makes it selectable
    * via {@link XdsCredentialsRegistry#getProvider}. This is called only when the class is loaded.

xds/src/main/java/io/grpc/xds/XdsCredentialsRegistry.java

@@ -114,7 +114,7 @@ public static synchronized XdsCredentialsRegistry getDefaultRegistry() {
               new XdsCredentialsProviderPriorityAccessor());
       if (providerList.isEmpty()) {
         logger.warning("No XdsCredsRegistry found via ServiceLoader, including for GoogleDefault, "
-            + "TLS and Insecure. This is probably due to a broken build.");
+            + "TLS, Insecure and JWT token file. This is probably due to a broken build.");
       }
       instance = new XdsCredentialsRegistry();
       for (XdsCredentialsProvider provider : providerList) {
@@ -170,7 +170,13 @@ static List<Class<?>> getHardCodedClasses() {
     } catch (ClassNotFoundException e) {
       logger.log(Level.WARNING, "Unable to find TlsXdsCredentialsProvider", e);
     }
-      
+
+    try {
+      list.add(Class.forName("io.grpc.xds.internal.JwtTokenFileXdsCredentialsProvider"));
+    } catch (ClassNotFoundException e) {
+      logger.log(Level.WARNING, "Unable to find JwtTokenFileXdsCredentialsProvider", e);
+    }
+
     return Collections.unmodifiableList(list);
   }