feat(internaloption): add better support for self-signed JWT #738
Conversation
Added a couple of new internaloptions, WithDefaultAudience and WithDefaultScopes, which will be used to start using self-signed JWTs by default when certain criteria are met: 1. Authenticating with a service account. 2. User does not pass explicitly provide their own scopes. 3. An audience is provided. In the future gapic client will begin to pass these new internaloptions which will enable them to authenticate with with a JWT signed by a service account. This is a non-standard oAuth2 flow, and is an optimization to save an extra network request.
google-cla
bot
added
the
cla: yes
tbpg
added
the
automerge
|
Merge-on-green attempted to merge your PR for 6 hours, but it was not mergeable because either one of your required status checks failed, or one of your required reviews was not approved. Learn more about your required status checks here: https://help.github.com/en/github/administering-a-repository/enabling-required-status-checks. You can remove and reapply the label to re-run the bot. |
1 similar comment
|
Merge-on-green attempted to merge your PR for 6 hours, but it was not mergeable because either one of your required status checks failed, or one of your required reviews was not approved. Learn more about your required status checks here: https://help.github.com/en/github/administering-a-repository/enabling-required-status-checks. You can remove and reapply the label to re-run the bot. |
gcf-merge-on-green
bot
removed
the
automerge
This option will be used to generate self-signed JWTs when the client is authenticated with a service account and the user does not provide additional scopes. Also, now marking the generated scopes as default so we can distinguish between generated and user provided scopes. Related: googleapis/google-api-go-client#738
…pis#738) Added a couple of new internaloptions, WithDefaultAudience and WithDefaultScopes, which will be used to start using self-signed JWTs by default when certain criteria are met: 1. Authenticating with a service account. 2. User does not pass explicitly provide their own scopes. 3. An audience is provided. In the future gapic client will begin to pass these new internaloptions which will enable them to authenticate with with a JWT signed by a service account. This is a non-standard oAuth2 flow, and is an optimization to save an extra network request.
|
@bshaffer @tbpg @codyoss (ds.DefaultAudience != "" || len(ds.Audiences) > 0)The above change appears to be the faulting change. Using Reproducing code: opt := option.WithCredentialsFile("path/to/svc-acc.json")
validator, err := idtoken.NewValidator(ctx, opt)
validator.Validate(ctx, "some-token", "some-audience")The fault happens during |
|
@bendiknesbo Thanks for the report, I will look into this and get a patch out. |
Added a couple of new internaloptions, WithDefaultAudience and
WithDefaultScopes, which will be used to start using self-signed
JWTs by default when certain criteria are met:
by the user.
In the future gapic clients will begin to pass these new
internaloptions which will enable them to authenticate with with
a JWT signed by a service account. This is a non-standard oAuth2
flow and is an optimization to save an extra network request.