
feat: workload identity federation support #698

Merged
merged 22 commits into from Feb 16, 2021

Commits on Sep 3, 2020

  1. feat: defines internal utils for OAuth client Auth and error handling (#594)
    
    This defines internal utilities to handle:
    - OAuth client authentication
    - Standard OAuth error response parsing into OAuthError exception.
    bojeil-google committed Sep 3, 2020
    57f9922

Commits on Sep 10, 2020

  1. feat: implements the OAuth token exchange spec based on rfc8693 (#598)

    * refactor: split 'with_quota_project' into separate base class (#561)
    * feat: implements the OAuth token exchange spec based on rfc8693
    bojeil-google committed Sep 10, 2020
    1b45700

Commits on Sep 14, 2020

  1. feat: defines google.auth.external_account.Credentials abstract class for external_account credentials (#603)
    bojeil-google committed Sep 14, 2020
    86ee2aa

Commits on Sep 18, 2020

  1. feat: adds service account impersonation to `google.auth.external_account.Credentials` (#605)

    If the `service_account_impersonation_url` is provided, an additional step to exchange the external account GCP access token for a service account impersonated token is performed.
    
    This is needed because many Google Cloud services do not yet support external account GCP access tokens.
    
    In order to support service account impersonations, we depend on `google.auth.impersonated_credentials.Credentials`, which has been extended to accept an override of the IAM `GenerateAccessToken` endpoint. This is useful when supporting impersonation with regional endpoints.
    bojeil-google committed Sep 18, 2020
    283241f

Commits on Sep 29, 2020

  1. chore: sync to master (#616)

    Syncs the BYOID branch to master.
    
    No additional changes added.
    bojeil-google committed Sep 29, 2020
    1b6dbdd

Commits on Oct 1, 2020

  1. 1b4ad67

Commits on Oct 9, 2020

  1. feat: implements AWS signature version 4 for signing requests (#622)

    Implements the AWS signature version 4 for signing requests based on:
    https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
    
    It will be used to generate signed requests to AWS GetCallerIdentity API.
    https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
    
    This API is used to securely return details about the IAM user or role whose
    credentials are used to call the operation.
    
    The majority of the test cases are using the AWS SDK test fixtures.
    bojeil-google committed Oct 9, 2020
    6477a8b

Commits on Oct 19, 2020

  1. feat: defines google.auth.aws.Credentials used for AWS workloads (#625)
    
    This will subclass the abstract class `google.auth.external_account.Credentials` and will compute subject tokens as follows:
    
    - Retrieve AWS region from either `AWS_REGION` envvar or AWS metadata server `availability-zone`.
    - Check AWS credentials in environment variables:
      - `AWS_ACCESS_KEY_ID`
      - `AWS_SECRET_ACCESS_KEY`
      - `AWS_SESSION_TOKEN`.
    
      If not found, get them from the AWS metadata server `security-credentials` endpoint.
    - Get AWS credentials from the AWS metadata server `security-credentials` endpoint.
      In order to retrieve these, the AWS role needs to be determined by calling the
      `security-credentials` endpoint without any argument. Then the
      credentials can be retrieved via `security-credentials/role_name`.
    - Generate the signed request to AWS STS `GetCallerIdentity` action.
    - Inject `x-goog-cloud-target-resource` into reformatted header and serialize the
      signed request. This will be the subject-token to pass to GCP STS.
    bojeil-google committed Oct 19, 2020
    a57aba9
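The subject-token computation described in this commit, together with the SigV4 signing from commit #622 above, as an added Python example (not the library's own code). It assumes the region and AWS credentials have already been resolved by the steps listed, includes the `x-goog-cloud-target-resource` header among the signed headers, and serializes the signed request as percent-encoded JSON with `url`, `method` and `headers` keys (a wire format assumed here); all credential values are constructed.

```python
import datetime
import hashlib
import hmac
import json
import urllib.parse

QUERY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def build_subject_token(region, access_key, secret_key, session_token,
                        target_resource, now):
    """SigV4-sign a GetCallerIdentity request and serialize it for GCP STS.
    Region/credentials are assumed already resolved; `now` keeps output fixed."""
    host = f"sts.{region}.amazonaws.com"
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    # Every header below is covered by the signature, including the GCP
    # target resource, so the token is bound to one workload identity pool.
    headers = {"host": host, "x-amz-date": amz_date,
               "x-goog-cloud-target-resource": target_resource}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", QUERY,
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(b"").hexdigest()])  # empty body
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date, region, "sts", "aws4_request"):  # SigV4 key derivation
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    token = {"url": f"https://{host}?{QUERY}", "method": "POST",
             "headers": [{"key": k, "value": v} for k, v in headers.items()]}
    return urllib.parse.quote(json.dumps(token), safe="")  # assumed wire format


def parse_subject_token(token):
    """Inverse of the serialization above, for inspecting a token."""
    return json.loads(urllib.parse.unquote(token))


def example():
    """Constructed sample inputs (not real credentials)."""
    return build_subject_token(
        "us-east-1", "AKIAEXAMPLEKEY", "constructed-secret", "constructed-session",
        "//iam.googleapis.com/projects/123456/locations/global/"
        "workloadIdentityPools/pool/providers/aws",
        datetime.datetime(2020, 10, 19, 12, 0, 0, tzinfo=datetime.timezone.utc))
```

Because the target resource is signed, GCP STS can reject a token that was minted for a different workload identity pool even if the AWS credentials behind it are valid.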

Commits on Oct 22, 2020

  1. chore: sync to master (#628)

    * refactor: split 'with_quota_project' into separate base class (#561)
    
    Co-authored-by: Tres Seaver <tseaver@palladion.com>
    
    * fix: dummy commit to trigger an auto release (#597)
    
    * chore: release 1.21.1 (#599)
    
    * chore: updated CHANGELOG.md [ci skip]
    
    * chore: updated setup.cfg [ci skip]
    
    * chore: updated setup.py
    
    Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
    
    * fix: migrate signBlob to iamcredentials.googleapis.com (#600)
    
    Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com.
    
    This API is deprecated and will be shut down in one year.
    
    This is used by google.auth.iam.Signer.
    Added a system_test to sanity check the implementation.
    
    * chore: release 1.21.2 (#601)
    
    Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
    
    * fix: fix expiry for `to_json()` (#589)
    
    * This patch for #501 includes the following fixes:
    
    - The access token is always set to `None`, so the fix involves using (the access) `token` from the saved JSON credentials file.
    - For refresh needs, `expiry` also needs to be saved via `to_json()`.
        - DUMP: As `expiry` is a `datetime.datetime` object, serialize to `datetime.isoformat()` in the same [`oauth2client` format](https://github.com/googleapis/oauth2client/blob/master/oauth2client/client.py#L55) for consistency.
        - LOAD: Add code to restore `expiry` back to `datetime.datetime` object when imported.
        - LOAD: If `expiry` was unsaved, automatically set it as expired so refresh takes place.
    - Minor `scopes` updates
        - DUMP: Add property for `scopes` so `to_json()` can grab it
        - LOAD: `scopes` may be saved as a string instead of a JSON array (Python list), so ensure it is Sequence[str] when imported.
    
    * chore: add default CODEOWNERS (#609)
    
    * chore: release 1.21.3 (#607)
    
    * feat: add asyncio based auth flow (#612)
    
    * feat: asyncio http request logic and asynchronous credentials logic  (#572)
    
    Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com>
    
    * chore: release 1.22.0 (#615)
    
    Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
    
    * fix: move aiohttp to extra as it is currently internal surface (#619)
    
    Fix #618. Removes aiohttp from required dependencies to lessen dependency tree for google-auth.
    
    This will need to be looked at again as more folks use aiohttp and once the surface goes to public visibility.
    
    * chore: release 1.22.1 (#620)
    
    Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
    
    * fix: remove checks for ancient versions of Cryptography (#596)
    
    Refs #595 (comment) 
    
    I see no point in checking whether someone is running a version of https://github.com/pyca/cryptography/ from 2014 that doesn't even compile against modern versions of OpenSSL anymore.
    
    * chore: sync to master
    
    Syncs to master.
    Fixes broken unit tests in Python 3.6 and 3.7.
    Aligns test_identity_pool.py with test_aws.py.
    
    Co-authored-by: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com>
    Co-authored-by: Tres Seaver <tseaver@palladion.com>
    Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
    Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
    Co-authored-by: wesley chun <wescpy@gmail.com>
    Co-authored-by: Christopher Wilcox <crwilcox@google.com>
    Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com>
    Co-authored-by: Aarni Koskela <akx@iki.fi>
    9 people committed Oct 22, 2020
    cae69d5

Commits on Oct 27, 2020

  1. feat: implement get_project_id() for google.auth.external_account.Credentials (#631)
    
    This is introduced to support the current pattern of using the Auth library:
    
    `credentials, project_id = google.auth.default()`
    
    This will be added to the project ID determination logic:
    
    https://github.com/googleapis/google-auth-library-python/blob/3b3172ef94c110c81a49bc160123e8ff55141e65/google/auth/_default.py#L338
    
    This will first determine the project number from the STS audience:
    `//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...`
    
    It will then call cloud resource manager to determine the project information:
    https://cloudresourcemanager.googleapis.com/v1/projects/$PROJECT_NUMBER
    
    This may fail for the following reasons:
    
    - The resource may not have permission (resourcemanager.projects.get) to call this API
    - Required scopes may not be selected:
      https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes
    
    To reduce the cost of this API, we will fail quickly and not retry, and we will use the scopes provided as is.
    bojeil-google committed Oct 27, 2020
    c1e6dc8

Commits on Oct 30, 2020

  1. feat: Support external_accounts in google.auth.default() & `google.auth.load_credentials_from_file()` (#635)
    
    - Adds implicit ADC support for external account credentials via `google.auth.default()`.
    - Adds explicit support for external account credentials via `google.auth.load_credentials_from_file()`.
    - Adds optional `google.auth.transport.Request` argument to `load_credentials_from_file` to facilitate retrieval of workload identity pool project ID if determinable. This follows a similar pattern set by `_get_gce_credentials` method.
    - Related comprehensive unit tests have been added to only the public methods (`default()` and `load_credentials_from_file()`).
    - Updated constructor invalid argument exceptions for `google.auth.identity_pool.Credentials` and `google.auth.aws.Credentials` to be `ValueError` instead of `exceptions.GoogleAuthError`. This aligns these credentials with service account credentials behavior.
    bojeil-google committed Oct 30, 2020
    7db0738

Commits on Nov 17, 2020

  1. 281b612

Commits on Dec 11, 2020

  1. 2bd9e83

Commits on Jan 8, 2021

  1. 079c215

Commits on Feb 3, 2021

  1. 50dbd28

Commits on Feb 4, 2021

  1. 6001295

Commits on Feb 5, 2021

  1. 829c299
  2. 69940f4

Commits on Feb 11, 2021

  1. fix: Fixes google.auth.default() passing scopes to authorized user creds
    
    Reverted changes in `google.auth.default()` logic introduced in external account creds.
    `_get_explicit_environ_credentials` is called with no arguments as previously done.
    Instead, after the credential is returned via `with_scopes_if_required()`, we try to
    get the project ID if the credential has a `get_project_id` method and if the project ID
    has not yet been determined. This is a safer change while still keeping the logic to
    determine project ID for external credentials.
    bojeil-google committed Feb 11, 2021
    dfa3739

Commits on Feb 12, 2021

  1. 93bae9a

Commits on Feb 16, 2021

  1. e7e0ab5
  2. 90a7f80