Change authentication method to use OIDC identity tokens #322
Conversation
deadlycoconuts
force-pushed
the
make_sdk_use_openid_connect_id_tokens
branch
from
8ff79b4
to
7f354db
Compare
deadlycoconuts
changed the title
sdk/turing/session.py
Outdated
| from google.auth.transport.requests import Request | ||
| from google.auth.transport.urllib3 import urllib3, AuthorizedHttp | ||
|
|
||
| # Load default credentials | ||
| credentials, _ = google.auth.default(scopes=TuringSession.OAUTH_SCOPES) | ||
| credentials = get_default_id_token_credentials(target_audience="turing-sdk.caraml") |
There was a problem hiding this comment.
How is the target_audience expected to be used on the auth server? Or is it currently unused?
There was a problem hiding this comment.
It is unused right now. But we can set up the RequestAuthentication resource to validate the aud field which this target_audience field would translate into in the jwt token generated for service accounts. CMIIW @mbruner
There was a problem hiding this comment.
I see.. I wonder if we should simply call it "sdk.caraml" in order to not distinguish each SDK.
There was a problem hiding this comment.
I'm fine with any name to be honest 😅 sdk.caraml it shall be then!
deadlycoconuts
force-pushed
the
make_sdk_use_openid_connect_id_tokens
branch
from
4926c06
to
c7a98b3
Compare
| @@ -1,7 +1,7 @@ | |||
| cloudpickle==2.0.0 | |||
| deprecation==2.1.0 | |||
| fire | |||
| google-auth>=1.11.0 | |||
| google-auth>=2.16.2 | |||
There was a problem hiding this comment.
Updated this since this version is used in caraml-auth-google.
|
Thank you for the comments! I've just updated the name of the target audience. Will be merging this soon! |
Context
As of present, authentication is performed by the Merlin and Turing SDKs using Google OAuth 2.0 access tokens (generated after authentication with Google's OAuth server) that are added to the headers of requests sent to the Turing API server. These tokens are then used by an internal proxy which will validate the access token and then retrieve the user profile information from the Google API.
However, in keeping with the move of the Google Identity Services client library from OAuth 2.0 access tokens to Google OpenID Connect (OIDC) identity tokens, we are similarly replacing the use of the former for the latter. These tokens generated would similarly be added to the headers of requests sent to the Turing API server to be validated internally.
A utils module
caraml_authin the packagecaraml-auth-googlehas been created in the CaraML SDK repository to provide this new method of authentication.This PR serves to update the existing authentication method used by the Turing SDK.
Changes
In
sdk/turing/session.py, the Turing SDK will import and use the functionget_default_id_token_credentialsprovided by thecaraml-auth-googlepackage: