feat: allow scopes for self signed jwt #689

arithmetic1728 · 2021-06-22T07:08:13Z

This PR allows self signed jwt to use scopes.
AIP: https://google.aip.dev/auth/4111
googlers see: go/yoshi-self-signed-jwt-phase-2

In ServiceAccountCredentials, this PR now uses JwtCredentials instead of ServiceAccountJwtCredentials. As a result, this PR reverted the changes made to ServiceAccountJwtCredentials in #572 #642 so the ServiceAccountJwtCredentials is the same as what it was before phrase 1.

The current behavior for ServiceAccountCredentials is:

if (hasScopes):
    if (useJwtAccessWithScope):
        // create a self signed JWT with "scope" set to the scope
    else:
        // call oauth token endpoint
else:
        // create a self signed JWT with modified uri as the audience

Follow up PRs:
(1) gax-java: googleapis/gax-java#1420
(2) gapic-generator-java: it will be a very simple change, same as https://github.com/arithmetic1728/java-kms/pull/2/files. Since Gapic clients will always sets scopes, once self signed JWT is enabled in the future, it will always use self signed JWT with scope claim.

This PR has been tested with cloudkms: https://github.com/arithmetic1728/java-kms/pull/2/files

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java

oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java

…oundaries (#698) * feat: Adding functional tests for Service Account (#685) ServiceAccountCredentials tests for 4110 * feat: allow scopes for self signed jwt (#689) * feat: self signed jwt support * update * address comments * allow to use uri as audience * address comments * chore: release 0.27.0 (#678) :robot: I have created a release \*beep\* \*boop\* --- ## [0.27.0](https://www.github.com/googleapis/google-auth-library-java/compare/v0.26.0...v0.27.0) (2021-07-14) ### Features * add Id token support for UserCredentials ([#650](https://www.github.com/googleapis/google-auth-library-java/issues/650)) ([5a8f467](https://www.github.com/googleapis/google-auth-library-java/commit/5a8f4676630854c53aa708a9c8b960770067f858)) * add impersonation credentials to ADC ([#613](https://www.github.com/googleapis/google-auth-library-java/issues/613)) ([b9823f7](https://www.github.com/googleapis/google-auth-library-java/commit/b9823f70d7f3f7461b7de40bee06f5e7ba0e797c)) * Adding functional tests for Service Account ([#685](https://www.github.com/googleapis/google-auth-library-java/issues/685)) ([dfe118c](https://www.github.com/googleapis/google-auth-library-java/commit/dfe118c261aadf137a3cf47a7acb9892c7a6db4d)) * allow scopes for self signed jwt ([#689](https://www.github.com/googleapis/google-auth-library-java/issues/689)) ([f4980c7](https://www.github.com/googleapis/google-auth-library-java/commit/f4980c77566bbd5ef4c532acb199d7d484dbcd01)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). * test: adds integration tests for downscoping with credential access boundaries Co-authored-by: Timur Sadykov <stim@google.com> Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com> Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

…s_in (#699) * feat: Adding functional tests for Service Account (#685) ServiceAccountCredentials tests for 4110 * feat: allow scopes for self signed jwt (#689) * feat: self signed jwt support * update * address comments * allow to use uri as audience * address comments * chore: release 0.27.0 (#678) :robot: I have created a release \*beep\* \*boop\* --- ## [0.27.0](https://www.github.com/googleapis/google-auth-library-java/compare/v0.26.0...v0.27.0) (2021-07-14) ### Features * add Id token support for UserCredentials ([#650](https://www.github.com/googleapis/google-auth-library-java/issues/650)) ([5a8f467](https://www.github.com/googleapis/google-auth-library-java/commit/5a8f4676630854c53aa708a9c8b960770067f858)) * add impersonation credentials to ADC ([#613](https://www.github.com/googleapis/google-auth-library-java/issues/613)) ([b9823f7](https://www.github.com/googleapis/google-auth-library-java/commit/b9823f70d7f3f7461b7de40bee06f5e7ba0e797c)) * Adding functional tests for Service Account ([#685](https://www.github.com/googleapis/google-auth-library-java/issues/685)) ([dfe118c](https://www.github.com/googleapis/google-auth-library-java/commit/dfe118c261aadf137a3cf47a7acb9892c7a6db4d)) * allow scopes for self signed jwt ([#689](https://www.github.com/googleapis/google-auth-library-java/issues/689)) ([f4980c7](https://www.github.com/googleapis/google-auth-library-java/commit/f4980c77566bbd5ef4c532acb199d7d484dbcd01)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). * test: adds integration tests for downscoping with credential access boundaries * fix: STS does not always return expires_in, fallback to source credential expiration for DownscopedCredentials * fix: review Co-authored-by: Timur Sadykov <stim@google.com> Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com> Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Jun 22, 2021

TimurSadykov self-requested a review June 24, 2021 20:31

arithmetic1728 force-pushed the self_signed_jwt branch from 3aa63b8 to a974cbe Compare June 28, 2021 23:50

feat: self signed jwt support

5c90934

arithmetic1728 force-pushed the self_signed_jwt branch from a974cbe to 5c90934 Compare June 29, 2021 19:12

update

25aaafd

arithmetic1728 marked this pull request as ready for review June 29, 2021 20:43

arithmetic1728 requested a review from a team as a code owner June 29, 2021 20:43

arithmetic1728 requested review from bshaffer and Neenu1995 June 29, 2021 20:58

Neenu1995 approved these changes Jun 30, 2021

View reviewed changes

TimurSadykov requested changes Jul 8, 2021

View reviewed changes

arithmetic1728 and others added 2 commits July 8, 2021 15:12

address comments

f3a9b09

Merge branch 'master' into self_signed_jwt

9273ff3

arithmetic1728 force-pushed the self_signed_jwt branch from bcf9304 to 9273ff3 Compare July 8, 2021 22:46

TimurSadykov reviewed Jul 9, 2021

View reviewed changes

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java Outdated Show resolved Hide resolved

arithmetic1728 force-pushed the self_signed_jwt branch from b09cef0 to 0382367 Compare July 12, 2021 23:32

allow to use uri as audience

c3f9740

arithmetic1728 force-pushed the self_signed_jwt branch from 0382367 to c3f9740 Compare July 12, 2021 23:40

TimurSadykov requested changes Jul 13, 2021

View reviewed changes

address comments

b3a62d7

TimurSadykov approved these changes Jul 14, 2021

View reviewed changes

arithmetic1728 merged commit f4980c7 into master Jul 14, 2021

arithmetic1728 deleted the self_signed_jwt branch July 14, 2021 05:20

release-please bot mentioned this pull request Jan 4, 2022

chore(main): release google-auth-library-java 1.0.0 #819

Closed

release-please bot mentioned this pull request Aug 11, 2022

chore(main): release 1.11.0 #974

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: allow scopes for self signed jwt #689

feat: allow scopes for self signed jwt #689

arithmetic1728 commented Jun 22, 2021 •

edited

feat: allow scopes for self signed jwt #689

feat: allow scopes for self signed jwt #689

Conversation

arithmetic1728 commented Jun 22, 2021 • edited

arithmetic1728 commented Jun 22, 2021 •

edited