Add EndUserCredentials and implement get_default_google_credentials#42
Merged
mergify[bot] merged 2 commits intoEmbarkStudios:mainfrom Aug 7, 2021
Merged
Add EndUserCredentials and implement get_default_google_credentials#42mergify[bot] merged 2 commits intoEmbarkStudios:mainfrom
mergify[bot] merged 2 commits intoEmbarkStudios:mainfrom
Conversation
Along the way to support EmbarkStudios#39, we need to support the gcloud application_default_credentials.json / EndUserCredential format. The flow is pretty similar to a ServiceAccount, but with a couple differences: - You can't specify scopes dynamically (the scopes are assigned at authorization time, not access token / refresh time) - The endpoint isn't included (but oauth2.googleapis.com/token is the de facto endpoint) - After some period of time the refresh token is invalid, and you need to re-run `gcloud auth application-default login` (which sadly isn't check-able upfront, as the file doesn't store an `expires_in`) field. I tested this out manually with a build of gcsfuser that does the full Google default credentials flow. Next up: I'll move that logic here into tame-oauth for everyone to use.
Now that we support all three flavors of OAuth credentials (Service Account, gcloud ADC file, and Metadata server), we can do the full "check this, then that, then that" flow that client libraries use (as requested in EmbarkStudios#39). With this change, getting the right `TokenProvider` is now just a call to get_default_google_credentials(). Then the `get_token` and `parse_token_response` work as expected. This change does *not* yet handle caching. I think caching should move out of the ServiceAccount handler and into its own generic "I can cache anything" TokenProvider (CachedTokenProvider?).
Jake-Shadle
approved these changes
Aug 7, 2021
Member
Jake-Shadle
left a comment
Jake-Shadle
left a comment
There was a problem hiding this comment.
LGTM, I'll merge this for now and probably just do some minor cleanup in a separate branch before doing a release. Thanks for another PR!
boulos
added a commit
to GoogleCloudPlatform/gcsfuser
that referenced
this pull request
Aug 10, 2021
After adding Metadata server support in [1] and an initial "do the entire credential flow" in [2] that are in 0.6, gcsfuser now supports auth "correctly". I verified that on GCE the metadata server caches tokens for you, but I'm still hoping we do [3] to avoid even issuing the http request. [1] EmbarkStudios/tame-oauth#40 [2] EmbarkStudios/tame-oauth#42 [3] EmbarkStudios/tame-oauth#45
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
As requested in #39 , I added just enough to do the full default credentials flow. I haven't tested it on Windows, but I believe :).
Note: I am intentionally ignoring App Engine Standard v1 and Cloud Functions (since Rust doesn't run there), as well as legacy gcloud ADC locations. As a surprising bonus, I learned that the golang client doesn't respect the CLOUDSDK_CONFIG environment variable (so I'll probably go contribute this back to them).
Please take a thorough look, especially if there's a cleaner way to do the enum and static dispatch stuff (and I didn't work hard on a name, since I assume we'll discuss it now).