-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add self signed jwt support #572
Conversation
Codecov Report
@@ Coverage Diff @@
## master #572 +/- ##
============================================
+ Coverage 83.32% 83.45% +0.12%
- Complexity 571 594 +23
============================================
Files 41 41
Lines 2645 2695 +50
Branches 274 286 +12
============================================
+ Hits 2204 2249 +45
- Misses 301 303 +2
- Partials 140 143 +3
Continue to review full report at Codecov.
|
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
@bshaffer Hi Brent, could you take a look? |
Don't merge until cl/356594013 is fully rolled out. |
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
Outdated
Show resolved
Hide resolved
cl/356594013 is fully rolled out. Tested the change with pubsub regional endpoint and it worked fine. |
oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
Outdated
Show resolved
Hide resolved
🤖 I have created a release \*beep\* \*boop\* --- ## [0.25.0](https://www.github.com/googleapis/google-auth-library-java/compare/v0.24.1...v0.25.0) (2021-03-16) ### Features * add self signed jwt support ([#572](https://www.github.com/googleapis/google-auth-library-java/issues/572)) ([efe103a](https://www.github.com/googleapis/google-auth-library-java/commit/efe103a2e688ca915ec9925a72c49bb2a1b3c3b5)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
@arithmetic1728 @bshaffer It seems that this commit (the only change between 0.24.1 and 0.25.0) broke the Java sample projects. GoogleCloudPlatform/java-docs-samples#4903 Would you look into the failures? I've invited both of you to "Yoshi Java" chat room. |
It also broke Spring Cloud GCP by way of bigquery, config, storage and vision: https://github.com/GoogleCloudPlatform/spring-cloud-gcp/actions/runs/664693361 |
@arithmetic1728, when merging PRs, could you please use helpful commit messages? You wrote so much good content for this PR, but then it is mostly just garbage on the commit itself: efe103a |
@ejona86 Yep, I will edit the commit message in the future when merging PR. Thank you for pointing it out. |
This PR adds self signed jwt support (https://google.aip.dev/auth/4111). Googlers see this go/yoshi-self-signed-jwt for more details. If user uses service account credentials, and doesn't provide custom endpoint/scopes/audience, then self signed jwt should be used. Since custom endpoint is now supported (cl/356594013) and users cannot provide default audience for
ServiceAccountCredentials
, we automatically use self signed jwt if scopes are not provided by the users.Details
We add a new
defaultScopes
(for client lib) toGoogleCredentials
to distinguish with the existingscopes
(for users), and updated the subclasses.AppEngineCredentials
,ComputeEngineCredentials
classes,defaultScopes
will used ifscopes
is not provided, there are no other changes.ServiceAccountCredentials
, ifscopes
is not provided, then aServiceAccountJWTAccessCredentials
instance will be created insideServiceAccountCredentials
, and will be used for self signed jwt.defaultScopes
has no effect.When self signed jwt is used for service account credentials, in
getRequestMetadata(uri)
, we replace the uri with itshttp(s)://{host_name}/
prefix. For instance, http client normally passes uri likehttps://compute.googleapis.com/compute/v1/projects/
, but the correct audience should behttps://compute.googleapis.com/
.Follow up PRs
It will be trivial changes to gax-java and client libs to integrate this feature.
This PR shows how gax-java integrates the feature. gax-java just needs to pass
defaultScopes
to the auth lib.This PR shows how GAPIC client integrates the feature. GAPIC client just needs to pass the default scopes via
setDefaultScopes
instead ofsetScopesToApply
.