Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: fix wrong scopes for self signed jwt #935

Merged
merged 2 commits into from Jun 28, 2021
Merged

fix: fix wrong scopes for self signed jwt #935

merged 2 commits into from Jun 28, 2021

Conversation

arithmetic1728
Copy link
Collaborator

@arithmetic1728 arithmetic1728 commented Jun 26, 2021
edited

Fixes: #929

When auth library creates self signed jwt, it looks for scopes, audience and default_scopes in order, and uses the first one available.

In the transport base class, we are using self.AUTH_SCOPES as scopes if scopes are not provided. This is not right.

gapic-generator-python/gapic/templates/%namespace/%name_%version/%sub/services/%service/transports/base.py.j2

Line 114 in ceb64d9

self._scopes = scopes or self.AUTH_SCOPES

This is not right since self.AUTH_SCOPES should be only used as default_scopes. self.AUTH_SCOPES may contain only a generic "https://www.googleapis.com/auth/cloud-platform" scope, for instance for all the failed APIs listed in this issue. If it is used as scopes in self signed jwt, the samples may fail with invalid scopes. For the success APIs, the AUTH_SCOPES of kms contains an additional https://www.googleapis.com/auth/cloudkms scope so it has no problem; the other two API are mysterious to me since they are using the same generic scope in AUTH_SCOPES as the failed APIs.

The fix is simple. We just need to change self._scopes = scopes or self.AUTH_SCOPES to self._scopes = scopes in the transport base class. Note that self.AUTH_SCOPES is already passed to grpc channel as default_scopes.

gapic-generator-python/gapic/templates/%namespace/%name_%version/%sub/services/%service/transports/grpc.py.j2

Lines 208 to 217 in ceb64d9

return grpc_helpers.create_channel(
host,
credentials=credentials,
credentials_file=credentials_file,
quota_project_id=quota_project_id,
default_scopes=cls.AUTH_SCOPES,
scopes=scopes,
default_host=cls.DEFAULT_HOST,
**kwargs
)

I tested the PR for all the failed APIs, now all the samples passed (I didn't update the unit test, so kokoro would fail in these PRs):
googleapis/python-speech#189
googleapis/python-asset#215
googleapis/python-videointelligence#171
googleapis/python-analytics-data#95

I also tested the secret_manager and automl APIs, their samples still pass with this fix.
googleapis/python-secret-manager#141
googleapis/python-automl#179

@google-cla google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Jun 26, 2021
@arithmetic1728 arithmetic1728 marked this pull request as ready for review June 26, 2021 01:40
@arithmetic1728 arithmetic1728 requested a review from a team as a code owner June 26, 2021 01:40
@arithmetic1728 arithmetic1728 mentioned this pull request Jun 26, 2021
Closed
This was referenced Jun 26, 2021
Closed
Merged
Merged
Closed
Merged
@busunkim96 busunkim96 mentioned this pull request Jun 28, 2021
Closed
@arithmetic1728 arithmetic1728 merged commit e033acd into master Jun 28, 2021
@arithmetic1728 arithmetic1728 deleted the jwt_fix branch June 28, 2021 17:00
This was referenced Jan 18, 2022
Merged
Closed
Closed
This was referenced Jan 26, 2022
Closed
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@busunkim96 busunkim96 busunkim96 approved these changes

@parthea parthea Awaiting requested review from parthea

@software-dov software-dov Awaiting requested review from software-dov

Assignees
No one assigned
Labels
cla: yes This human has signed the Contributor License Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

403 permission denied errors in some libraries with always_use_jwt_access = True
2 participants
@arithmetic1728 @busunkim96