feat(internaloption): add better support for self-signed JWT #738
Added a couple of new internaloptions, WithDefaultAudience and WithDefaultScopes, which will be used to start using self-signed JWTs by default when certain criteria are met:

1. Authenticating with a service account.
2. User does not explicitly provide their own scopes.
3. An audience is provided.

In the future gapic clients will begin to pass these new internaloptions which will enable them to authenticate with a JWT signed by a service account. This is a non-standard OAuth2 flow, and is an optimization to save an extra network request.
Merge-on-green attempted to merge your PR for 6 hours, but it was not mergeable because either one of your required status checks failed, or one of your required reviews was not approved. Learn more about your required status checks here: https://help.github.com/en/github/administering-a-repository/enabling-required-status-checks. You can remove and reapply the label to re-run the bot.
This option will be used to generate self-signed JWTs when the client is authenticated with a service account and the user does not provide additional scopes. Also, now marking the generated scopes as default so we can distinguish between generated and user-provided scopes. Related: googleapis/google-api-go-client#738
@bshaffer @tbpg @codyoss

`(ds.DefaultAudience != "" || len(ds.Audiences) > 0)`

The above change appears to be the faulting change.

Using

Reproducing code:

```go
opt := option.WithCredentialsFile("path/to/svc-acc.json")
validator, err := idtoken.NewValidator(ctx, opt)
validator.Validate(ctx, "some-token", "some-audience")
```

The fault happens during
@bendiknesbo Thanks for the report, I will look into this and get a patch out.
Added a couple of new internaloptions, WithDefaultAudience and
WithDefaultScopes, which will be used to start using self-signed
JWTs by default when certain criteria are met:
by the user.
In the future gapic clients will begin to pass these new
internaloptions which will enable them to authenticate with
a JWT signed by a service account. This is a non-standard OAuth2
flow and is an optimization to save an extra network request.
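
As an added illustration (not code from this PR or from google-api-go-client): a standard-library example of the self-signed JWT path the description refers to, where the token is signed locally with the service account key instead of being obtained through a network request, and is then checked against the matching public key. The function names, the nil key standing in for "not a service account", the claim layout (`iss` and `sub` set to the account e-mail, one-hour lifetime), and the sample e-mail, audience and timestamp are assumptions constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// SelfSignedJWT signs locally when the PR's criteria hold (nil key = no service account).
func SelfSignedJWT(key *rsa.PrivateKey, email string, userScopes []string, aud string, iat int64) (string, error) {
	if key == nil || len(userScopes) > 0 || aud == "" {
		return "", fmt.Errorf("criteria not met: use the regular OAuth2 token exchange")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": email, "sub": email, "aud": aud, "iat": iat, "exp": iat + 3600})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig), err
}

// Verify checks the RS256 signature only; a real validator also checks aud and exp.
func Verify(pub *rsa.PublicKey, token string) error {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed token")
	}
	sig, _ := b64.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

// NewDemoKey returns a constructed throwaway key standing in for the service account key.
func NewDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	key, err := NewDemoKey()
	if err != nil {
		panic(err)
	}
	tok, err := SelfSignedJWT(key, "sa@example.iam.gserviceaccount.com", nil, "https://example.googleapis.com/", 1700000000)
	fmt.Println(tok, err, Verify(&key.PublicKey, tok))
}
```

Because the audience is signed into the token, a verifier that also compares `aud` against its own endpoint rejects a token minted for a different service.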