credentials: implement file-based JWT Call Credentials (part 1 for A97) (#8431)

Part one for grpc/proposal#492 (A97). 
This is done in a new `credentials/jwt` package to provide file-based
PerRPCCallCredentials. It can be used beyond XDS. The package handles
token reloading, caching, and validation as per A97 .

There will be a separate PR which uses it in `xds/bootstrap`. 

Whilst implementing the above, I considered `credentials/oauth` and
`credentials/xds` packages instead of creating a new one. The former
package has `NewJWTAccessFromKey` and `jwtAccess` which seem very
relevant at first. However, I think the `jwtAccess` behaviour seems more
tailored towards Google services. Also, the refresh, caching, and error
behaviour for A97 is quite different than what's already there and
therefore a separate implementation would have still made sense.
WRT `credentials/xds`, it could have been extended to both handle
transport and call credentials. However, this is a bit at odds with A97
which says that the implementation should be non-XDS specific and, from
reading between the lines, usable beyond XDS.
I think the current approach makes review easier but because of the
similarities with the other two packages, it is a bit confusing to
navigate. Please let me know whether the structure should change.

Relates to istio/istio#53532

RELEASE NOTES:
- credentials: Add `credentials/jwt` package providing file-based JWT
PerRPCCredentials (A97).

Author: dimpavloff

credentials/jwt/doc.go

@@ -0,0 +1,50 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// Package jwt implements JWT token file-based call credentials.
+//
+// This package provides support for A97 JWT Call Credentials, allowing gRPC
+// clients to authenticate using JWT tokens read from files. While originally
+// designed for xDS environments, these credentials are general-purpose.
+//
+// The credentials can be used directly in gRPC clients or configured via xDS.
+//
+// # Token Requirements
+//
+// JWT tokens must:
+//   - Be valid, well-formed JWT tokens with header, payload, and signature
+//   - Include an "exp" (expiration) claim
+//   - Be readable from the specified file path
+//
+// # Considerations
+//
+// - Tokens are cached until expiration to avoid excessive file I/O
+// - Transport security is required (RequireTransportSecurity returns true)
+// - Errors in reading tokens or parsing JWTs will result in RPC UNAVAILALBE or
+// UNAUTHENTICATED errors. The errors are cached and retried with exponential
+// backoff.
+//
+// This implementation is originally intended for use in service mesh
+// environments like Istio where JWT tokens are provisioned and rotated by the
+// infrastructure.
+//
+// # Experimental
+//
+// Notice: All APIs in this package are experimental and may be removed in a
+// later release.
+package jwt

credentials/jwt/file_reader.go

@@ -0,0 +1,118 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package jwt
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+)
+
+var (
+	errTokenFileAccess = errors.New("token file access error")
+	errJWTValidation   = errors.New("invalid JWT")
+)
+
+// jwtClaims represents the JWT claims structure for extracting expiration time.
+type jwtClaims struct {
+	Exp int64 `json:"exp"`
+}
+
+// jwtFileReader handles reading and parsing JWT tokens from files.
+// It is safe to call methods on this type concurrently as no state is stored.
+type jwtFileReader struct {
+	tokenFilePath string
+}
+
+// readToken reads and parses a JWT token from the configured file.
+// Returns the token string, expiration time, and any error encountered.
+func (r *jwtFileReader) readToken() (string, time.Time, error) {
+	tokenBytes, err := os.ReadFile(r.tokenFilePath)
+	if err != nil {
+		return "", time.Time{}, fmt.Errorf("%v: %w", err, errTokenFileAccess)
+	}
+
+	token := strings.TrimSpace(string(tokenBytes))
+	if token == "" {
+		return "", time.Time{}, fmt.Errorf("token file %q is empty: %w", r.tokenFilePath, errJWTValidation)
+	}
+
+	exp, err := r.extractExpiration(token)
+	if err != nil {
+		return "", time.Time{}, fmt.Errorf("token file %q: %v: %w", r.tokenFilePath, err, errJWTValidation)
+	}
+
+	return token, exp, nil
+}
+
+const tokenDelim = "."
+
+// extractClaimsRaw returns the JWT's claims part as raw string. Even though the
+// header and signature are not used, it still expects that the input string to
+// be well-formed (ie comprised of exactly three parts, separated by a dot
+// character).
+func extractClaimsRaw(s string) (string, bool) {
+	_, s, ok := strings.Cut(s, tokenDelim)
+	if !ok { // no period found
+		return "", false
+	}
+	claims, s, ok := strings.Cut(s, tokenDelim)
+	if !ok { // only one period found
+		return "", false
+	}
+	_, _, ok = strings.Cut(s, tokenDelim)
+	if ok { // three periods found
+		return "", false
+	}
+	return claims, true
+}
+
+// extractExpiration parses the JWT token to extract the expiration time.
+func (r *jwtFileReader) extractExpiration(token string) (time.Time, error) {
+	claimsRaw, ok := extractClaimsRaw(token)
+	if !ok {
+		return time.Time{}, fmt.Errorf("expected 3 parts in token")
+	}
+	payloadBytes, err := base64.RawURLEncoding.DecodeString(claimsRaw)
+	if err != nil {
+		return time.Time{}, fmt.Errorf("decode error: %v", err)
+	}
+
+	var claims jwtClaims
+	if err := json.Unmarshal(payloadBytes, &claims); err != nil {
+		return time.Time{}, fmt.Errorf("unmarshal error: %v", err)
+	}
+
+	if claims.Exp == 0 {
+		return time.Time{}, fmt.Errorf("no expiration claims")
+	}
+
+	expTime := time.Unix(claims.Exp, 0)
+
+	// Check if token is already expired.
+	if expTime.Before(time.Now()) {
+		return time.Time{}, fmt.Errorf("expired token")
+	}
+
+	return expTime, nil
+}

credentials/jwt/file_reader_test.go

@@ -0,0 +1,172 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package jwt
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+)
+
+func (s) TestJWTFileReader_ReadToken_FileErrors(t *testing.T) {
+	tests := []struct {
+		name     string
+		create   bool
+		contents string
+		wantErr  error
+	}{
+		{
+			name:     "nonexistent_file",
+			create:   false,
+			contents: "",
+			wantErr:  errTokenFileAccess,
+		},
+		{
+			name:     "empty_file",
+			create:   true,
+			contents: "",
+			wantErr:  errJWTValidation,
+		},
+		{
+			name:     "file_with_whitespace_only",
+			create:   true,
+			contents: "   \n\t  ",
+			wantErr:  errJWTValidation,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var tokenFile string
+			if !tt.create {
+				tokenFile = "/does-not-exist"
+			} else {
+				tokenFile = writeTempFile(t, "token", tt.contents)
+			}
+
+			reader := jwtFileReader{tokenFilePath: tokenFile}
+			if _, _, err := reader.readToken(); err == nil {
+				t.Fatal("ReadToken() expected error, got nil")
+			} else if !errors.Is(err, tt.wantErr) {
+				t.Fatalf("ReadToken() error = %v, want error %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func (s) TestJWTFileReader_ReadToken_InvalidJWT(t *testing.T) {
+	now := time.Now().Truncate(time.Second)
+	tests := []struct {
+		name         string
+		tokenContent string
+		wantErr      error
+	}{
+		{
+			name:         "valid_token_without_expiration",
+			tokenContent: createTestJWT(t, time.Time{}),
+			wantErr:      errJWTValidation,
+		},
+		{
+			name:         "expired_token",
+			tokenContent: createTestJWT(t, now.Add(-time.Hour)),
+			wantErr:      errJWTValidation,
+		},
+		{
+			name:         "malformed_JWT_not_enough_parts",
+			tokenContent: "invalid.jwt",
+			wantErr:      errJWTValidation,
+		},
+		{
+			name:         "malformed_JWT_invalid_base64",
+			tokenContent: "header.invalid_base64!@#.signature",
+			wantErr:      errJWTValidation,
+		},
+		{
+			name:         "malformed_JWT_invalid_JSON",
+			tokenContent: createInvalidJWT(t),
+			wantErr:      errJWTValidation,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tokenFile := writeTempFile(t, "token", tt.tokenContent)
+
+			reader := jwtFileReader{tokenFilePath: tokenFile}
+			if _, _, err := reader.readToken(); err == nil {
+				t.Fatal("ReadToken() expected error, got nil")
+			} else if !errors.Is(err, tt.wantErr) {
+				t.Fatalf("ReadToken() error = %v, want error %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func (s) TestJWTFileReader_ReadToken_ValidToken(t *testing.T) {
+	now := time.Now().Truncate(time.Second)
+	tokenExp := now.Add(time.Hour)
+	token := createTestJWT(t, tokenExp)
+	tokenFile := writeTempFile(t, "token", token)
+
+	reader := jwtFileReader{tokenFilePath: tokenFile}
+	readToken, expiry, err := reader.readToken()
+	if err != nil {
+		t.Fatalf("ReadToken() unexpected error: %v", err)
+	}
+
+	if readToken != token {
+		t.Errorf("ReadToken() token = %q, want %q", readToken, token)
+	}
+
+	if !expiry.Equal(tokenExp) {
+		t.Errorf("ReadToken() expiry = %v, want %v", expiry, tokenExp)
+	}
+}
+
+// createInvalidJWT creates a JWT with invalid JSON in the payload.
+func createInvalidJWT(t *testing.T) string {
+	t.Helper()
+
+	header := map[string]any{
+		"typ": "JWT",
+		"alg": "HS256",
+	}
+
+	headerBytes, err := json.Marshal(header)
+	if err != nil {
+		t.Fatalf("Failed to marshal header: %v", err)
+	}
+
+	headerB64 := base64.URLEncoding.EncodeToString(headerBytes)
+	headerB64 = strings.TrimRight(headerB64, "=")
+
+	// Create invalid JSON payload
+	invalidJSON := "invalid json content"
+	payloadB64 := base64.URLEncoding.EncodeToString([]byte(invalidJSON))
+	payloadB64 = strings.TrimRight(payloadB64, "=")
+
+	signature := base64.URLEncoding.EncodeToString([]byte("fake_signature"))
+	signature = strings.TrimRight(signature, "=")
+
+	return fmt.Sprintf("%s.%s.%s", headerB64, payloadB64, signature)
+}