feat: Regional Access Boundary Changes

[vverman]

Contains changes for the feature Regional Access Boundary (Previously Called Trust Boundaries).

The following are salient changes:

1. Calls to refresh RAB are now all async and in a separate thread.
2. Logic for refreshing RAB now exists in its own class for cleaner maintenance.
3. Self-signed jwts are within scope.
4. Changes to how we trigger RAB refresh and deal with refresh errors.

[nbayati]

Why this method became public?

[vverman]

I made it so for ease of testing the getRegionalAccessBoundaryUrl logic. For ex: in the base external client we have scenarios where we want to test if the right url is returned or error is thrown in case of workload, workforce or a null audience.

[feywind]

I'd go ahead and put an @private on it, as that will cause it to be omitted from docs, but it will still show up in the transpiled class. Anyone digging in the source can see the @private to know they shouldn't use it.

Actually, it looks like @internal omits it from any exported .d.ts, so that may be enough. I'd double-check the output though, to see what it makes.

[nbayati]

@vverman +1 to using @internal if you can verify that it's omitted from docs and transpiled classes.

[vverman]

While @internal removes it from the type definitions, it doesn't remove it from the transpiled classes aka the .js files since they are needed for the logic to execute at runtime.

However if they are removed from the type definitions i.e. the d.ts type files a user cannot easily discover them as they wouldn't show up in their intellisense.

[feywind]

I don't see anything too weird in this, I guess let me know when you've got one that merges against main?

[feywind]

I'd go ahead and put an @private on it, as that will cause it to be omitted from docs, but it will still show up in the transpiled class. Anyone digging in the source can see the @private to know they shouldn't use it.

Actually, it looks like @internal omits it from any exported .d.ts, so that may be enough. I'd double-check the output though, to see what it makes.

[nbayati]

new URL(url) will throws a TypeError if the url string is a relative URL, or a malformed one.
We need to gracefully handle those cases by assuming they are global.

[nbayati]

@vverman +1 to using @internal if you can verify that it's omitted from docs and transpiled classes.

[nbayati]

idtoken client overrides getRequestMetadataAsync is not returning isIDToken=true.
IIUC, IdTokenClient inherits the default getRegionalAccessBoundaryUrl (which returns null), so RAB lookup happen for idtoken and we won't attach the header anyway, but I think setting this flag explicitly ensures we skip the RAB logic entirely and avoids unnecessary checks and future-proofs against changes in the base classes.

[vverman]

Made the change to IdToken client now passes back isIDtoken flag.

My only concern with this was that implementing a flag to explicitly exclude a client would mean we have to include all the clients like refreshclient (for long living Authorized user workflows).

However considering we're already implementing a flag for id-token I am okay with IdTokenClient explicitly returning a flag.