Skip to content

Commit

Permalink
fix(internal): don't self-sign JWT when an endpoint provided (#847)
Browse files Browse the repository at this point in the history
  • Loading branch information
codyoss authored Jan 29, 2021
1 parent 1dc7dac commit 55f262c
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions internal/creds.go
Original file line number Diff line number Diff line change
Expand Up @@ -65,8 +65,9 @@ const (
// credentialsFromJSON returns a google.Credentials based on the input.
//
// - A self-signed JWT auth flow will be executed if: the data file is a service
// account, no user are scopes provided, an audience is provided, and
// credentials will not be impersonated.
// account, no user are scopes provided, an audience is provided, a user
// specified endpoint is not provided, and credentials will not be
// impersonated.
//
// - Otherwise, executes a stanard OAuth 2.0 flow.
func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*google.Credentials, error) {
Expand All @@ -78,7 +79,8 @@ func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*g
if len(data) == 0 ||
len(ds.Scopes) > 0 ||
(ds.DefaultAudience == "" && len(ds.Audiences) == 0) ||
ds.ImpersonationConfig != nil {
ds.ImpersonationConfig != nil ||
ds.Endpoint != "" {
return cred, nil
}

Expand Down

0 comments on commit 55f262c

Please sign in to comment.