feat: support self-signed jwt in requests and urllib3 transports #679
Conversation
google-cla
bot
added
the
cla: yes
| def test_authorized_session_with_service_account_and_self_signed_jwt(): | ||
| credentials, project_id = google.auth.default() | ||
|
|
||
| credentials = credentials.with_scopes( | ||
| scopes=[], | ||
| default_scopes=["https://www.googleapis.com/auth/pubsub"], | ||
| ) | ||
|
|
||
| session = google.auth.transport.requests.AuthorizedSession( | ||
| credentials=credentials, default_host="pubsub.googleapis.com" | ||
| ) | ||
|
|
||
| # List Pub/Sub Topics through the REST API | ||
| # https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/list | ||
| response = session.get("https://pubsub.googleapis.com/v1/projects/{}/topics".format(project_id)) | ||
| response.raise_for_status() | ||
|
|
||
| # Check that self-signed JWT was created and is being used | ||
| assert credentials._jwt_credentials is not None | ||
| assert credentials._jwt_credentials.token == credentials.token |
There was a problem hiding this comment.
I initially tried to write this test with the Storage API, but requests seemed to fail with invalid credentials (a test with the service account passed).
Are there any APIs where the self-signed JWT approach won't work? @bshaffer
| @@ -313,6 +314,9 @@ def my_cert_callback(): | |||
| refreshing credentials. If not passed, | |||
| an instance of :class:`~google.auth.transport.requests.Request` | |||
| is created. | |||
| default_host (Optional[str]): A host like "pubsub.googleapis.com". | |||
There was a problem hiding this comment.
I have a little bit concern about setting the default_host in ctor. There are 2 default endpoints, for instance, pubsub.googleapis.com and pubsub.mtls.googleapis.com. mtls has auto switch logic to switch from the regular endpoint to mtls endpoint. It works as follows:
(1) client creates an AuthorizedSession
(2) client calls AuthorizedSession.is_mtls (with other conditions like the GOOGLE_API_USE_CLIENT_CERTIFICATE env var) to decide which endpoint to use
So this means in the AuthorizedSession ctor, we may not know exactly which default endpoint will be used. So if both endpoints use the regular endpoint as the audience, then this code works fine. Otherwise, we need to find a way.
There was a problem hiding this comment.
mtls only works with user credentials, so this should be fine since service account credentials will be rejected by the server anyway.
busunkim96
changed the title
busunkim96
changed the title
busunkim96
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
Follow up to #665.
Allow self-signed JWT flow to be used in the
requestsandurllib3transports if adefault_hostis provided. I don't think any of our clients wrap theurllib3transport, but a good number of handwritten libraries (Storage for example) usesAuthorizedSessionfromrequests.