
fix: Add scope for Credentials #517

Merged (3 commits, Apr 19, 2024)

Conversation

ttosta-google
Contributor

The OAuth scopes should be set for the credentials.

When the scopes are missing, the following error is seen (from GoogleCloudPlatform/spring-cloud-gcp#2788):

Caused by: com.google.auth.oauth2.GoogleAuthException: Error getting access token for service account: 400 Bad Request
POST https://oauth2.googleapis.com/token
***"error":"invalid_scope","error_description":"Invalid OAuth scope or ID token audience provided."***, iss: github-actions-ci@spring-cloud-gcp-ci.iam.gserviceaccount.com
	at com.google.auth.oauth2.GoogleAuthException.createWithTokenEndpointResponseException(GoogleAuthException.java:129)
	at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:538)
	at com.google.auth.oauth2.OAuth2Credentials$1.call(OAuth2Credentials.java:270)
	at com.google.auth.oauth2.OAuth2Credentials$1.call(OAuth2Credentials.java:267)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at com.google.auth.oauth2.OAuth2Credentials$RefreshTask.run(OAuth2Credentials.java:635)
	at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:31)
	at com.google.auth.oauth2.OAuth2Credentials$AsyncRefreshResult.executeIfNew(OAuth2Credentials.java:582)
	at com.google.auth.oauth2.OAuth2Credentials.asyncFetch(OAuth2Credentials.java:233)
	at com.google.auth.oauth2.OAuth2Credentials.refreshIfExpired(OAuth2Credentials.java:204)
	at com.google.cloud.alloydb.DefaultAccessTokenSupplier.getTokenValue(DefaultAccessTokenSupplier.java:55)
	at com.google.cloud.alloydb.ConnectionSocket.metadataExchange(ConnectionSocket.java:234)
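The scoping this PR adds, shown as an added example that is not the connector's own code: it assumes Application Default Credentials resolve to a service-account JSON key, and that the cloud-platform scope (named only informally in the discussion below) is the one to apply.

```java
// Added example (not the alloydb-java-connector code): refresh an access
// token with and without scopes to reproduce the invalid_scope failure above.
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.util.Collections;

public final class ScopedCredentialsExample {
  // Assumption: the broad cloud-platform scope is the one the discussion means.
  static final String CLOUD_PLATFORM_SCOPE =
      "https://www.googleapis.com/auth/cloud-platform";

  /**
   * Returns credentials able to mint an access token. Scopes are applied only
   * when the credential type reports that it needs them (createScopedRequired()
   * is true for a service-account key with no scopes), so credential types that
   * already carry scopes are left untouched.
   */
  static GoogleCredentials scopeIfNeeded(GoogleCredentials credentials) {
    if (credentials.createScopedRequired()) {
      return credentials.createScoped(Collections.singletonList(CLOUD_PLATFORM_SCOPE));
    }
    return credentials;
  }

  public static void main(String[] args) throws IOException {
    GoogleCredentials raw = GoogleCredentials.getApplicationDefault();

    // Before: an unscoped service-account credential. Refreshing it is what
    // produced the "400 Bad Request ... invalid_scope" response quoted above.
    if (raw.createScopedRequired()) {
      try {
        raw.refreshAccessToken();
        System.out.println("unexpected: unscoped refresh succeeded");
      } catch (IOException e) {
        System.out.println("unscoped refresh failed: " + e.getMessage());
      }
    }

    // After: the same credential with the scope applied refreshes normally.
    AccessToken token = scopeIfNeeded(raw).refreshAccessToken();
    System.out.println("scoped refresh ok, expires " + token.getExpirationTime());
  }
}
```

Run it with GOOGLE_APPLICATION_CREDENTIALS pointing at a service-account key to observe both branches; with credentials that already carry scopes, only the second refresh runs.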

@jackwotherspoon
Contributor

Is this a new requirement for the metadata exchange?

None of our other repos are currently adding the login scope? Python Connector

@ttosta-google
Contributor Author

The login scope is really only used for IAM Authentication. So it was removed for now.

@jackwotherspoon
Contributor

So we haven't been adding the cloud-platform scope to credentials this entire time? How has the Connector been working then?

@enocom
Member

enocom commented Apr 19, 2024

This is a detail of the Java credentials library AFAIK. In some situations, the cloud platform scope must be added implicitly.

Meanwhile, the token scope isn't strictly required for IAM Authn.

@ttosta-google ttosta-google merged commit 5268ce3 into main Apr 19, 2024
16 checks passed
@ttosta-google ttosta-google deleted the fix-scope branch April 19, 2024 17:01