feat: Use self-signed JWTs when non-default Universe Domains (#1722)

* feat: Use self-signed JWTs when non-default Universe Domains

* feat: AL-9

* fix: remove unused

Author: d-goog

src/auth/jwtclient.ts

@@ -24,6 +24,7 @@ import {
   OAuth2ClientOptions,
   RequestMetadataResponse,
 } from './oauth2client';
+import {DEFAULT_UNIVERSE} from './authclient';
 
 export interface JWTOptions extends OAuth2ClientOptions {
   email?: string;
@@ -119,7 +120,15 @@ export class JWT extends OAuth2Client implements IdTokenProvider {
     url = this.defaultServicePath ? `https://${this.defaultServicePath}/` : url;
     const useSelfSignedJWT =
       (!this.hasUserScopes() && url) ||
-      (this.useJWTAccessWithScope && this.hasAnyScopes());
+      (this.useJWTAccessWithScope && this.hasAnyScopes()) ||
+      this.universeDomain !== DEFAULT_UNIVERSE;
+
+    if (this.subject && this.universeDomain !== DEFAULT_UNIVERSE) {
+      throw new RangeError(
+        `Service Account user is configured for the credential. Domain-wide delegation is not supported in universes other than ${DEFAULT_UNIVERSE}`
+      );
+    }
+
     if (!this.apiKey && useSelfSignedJWT) {
       if (
         this.additionalClaims &&

test/test.jwt.ts

@@ -1007,6 +1007,72 @@ describe('jwt', () => {
       );
     });
 
+    it('signs JWT with audience if: user scope = true, default scope = true, audience = truthy, universeDomain = not default universe', async () => {
+      const stubGetRequestHeaders = sandbox.stub().returns({});
+      const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
+        getRequestHeaders: stubGetRequestHeaders,
+      });
+      const jwt = new JWT({
+        email: '[email protected]',
+        key: fs.readFileSync(PEM_PATH, 'utf8'),
+        scopes: ['scope1', 'scope2'],
+        universeDomain: 'my-universe.com',
+      });
+      jwt.defaultScopes = ['scope1', 'scope2'];
+      await jwt.getRequestHeaders('https//beepboop.googleapis.com');
+      sandbox.assert.calledOnce(stubJWTAccess);
+      sandbox.assert.calledWith(
+        stubGetRequestHeaders,
+        'https//beepboop.googleapis.com',
+        undefined,
+        undefined
+      );
+    });
+
+    it('signs JWT with audience if: user scope = true, default scope = true, audience = truthy, useJWTAccessWithScope = true, universeDomain = not default universe', async () => {
+      const stubGetRequestHeaders = sandbox.stub().returns({});
+      const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
+        getRequestHeaders: stubGetRequestHeaders,
+      });
+      const jwt = new JWT({
+        email: '[email protected]',
+        key: fs.readFileSync(PEM_PATH, 'utf8'),
+        scopes: ['scope1', 'scope2'],
+        universeDomain: 'my-universe.com',
+      });
+      jwt.useJWTAccessWithScope = true;
+      jwt.defaultScopes = ['scope1', 'scope2'];
+      await jwt.getRequestHeaders('https//beepboop.googleapis.com');
+      sandbox.assert.calledOnce(stubJWTAccess);
+      sandbox.assert.calledWith(
+        stubGetRequestHeaders,
+        'https//beepboop.googleapis.com',
+        undefined,
+        ['scope1', 'scope2']
+      );
+    });
+
+    it('throws on domain-wide delegation on non-default universe', async () => {
+      const stubGetRequestHeaders = sandbox.stub().returns({});
+      sandbox.stub(jwtaccess, 'JWTAccess').returns({
+        getRequestHeaders: stubGetRequestHeaders,
+      });
+      const jwt = new JWT({
+        email: '[email protected]',
+        key: fs.readFileSync(PEM_PATH, 'utf8'),
+        scopes: ['scope1', 'scope2'],
+        subject: '[email protected]',
+        universeDomain: 'my-universe.com',
+      });
+      jwt.useJWTAccessWithScope = true;
+      jwt.defaultScopes = ['scope1', 'scope2'];
+
+      await assert.rejects(
+        () => jwt.getRequestHeaders('https//beepboop.googleapis.com'),
+        /Domain-wide delegation is not supported in universes other than/
+      );
+    });
+
     it('does not use self signed JWT if target_audience provided', async () => {
       const JWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
         getRequestHeaders: sinon.stub().returns({}),