feat(internal): [AIP-4111] support scopes for self-signed JWT auth flow #1075
Thanks for the PR, a few suggestions and comments.
internal/creds.go
Outdated
if len(audiences) > 1 { | ||
return nil, fmt.Errorf("multiple audiences support is not implemented") | ||
func isSelfSignedJWTFlow(data []byte, ds *DialSettings) (bool, error) { | ||
if (ds.EnableJwtWithScope || ds.HasCustomAudience()) && |
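Review bot: isSelfSignedJWTFlow has no doc comment, and the leading term at `if (ds.EnableJwtWithScope || ds.HasCustomAudience()) &&` short-circuits to false whenever neither the opt-in flag nor a custom audience is set, so whatever follows the `&&` is never evaluated for a caller relying on defaults. Suggest a comment above the function listing each case that selects the self-signed JWT flow, and a separate term or early return for any default case that should also qualify, so that the choice of auth flow is stated explicitly rather than left to the shape of one boolean expression.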
Hmm, what if EnableJwtWithScope is false and scopes is empty and no custom audience is specified by user? Shouldn't we still try SelfSignedJWTFlow with the default audience?
Good point. I don't think in practice the scope will ever be empty since we always provide default scopes in our clients, but it does no harm to do the extra check.
Thanks for review. @codyoss @andyrzhao PTAL
Looks good overall. Some minor comments.
LGTM, thank you for your work on this feature!
🤖 I have created a release \*beep\* \*boop\*

---

## [0.49.0](https://www.github.com/googleapis/google-api-go-client/compare/v0.48.0...v0.49.0) (2021-06-23)

### Features

* **all:** auto-regenerate discovery clients, refs [#1085](https://www.github.com/googleapis/google-api-go-client/issues/1085) [#1084](https://www.github.com/googleapis/google-api-go-client/issues/1084) [#1082](https://www.github.com/googleapis/google-api-go-client/issues/1082) [#1080](https://www.github.com/googleapis/google-api-go-client/issues/1080) [#1079](https://www.github.com/googleapis/google-api-go-client/issues/1079) [#1078](https://www.github.com/googleapis/google-api-go-client/issues/1078) [#1076](https://www.github.com/googleapis/google-api-go-client/issues/1076) [#1073](https://www.github.com/googleapis/google-api-go-client/issues/1073) [#1071](https://www.github.com/googleapis/google-api-go-client/issues/1071) [#1070](https://www.github.com/googleapis/google-api-go-client/issues/1070) [#1068](https://www.github.com/googleapis/google-api-go-client/issues/1068) [#1067](https://www.github.com/googleapis/google-api-go-client/issues/1067) [#1066](https://www.github.com/googleapis/google-api-go-client/issues/1066) [#1064](https://www.github.com/googleapis/google-api-go-client/issues/1064) [#1063](https://www.github.com/googleapis/google-api-go-client/issues/1063) [#1060](https://www.github.com/googleapis/google-api-go-client/issues/1060)
* **internal:** [AIP-4111] support scopes for self-signed JWT auth flow ([#1075](https://www.github.com/googleapis/google-api-go-client/issues/1075)) ([29cab68](https://www.github.com/googleapis/google-api-go-client/commit/29cab68ebd5b9ca017503baf46d91a29f8e84716))

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
- Update the GAPIC clients to allow scope for self-signed JWT
- The self-signed JWT is now the default authentication method for service account instead of OAuth 2.0
- Self-signed JWT AIP: https://google.aip.dev/auth/4111
- Related PRs:
  - googleapis/google-api-go-client#1075
  - golang/oauth2#504
  - aip-dev/google.aip.dev#764
(a) The scope for self-signed JWT flow is enabled (EnableJwtWithScope == true)
(b) Custom audiences are explicitly provided by users
(c) No scopes are provided at all
More information for self-signed JWT at: https://google.aip.dev/auth/4111
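
Conditions (a) to (c) above determine which claim a locally signed token carries. The Go code below is an added example, not code from google-api-go-client or golang/oauth2; `pickClaim`, `selfSignedJWT`, `demoKey`, the precedence between the conditions, the claim layout (`iss`, `sub`, `iat`, `exp` plus exactly one of `aud` or `scope`) and all sample values are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// pickClaim maps conditions (a)-(c) to the single claim to embed (names and precedence assumed).
func pickClaim(enableJwtWithScope bool, customAud, defaultAud string, scopes []string) (name, value string) {
	switch {
	case customAud != "": // (b) audience explicitly provided by the user
		return "aud", customAud
	case len(scopes) == 0: // (c) no scopes at all: use the default audience
		return "aud", defaultAud
	case enableJwtWithScope: // (a) scoped self-signed JWT is enabled
		return "scope", strings.Join(scopes, " ")
	}
	return "", "" // not applicable: caller uses the OAuth 2.0 token exchange
}

// selfSignedJWT mints an RS256 token locally; no token endpoint is contacted.
func selfSignedJWT(key *rsa.PrivateKey, kid, email, name, value string, now time.Time) (string, error) {
	if (name != "aud" && name != "scope") || value == "" {
		return "", fmt.Errorf("self-signed JWT needs a non-empty aud or scope claim")
	}
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]interface{}{"iss": email, "sub": email, name: value, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key, never a real credential

func main() {
	name, value := pickClaim(true, "", "https://example.invalid/", []string{"scope-a", "scope-b"})
	fmt.Println(selfSignedJWT(demoKey, "constructed-key-id", "svc@example.invalid", name, value, time.Now()))
}
```

Because the token is signed with the service account's private key and never exchanged at a token endpoint, whoever holds that key can assert any scope or audience the receiving API accepts, so key storage and rotation carry the full weight of the credential.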