|
| 1 | +# Cloud AgentSpace and Discovery API with Domain-Wide Delegation (DWD) |
| 2 | + |
| 3 | +This project demonstrates how to authenticate and interact with Google Cloud's AgentSpace and Discovery Engine API using Domain-Wide Delegation (DWD) to impersonate a user. This approach is particularly useful when you need to perform actions on behalf of a specific user within your organization, leveraging the security and control provided by DWD. |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +The `OauthApplication.java` class showcases the following key functionalities: |
| 8 | + |
| 9 | +1. **Generating a Signed JWT:** It uses the Google IAM Credentials API to create a signed JSON Web Token (JWT) that asserts the identity of a user. |
| 10 | +2. **Exchanging JWT for Access Token:** It exchanges the signed JWT for an OAuth 2.0 access token from Google's OAuth 2.0 token endpoint. |
| 11 | +3. **Authenticating with Discovery Engine:** It uses the obtained access token to authenticate with the Discovery Engine API. |
| 12 | +4. **Performing a Search:** It executes a sample search query against a configured Discovery Engine data store. |
| 13 | + |
| 14 | +## Prerequisites |
| 15 | + |
| 16 | +Before running this project, ensure you have the following: |
| 17 | + |
| 18 | +* **Google Cloud Project:** A Google Cloud project with the Discovery Engine API enabled. |
| 19 | +* **Service Account:** A service account with the necessary permissions to access the Discovery Engine API and the IAM Credentials API. |
| 20 | +* **Domain-Wide Delegation:** Domain-Wide Delegation configured for the service account. |
| 21 | +* **Discovery Engine Data Store:** A data store created in Discovery Engine. |
| 22 | +* **Java Development Kit (JDK):** JDK 11 or higher. |
| 23 | +* **Maven:** For building and managing project dependencies. |
| 24 | +* **Google Cloud SDK (gcloud):** For interacting with Google Cloud services from the command line. |
| 25 | + |
| 26 | +## Configuration |
| 27 | + |
| 28 | +You'll need to configure the following parameters in the `OauthApplication.java` file: |
| 29 | + |
| 30 | +* `projectId`: Your Google Cloud project ID. |
| 31 | +* `location`: The location of your Discovery Engine data store (e.g., "global", "us", "eu"). |
| 32 | +* `collectionId`: The ID of the collection containing your data store (usually "default_collection"). |
| 33 | +* `engineId`: The ID of your Discovery Engine search engine. |
| 34 | +* `servingConfigId`: The ID of the serving configuration (usually "default_search"). |
| 35 | +* `searchUserEmail`: The email address of the user you want to impersonate. |
| 36 | +* `serviceAccountId`: The email address of the service account with DWD enabled. |
| 37 | +* `searchQuery`: The search query you want to execute. |
| 38 | + |
| 39 | +```java |
| 40 | + String projectId = "your-project-id"; // Project ID . |
| 41 | + String location = "global"; // Location of data store. Options: "global", "us", "eu" |
| 42 | + String collectionId = "default_collection"; // Collection containing the data store. |
| 43 | + String engineId = "your-engine-id"; // Engine ID. |
| 44 | + String servingConfigId = "default_search"; // Serving configuration. Options: "default_search" |
| 45 | + String searchUserEmail = "[email protected]"; // Email-id of the user to impersonate |
| 46 | + String serviceAccountId = "[email protected]"; // Service account with the permission on the WIF |
| 47 | + |
| 48 | + String searchQuery = "Sample Search Query"; // Search Query for the data store. |
| 49 | +``` |
| 50 | + |
| 51 | +## How It Works |
| 52 | + |
| 53 | +This project utilizes a series of steps to authenticate and perform searches using Domain-Wide Delegation. Here's a breakdown of the process: |
| 54 | + |
| 55 | +1. **JWT Generation:** The `generateSingedJwt()` method is responsible for creating a JSON Web Token (JWT). This JWT includes claims that identify both the user to be impersonated (`sub` claim) and the service account performing the impersonation (`iss` claim). |
| 56 | +2. **Token Exchange:** The `getAccessToken()` method takes the signed JWT and exchanges it for an OAuth 2.0 access token. This exchange occurs by sending the JWT to Google's OAuth 2.0 token endpoint. |
| 57 | +3. **Credential Creation:** The `generateCredentials()` method then takes the newly acquired access token and constructs OAuth 2.0 credentials that can be used for authentication. |
| 58 | +4. **Search Execution:** Finally, the `search()` method uses these credentials to instantiate a `SearchServiceClient`. This client is then used to execute a search request against the configured Discovery Engine. |
| 59 | + |
| 60 | + |
| 61 | +## Building and Running |
| 62 | + |
| 63 | +These instructions will guide you through the process of building and running the application. |
| 64 | + |
| 65 | +### Cloning the Repository |
| 66 | + |
| 67 | +1. Clone the repository to your local machine using Git: |
| 68 | + |
| 69 | + ```bash |
| 70 | + git clone <repository-url> |
| 71 | + ``` |
| 72 | + |
| 73 | +2. Navigate to the project directory: |
| 74 | + |
| 75 | + ```bash |
| 76 | + cd <project-directory> |
| 77 | + ``` |
| 78 | + |
| 79 | +### Building the Project |
| 80 | + |
| 81 | +1. Build the project using Maven: |
| 82 | + |
| 83 | + ```bash |
| 84 | + mvn clean install |
| 85 | + ``` |
| 86 | + |
| 87 | +### Running the Application |
| 88 | + |
| 89 | +1. Execute the application using the Maven `exec` plugin: |
| 90 | + |
| 91 | + ```bash |
| 92 | + mvn exec:java -Dexec.mainClass="com.google.cloud.pso.OauthApplication" |
| 93 | + ``` |
| 94 | + |
| 95 | +## Testing |
| 96 | +The OauthApplicationTest.java file contains unit tests to verify the functionality of the OauthApplication class. You can run the tests using Maven: |
| 97 | + |
| 98 | +```bash |
| 99 | +mvn test |
| 100 | +``` |
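Review bot: The Prerequisites section leaves the service account's "necessary permissions" and the Domain-Wide Delegation setup unspecified, which matters because DWD lets this service account act as any user in the domain; the README should name the specific IAM role required to sign JWTs through the IAM Credentials API and list the exact OAuth scopes a Workspace admin must authorize for the service account's client ID, so readers grant the minimum rather than broad roles. Two consistency points: the comment on `serviceAccountId` says "Service account with the permission on the WIF", but the flow described is DWD, not Workload Identity Federation, so it should read `// Service account with Domain-Wide Delegation enabled`; and `generateSingedJwt()` in "How It Works" looks like a typo for `generateSignedJwt()` and should match the method name actually declared in `OauthApplication.java`. Minor: the `[email protected]` values are obfuscation residue and should be replaced with clearly fake example addresses, and the "Testing" heading needs a blank line before its paragraph to match the rest of the document.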