Use the new cloud auth library to get access tokens (#173)

Use the new auth library cloud.google.com/go/auth/credentials to obtain ADC, and always request JWT tokens instead of OAuth tokens for service accounts. This enables this cred helper to work across universe domains.

credhelper/helper.go

@@ -19,20 +19,20 @@ for GCR authentication.
 package credhelper
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
 	"strings"
 
+	cloudcreds "cloud.google.com/go/auth/credentials"
 	"github.com/GoogleCloudPlatform/docker-credential-gcr/v2/auth"
 	"github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config"
 	"github.com/GoogleCloudPlatform/docker-credential-gcr/v2/store"
 	"github.com/GoogleCloudPlatform/docker-credential-gcr/v2/util/cmd"
 	"github.com/docker/docker-credential-helpers/credentials"
-
 	"golang.org/x/oauth2"
-	"golang.org/x/oauth2/google"
 )
 
 // gcrCredHelper implements a credentials.Helper interface backed by a GCR
@@ -146,11 +146,7 @@ func (ch *gcrCredHelper) getGCRAccessToken() (string, error) {
 }
 
 /*
-tokenFromEnv retrieves a gcloud access_token from the environment.
-
-From https://godoc.org/golang.org/x/oauth2/google:
-
-DefaultTokenSource is a token source that uses "Application Default Credentials".
+tokenFromEnv retrieves a JWT access_token from the environment.
 
 It looks for credentials in the following places, preferring the first location found:
 
@@ -165,25 +161,28 @@ It looks for credentials in the following places, preferring the first location
     (In this final case any provided scopes are ignored.)
 */
 func tokenFromEnv() (string, error) {
-	ts, err := google.DefaultTokenSource(config.OAuthHTTPContext, config.GCRScopes...)
+	creds, err := cloudcreds.DetectDefault(&cloudcreds.DetectOptions{
+		Scopes:           config.GCRScopes,
+		UseSelfSignedJWT: true,
+	})
 	if err != nil {
-		return "", err
+		return "", helperErr("failed to detect default credentials", err)
 	}
 
-	token, err := ts.Token()
+	token, err := creds.Token(context.Background())
 	if err != nil {
 		return "", err
 	}
 
-	if !token.Valid() {
+	if !token.IsValid() {
 		return "", helperErr("token was invalid", nil)
 	}
 
-	if token.Type() != "Bearer" {
-		return "", helperErr(fmt.Sprintf("expected token type \"Bearer\" but got \"%s\"", token.Type()), nil)
+	if token.Type != "Bearer" {
+		return "", helperErr(fmt.Sprintf("expected token type \"Bearer\" but got \"%s\"", token.Type), nil)
 	}
 
-	return token.AccessToken, nil
+	return token.Value, nil
 }
 
 // tokenFromGcloudSDK attempts to generate an access_token using the gcloud SDK.

go.mod

@@ -3,24 +3,24 @@ module github.com/GoogleCloudPlatform/docker-credential-gcr/v2
 go 1.21
 
 require (
+	cloud.google.com/go/auth v0.10.0
 	github.com/docker/cli v24.0.5+incompatible
 	github.com/docker/docker-credential-helpers v0.6.4
 	github.com/golang/mock v1.6.0
 	github.com/google/subcommands v1.2.0
 	github.com/toqueteos/webbrowser v1.2.0
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/oauth2 v0.22.0
+	golang.org/x/sync v0.8.0
 )
 
 require (
-	cloud.google.com/go/compute v1.1.0 // indirect
+	cloud.google.com/go/compute/metadata v0.5.2 // indirect
 	github.com/docker/docker v24.0.5+incompatible // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
 	gotest.tools/v3 v3.0.3 // indirect
 )