Enhancement request: Support for SignedJwtAssertionCredentials-like authentication, as used by Google BigQuery #119
Comments
@craigcitro have you used this auth flow? |
yes -- we totally want to support service accounts. i believe @siddarthaB already has or nearly has some working code on this front? (last i heard he needed to get a crypto-related patch upstreamed ...) |
and of course by @siddarthaB i meant @siddharthab. sid, how far along is this? |
It's working really smooth. I extended httr::Token2.0 with overridden methods for refresh and init_credentials, and disabled caching. And I have a different class for the app object which holds the private key (PKCS1, 8 or 12). Also working smooth for GCE accounts which get authorised automatically on package load. I am using libssl and libcrypto directly. Just cleaning up the documentation before I send for review but I can demo tomorrow if you want. |
That's good news. I am happy to give it a spin as well, if there is a On 17 July 2014 17:23, Siddhartha Bagaria notifications@github.com wrote:
Regards, |
@siddharthab I'd love to see some code, even if it is rough. |
Sorry I got busy with my main project and could not give much love to this one last week. Currently, the code is part of the GoogleGenomics package, but I am moving it to a new WIP GoogleAPI package right now. I will respond in the next few hours with a link. |
Code is checked in without any documentation at https://github.com/siddharthab/GoogleAPI
What you want to do after loading the package is
oAuthParams <- readClientSecrets('<json file downloaded from Google for service account>', scopes='<character vector of scope URIs>')
token <- getOAuthToken(oAuthParams) |
Docs at: https://developers.google.com/accounts/docs/OAuth2ServiceAccount
@siddharthab, @craigcitro any thoughts on implementing the key signing without using libssl + libcrypto? That's going to be hard for a CRAN package. |
I don't think I will trust an arbitrary encryption library. In my opinion, libssl is important. FWIW, I also added necessary support to the PKI package in R - s-u/PKI#1. But we will most likely not depend on PKI and provide our own infra as in https://github.com/siddharthab/GoogleAPI/blob/master/src/rsa.c |
@siddharthab Ok, it looks like I'll be able to build on top of PKI (unfortunately OpenSSL provided by the windows cran builder is OpenSSL/1.0.0, published March 2010) |
@siddharthab @craigcitro if either of you happen to know the author of "Using OAuth 2.0 for Server to Server Applications", a complete example in "Computing the signature" (e.g. including sample private keys), would be really useful for validating output. And a pointer to the definition of base64url wouldn't go astray - I think I've managed to reverse engineer it with help from @siddharthab's code (translate |
First pass at infrastructure in b79ca91 |
I have all the pieces working, but I'm getting an "invalid_grant" error when I attempt to get a token. Any ideas? |
The grant is sensitive to spaces, etc. It will help if you could compare intermediary outputs from my code and yours, and get them to be byte equivalent. If it does not work, I can take a stab at running your code and debugging. |
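Added example, not part of the thread and not httr's or GoogleAPI's code: a sketch of the base64url step asked about above (RFC 4648 section 5 alphabet with the `=` padding stripped, as JWS does) and of the byte-for-byte comparison of intermediate outputs suggested in the reply. The function names, the service-account address and the timestamp are constructed for illustration; the claim fields follow the service-account document linked in the thread, and the RS256 signing step itself is left out.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """RFC 4648 section 5 alphabet ('-' and '_'), '=' padding stripped as in JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWS strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(iss, scopes, aud, iat, compact=True):
    """Return '<header>.<claim set>', the exact bytes that get RS256-signed."""
    sep = (",", ":") if compact else (", ", ": ")
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": iss, "scope": " ".join(scopes), "aud": aud,
              "exp": iat + 3600, "iat": iat}
    return ".".join(b64url(json.dumps(part, separators=sep).encode("utf-8"))
                    for part in (header, claims))

def first_difference(mine: str, theirs: str):
    """Return None if byte-identical, else (segment, offset, mine_ctx, theirs_ctx)."""
    pa, pb = mine.split("."), theirs.split(".")
    if len(pa) != len(pb):
        return "segment count", 0, mine.encode(), theirs.encode()
    for name, a, b in zip(("header", "claims", "signature"), pa, pb):
        da, db = b64url_decode(a), b64url_decode(b)
        if da != db:
            # First index where the decoded bytes disagree (or where one ends).
            off = next((i for i, (x, y) in enumerate(zip(da, db)) if x != y),
                       min(len(da), len(db)))
            lo = max(0, off - 8)
            return name, off, da[lo:off + 8], db[lo:off + 8]
    return None

# Constructed sample values; only AUD and the scope URI appear in the thread.
ISS = "example@developer.gserviceaccount.com"
SCOPES = ["https://www.googleapis.com/auth/userinfo.profile"]
AUD = "https://accounts.google.com/o/oauth2/token"
IAT = 1405600000

if __name__ == "__main__":
    ours = signing_input(ISS, SCOPES, AUD, IAT)
    other = signing_input(ISS, SCOPES, AUD, IAT, compact=False)
    print(first_difference(ours, ours))
    print(first_difference(ours, other))
```

Feeding it the `header.claims` strings produced by two implementations shows which segment diverges and at which decoded byte, which is quicker than eyeballing the encoded text.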
@siddharthab I've checked the If that fails, I'll do a step-by-step comparison of the output from your code and my code. |
Sure, actually I can do the step by step comparison too. I will reply by tonight. |
Sent you #158.
secrets <- jsonlite::fromJSON("Genomics-47c75176507d.json")
scope <- "https://www.googleapis.com/auth/userinfo.profile"
payload <- httr:::jwt_signature(secrets, scope)
token_uri <- "https://accounts.google.com/o/oauth2/token"
grant_type <- "urn:ietf:params:oauth:grant-type:jwt-bearer"
httr::POST(token_uri, body=list(grant_type=grant_type, assertion=payload)) |
Handy server-side auth type for Google BigQuery, as described below, using a client ID and a keystore:
https://developers.google.com/bigquery/authorization#service-accounts-server