blob: 5a2c5951f06816fcf59a7c69d0a2b8d4106d8a4c [file] [log] [blame]
package luciauth
import (
"context"
luci_auth "go.chromium.org/luci/auth"
"golang.org/x/oauth2"
)
// NewLUCIContextTokenSource creates a new oauth2.TokenSource that uses
// LUCI_CONTEXT to generate tokens. This is the canonical way to obtain tokens
// for a service account tied to a Swarming task, ie. not the default GCE
// service account for a VM, but a service account specified in the task
// request. For more information, see:
// https://github.com/luci/luci-py/blob/master/client/LUCI_CONTEXT.md
//
// Individual scopes need to be specifically allowed by the LUCI token server.
// For this reason, it is recommended to use the compute.CloudPlatform scope.
func NewLUCIContextTokenSource(scopes ...string) (oauth2.TokenSource, error) {
authenticator := luci_auth.NewAuthenticator(context.Background(), luci_auth.SilentLogin, luci_auth.Options{
Method: luci_auth.LUCIContextMethod,
Scopes: append(scopes, luci_auth.OAuthScopeEmail),
})
return authenticator.TokenSource()
}