Allow setting audience in ServiceAccountCredentials #755
Labels
priority: p3
type: feature request
Problem:
Trying to use service account credentials to access a Google API from a restricted network. The only external access available is via a reverse proxy configured by the network security team.
There is an endpoint configured to connect to the OAuth2 endpoint, and this can be configured using ServiceAccountCredentials.Builder.setTokenServerUri. However, this also changes the audience in the JWT, causing the request to be rejected by the upstream server.
Proposed solution:
The simplest solution, I think, is to add extra configuration options to the ServiceAccountCredentials and its Builder to allow the audience and token server URI to be set to different values. Then it would be possible to create this in the normal way, then use toBuilder() to create a new object with the overridden settings.
I think it would make sense to default to still using the same value for audience and URI if the user only sets the URI. This keeps the current behaviour and makes things less confusing in the normal case. If there was an extra option, something like setOverrideTokenAudience, and the audience would only be different from the URI if both were set, then this would be fairly simple to achieve.
Alternatives:
It is already possible to make this work, by keeping the default token URI, and providing a custom HttpTransportFactory which modifies the URI in the request. The problem is that this requires creating many custom classes. Also, I think the intention is much clearer to do this in the credentials layer, rather than messing around in the transport layer.
Perhaps there's another way to do this with subclassing or something clever, but many things are not accessible. For example, ServiceAccountCredentials has no public or protected constructors, so I don't think this is possible.
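A JDK-only model of the behaviour described in this issue, added here as an illustration; it is not code from google-auth-library or from the issue author. The class and method names, the proxy URL and the service account e-mail are hypothetical, the override semantics follow the setOverrideTokenAudience proposal above, and the JWT signature is left out so that only the `aud` claim is in view.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class AudienceOverrideDemo {
    // Google's token endpoint; assumed here to be the only "aud" the upstream server accepts.
    static final URI GOOGLE_TOKEN_URI = URI.create("https://oauth2.googleapis.com/token");
    // Constructed reverse-proxy URL (hypothetical).
    static final URI PROXY_TOKEN_URI = URI.create("https://proxy.corp.example/google/token");

    // Proposed rule: "aud" follows the token URI unless an override is also set.
    static String effectiveAudience(URI tokenServerUri, String overrideAudience) {
        return overrideAudience != null ? overrideAudience : tokenServerUri.toString();
    }

    // Base64url-encoded claim set of the JWT-bearer assertion (signature omitted).
    static String claimsSegment(String audience, long nowSeconds) {
        String json = String.format(
            "{\"iss\":\"%s\",\"scope\":\"%s\",\"aud\":\"%s\",\"iat\":%d,\"exp\":%d}",
            "my-sa@my-project.iam.gserviceaccount.com",        // constructed
            "https://www.googleapis.com/auth/cloud-platform",
            audience, nowSeconds, nowSeconds + 3600);
        return Base64.getUrlEncoder().withoutPadding()
            .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // Model of the upstream check: the assertion must be addressed to the real endpoint.
    static boolean upstreamAccepts(String claimsSegment) {
        String json = new String(
            Base64.getUrlDecoder().decode(claimsSegment), StandardCharsets.UTF_8);
        return json.contains("\"aud\":\"" + GOOGLE_TOKEN_URI + "\"");
    }

    // Builds the claims for one configuration and reports the upstream decision.
    static void attempt(String label, URI postTo, String overrideAudience) {
        String aud = effectiveAudience(postTo, overrideAudience);
        boolean ok = upstreamAccepts(claimsSegment(aud, System.currentTimeMillis() / 1000));
        System.out.printf("%-24s POST %s  aud=%s -> %s%n",
            label, postTo, aud, ok ? "accepted" : "rejected");
    }

    public static void main(String[] args) {
        attempt("default", GOOGLE_TOKEN_URI, null);
        attempt("proxy URI only", PROXY_TOKEN_URI, null);   // the problem in this issue
        attempt("proxy URI + audience", PROXY_TOKEN_URI, GOOGLE_TOKEN_URI.toString());
    }
}
```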