feat: generate a default audience for clients #475
This option will be used to generate self-signed JWTs when the client is authenticated with a service account and the user does not provide additional scopes. Also, now marking the generated scopes as default so we can distinguish between generated and user provided scopes. Related: googleapis/google-api-go-client#738
Before this PR is merged:
cc @bshaffer
No comment on the JWT semantics, but the Go looks fine. Some minor, non-blocking suggestions.
// generateDefaultAudience transforms a host into a an audience that can be used | ||
// as the `aud` claim in a JWT. | ||
func generateDefaultAudience(host string) string { |
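Review bot: The doc comment on generateDefaultAudience has a duplicated article ("a an audience") and does not say what form of `host` is accepted (bare hostname, host with port, or a value carrying a scheme or path) or what shape the returned audience takes. Because the result is used as the `aud` claim in a JWT, the comment should state the expected input and output, and say whether a host containing a path is stripped or rejected, with a test case covering that input.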
Are we guaranteed that the host is a proper host (i.e. doesn't have a path)? I'd be inclined to defensively remove it (and include that in tests).
Guaranteed, no. But it does not happen today I can fairly certainly say. On L63 of this file we append `:443` to the end of the host. If there were path fragments this should be an invalid host and the client would not be able to talk to the backend.
Looks great! Thanks!