Support direct workload identity federation and more credential_source options

lib/goth/token.ex

@@ -390,7 +390,20 @@ defmodule Goth.Token do
     {url, audience}
   end
 
-  defp subject_token_from_credential_source(%{"file" => file, "format" => %{"type" => "text"}}) do
+  defp subject_token_from_credential_source(%{"file" => file, "format" => format}) do
+    binary = File.read!(file)
+
+    case format do
+      %{"type" => "text"} ->
+        binary
+
+      %{"type" => "json", "subject_token_field_name" => field} ->
+        binary |> Jason.decode!() |> Map.fetch!(field)
+    end
+  end
+
+  # the default file type if not specified is "text"
+  defp subject_token_from_credential_source(%{"file" => file}) do
     File.read!(file)
   end
 
@@ -402,9 +415,8 @@ defmodule Goth.Token do
 
   defp handle_workload_identity_response(
          {:ok, %{status: 200, body: body}},
-         %{source: {:workload_identity, credentials}} = config
+         %{source: {:workload_identity, %{"service_account_impersonation_url" => url}}} = config
        ) do
-    url = Map.get(credentials, "service_account_impersonation_url")
     %{"access_token" => token, "token_type" => type} = Jason.decode!(body)
 
     headers = [{"content-type", "text/json"}, {"Authorization", "#{type} #{token}"}]

test/data/test-credentials-direct-workload-identity-json.json

@@ -0,0 +1,13 @@
+{
+  "audience": "//iam.googleapis.com/projects/my-project/locations/global/workloadIdentityPools/my-cluster/providers/my-provider",
+  "credential_source": {
+    "file": "test/data/workload-identity-token.json",
+    "format": {
+      "type": "json",
+      "subject_token_field_name": "token"
+    }
+  },
+  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+  "token_url": "https://sts.googleapis.com/v1/token",
+  "type": "external_account"
+}

test/data/test-credentials-direct-workload-identity.json

@@ -0,0 +1,9 @@
+{
+  "audience": "//iam.googleapis.com/projects/my-project/locations/global/workloadIdentityPools/my-cluster/providers/my-provider",
+  "credential_source": {
+    "file": "test/data/workload-identity-token"
+  },
+  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+  "token_url": "https://sts.googleapis.com/v1/token",
+  "type": "external_account"
+}

test/data/workload-identity-token.json

@@ -0,0 +1,3 @@
+{
+  "token": "workload-identity-token"
+}

test/goth/token_test.exs

@@ -228,6 +228,54 @@ defmodule Goth.TokenTest do
     assert token.scope == nil
   end
 
+  test "fetch/1 from direct workload identity" do
+    token_bypass = Bypass.open()
+
+    Bypass.expect(token_bypass, fn conn ->
+      assert conn.request_path == "/v1/token"
+
+      body = ~s|{"access_token":"dummy","expires_in":599,"token_type":"Bearer"}|
+      Plug.Conn.resp(conn, 200, body)
+    end)
+
+    credentials =
+      File.read!("test/data/test-credentials-direct-workload-identity.json")
+      |> Jason.decode!()
+      |> Map.put("token_url", "http://localhost:#{token_bypass.port}/v1/token")
+
+    config = %{
+      source: {:workload_identity, credentials}
+    }
+
+    {:ok, token} = Goth.Token.fetch(config)
+    assert token.token == "dummy"
+    assert token.scope == nil
+  end
+
+  test "fetch/1 from direct workload identity, json format" do
+    token_bypass = Bypass.open()
+
+    Bypass.expect(token_bypass, fn conn ->
+      assert conn.request_path == "/v1/token"
+
+      body = ~s|{"access_token":"dummy","expires_in":599,"token_type":"Bearer"}|
+      Plug.Conn.resp(conn, 200, body)
+    end)
+
+    credentials =
+      File.read!("test/data/test-credentials-direct-workload-identity-json.json")
+      |> Jason.decode!()
+      |> Map.put("token_url", "http://localhost:#{token_bypass.port}/v1/token")
+
+    config = %{
+      source: {:workload_identity, credentials}
+    }
+
+    {:ok, token} = Goth.Token.fetch(config)
+    assert token.token == "dummy"
+    assert token.scope == nil
+  end
+
   defp random_service_account_credentials do
     %{
       "private_key" => random_private_key(),