Adding "auth" and "auth/gcp" packages #160
Merged
darrenmcc
reviewed
Nov 4, 2018
darrenmcc
approved these changes
Nov 4, 2018
A few little things but looks good
As devs move away from marvin and App Engine 1st generation and back to the land of gizmo with the 2nd generation, we need some tools to replace GAE's auth mechanisms for internal and external traffic. This is the first iteration of tools to fill this need.
The auth package provides a new interface for servers who will be verifying inbound signed JWTs. This is meant to be the server side version of oauth2.TokenSource.
Two major implementations are being added, one for IAM and one for Google identity tokens. These are supported by helper functions for parsing JWKS responses from URL or directly from JSON.
To make things easier on the users, the auth package is also introducing a new Verifier type, that will be composed of a PublicKeySource and helper functions for decoding and verifying inbound tokens.

For the client side of things, the gcp package also introduces an oauth2.TokenSource for IAM and the Identity token.

There are a handful of other handy functions and tools to help tie everything together. I hope to add more soon that will reduce the amount of (already minimal) configuration required along with tools to make local and test environments easier to work with.
Both IAM and Identity are being provided because we prefer to use Identity tokens in GCP, but they aren't available in the 1st generation runtime. The IAM tools provided are meant to be a bridge for users migrating large projects over to the 2nd generation runtime, one service at a time.
Side note: I decided to go against using other JWT libraries as they have been taking a more generic approach and allow for multiple forms of crypto. We're just using the rsa.PublicKey in both of our use cases so I took a more opinionated approach.