auth: verify information in decoded JWT token instead of comparing hashing values, which involves creds issue and expiration time. (#6137)

auth/build.gradle

@@ -3,7 +3,8 @@ dependencies {
     compile project(':grpc-api'),
             libraries.google_auth_credentials
     testCompile project(':grpc-testing'),
-            libraries.google_auth_oauth2_http
+            libraries.google_auth_oauth2_http,
+            libraries.jwt
     signature "org.codehaus.mojo.signature:java17:1.0@signature"
     signature "net.sf.androidscents.signature:android-api-level-14:4.0_r4@signature"
 }

auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java

@@ -28,13 +28,14 @@ import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
 import com.google.auth.Credentials;
 import com.google.auth.RequestMetadataCallback;
 import com.google.auth.oauth2.AccessToken;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.OAuth2Credentials;
 import com.google.auth.oauth2.ServiceAccountCredentials;
-import com.google.auth.oauth2.ServiceAccountJwtAccessCredentials;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.LinkedListMultimap;
 import com.google.common.collect.ListMultimap;
@@ -42,7 +43,6 @@ import com.google.common.collect.Multimaps;
 import io.grpc.Attributes;
 import io.grpc.CallCredentials;
 import io.grpc.CallCredentials.MetadataApplier;
-import io.grpc.CallCredentials.RequestInfo;
 import io.grpc.Metadata;
 import io.grpc.MethodDescriptor;
 import io.grpc.SecurityLevel;
@@ -393,17 +393,6 @@ public class GoogleAuthLibraryCallCredentialsTest {
   @Test
   public void jwtAccessCredentialsInRequestMetadata() throws Exception {
     KeyPair pair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
-    RequestInfo requestInfo = new RequestInfoImpl("example.com:123");
-
-    ServiceAccountJwtAccessCredentials jwtCreds =
-        ServiceAccountJwtAccessCredentials.newBuilder()
-            .setClientId("test-client")
-            .setClientEmail("test-email@example.com")
-            .setPrivateKey(pair.getPrivate())
-            .setPrivateKeyId("test-private-key-id")
-            .build();
-    List<String> expectedAuthMetadata = jwtCreds
-        .getRequestMetadata(new URI("https://example.com:123/a.service")).get("Authorization");
 
     ServiceAccountCredentials credentials =
         ServiceAccountCredentials.newBuilder()
@@ -414,12 +403,18 @@ public class GoogleAuthLibraryCallCredentialsTest {
             .build();
     GoogleAuthLibraryCallCredentials callCredentials =
         new GoogleAuthLibraryCallCredentials(credentials);
-    callCredentials.applyRequestMetadata(requestInfo, executor, applier);
+    callCredentials.applyRequestMetadata(new RequestInfoImpl("example.com:123"), executor, applier);
 
     verify(applier).apply(headersCaptor.capture());
     Metadata headers = headersCaptor.getValue();
-    assertArrayEquals(Iterables.toArray(expectedAuthMetadata, String.class),
+    String token =
-        Iterables.toArray(headers.getAll(AUTHORIZATION), String.class));
+        Iterables.getOnlyElement(headers.getAll(AUTHORIZATION)).substring("Bearer".length());
+    DecodedJWT decoded = JWT.decode(token);
+    assertEquals("test-private-key-id", decoded.getKeyId());
+    assertEquals("https://example.com:123/a.service",
+        Iterables.getOnlyElement(decoded.getAudience()));
+    assertEquals("test-email@example.com", decoded.getIssuer());
+    assertEquals("test-email@example.com", decoded.getSubject());
   }
 
   private int runPendingRunnables() {

build.gradle

@@ -191,6 +191,7 @@ subprojects {
             hpack: 'com.twitter:hpack:0.10.1',
             javax_annotation: 'javax.annotation:javax.annotation-api:1.2',
             jsr305: 'com.google.code.findbugs:jsr305:3.0.2',
+            jwt: 'com.auth0:java-jwt:3.8.2',
             google_api_protos: 'com.google.api.grpc:proto-google-common-protos:1.12.0',
             google_auth_credentials: "com.google.auth:google-auth-library-credentials:${googleauthVersion}",
             google_auth_oauth2_http: "com.google.auth:google-auth-library-oauth2-http:${googleauthVersion}",