feat: allow scopes for self signed jwt #776
Conversation
elif audience:
    self._jwt_credentials = jwt.Credentials.from_signing_credentials(
        self, audience
    )
I think the way google-api-core is written, it will always pass through an audience (https://github.com/googleapis/python-api-core/blob/155da5e18cc2fdcfa57de6f956b7d078e79cd4b7/google/api_core/grpc_helpers.py#L249-L251), and the elif self._default_scopes case will never be reached.
Is it necessary to distinguish between the "default" audience and a user-defined audience? It looks like Cody asked a question about this in the doc as well.
I think it is fine that self._default_scopes is never reached. We can just leave it here for logic completeness.
We don't need to distinguish a default audience and a user-defined audience. If the user doesn't provide the scope but provides the audience, then they are responsible for ensuring that the audience is correct.
This doc implements https://google.aip.dev/auth/4111. Internal doc: go/yoshi-self-signed-jwt-phase-2.
The main feature here is that we can now use the scope claim in self-signed JWTs. This PR does the following 2 things:
(1) Add an always_use_jwt_access property to service account credentials to allow opt-in for the feature.
(2) If always_use_jwt_access is True, then apply the following logic. If alwaysUseJwtAccess is False, the logic is the same as before; if True, then we can always use a self-signed JWT with scopes or audience.
This PR has been tested with python-kms, googleapis/python-kms#122.
The follow-up PR in the python microgenerator is: googleapis/gapic-generator-python#920
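As an added illustration (not code from google-auth, google-api-core or this PR), the following stand-alone Python models the branch order the reviewers discuss above (scopes first, then audience, then default scopes) and shows which claim ends up in the self-signed JWT payload in each case, including the case the reviewer raised: when the caller always supplies an audience, the default-scopes branch is never taken. The function names, the HMAC-SHA256 signing (a stand-in for RS256 so the example runs with only the standard library), the assumed behaviour when always_use_jwt_access is False, and the service account email, scope and audience strings are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def select_jwt_claim(always_use_jwt_access, scopes, default_scopes, audience):
    """Model of the branch order described in the PR (not google-auth's own code).

    Returns the one claim that would go into the self-signed JWT as a
    (claim_name, value) tuple, or None when no self-signed JWT is built.
    """
    if always_use_jwt_access:
        if scopes:
            return ("scope", " ".join(scopes))
        if audience:
            return ("aud", audience)
        if default_scopes:  # only reachable when the caller passed no audience
            return ("scope", " ".join(default_scopes))
        return None
    # always_use_jwt_access is False: the PR says behaviour is unchanged.
    # Assumed here: a self-signed JWT is built for an explicit audience only
    # when the caller requested no scopes.
    if audience and not scopes:
        return ("aud", audience)
    return None


def build_self_signed_jwt(issuer, claim, key, now=None, lifetime=3600):
    """Assemble header.payload.signature for a service-account style JWT.

    HMAC-SHA256 with a shared key is used purely so the example runs offline;
    real service-account JWTs are RS256-signed with the account's private key.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": issuer, "iat": now, "exp": now + lifetime}
    name, value = claim
    payload[name] = value  # exactly one of "scope" or "aud" per AIP-4111
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_and_decode(token, key):
    """Check the HMAC and return the payload; raises ValueError on a bad signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    # All values below are constructed for the example.
    KEY = b"constructed-demo-key"
    ISSUER = "sa@example-project.iam.gserviceaccount.com"
    AUDIENCE = "https://example.googleapis.com/"  # what a gapic client would pass through
    CLOUD_SCOPE = ["https://www.googleapis.com/auth/cloud-platform"]

    # Reviewer's scenario: audience always supplied, so default scopes are never used.
    print(select_jwt_claim(True, None, CLOUD_SCOPE, AUDIENCE))      # ('aud', ...)
    # User-provided scopes win over the audience.
    claim = select_jwt_claim(True, CLOUD_SCOPE, None, AUDIENCE)      # ('scope', ...)
    token = build_self_signed_jwt(ISSUER, claim, KEY)
    print(json.dumps(verify_and_decode(token, KEY), indent=2))
```

Running the module prints the decoded payload, where the `scope` claim is present and `aud` is absent; swapping the key in `verify_and_decode` raises `ValueError`, which is the check a verifier must make before trusting either claim.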