feat: allow scopes for self signed jwt #689

Merged
merged 6 commits into from Jul 14, 2021

@arithmetic1728 arithmetic1728 commented Jun 22, 2021

This PR allows self signed jwt to use scopes.
AIP: https://google.aip.dev/auth/4111
googlers see: go/yoshi-self-signed-jwt-phase-2

In ServiceAccountCredentials, this PR now uses JwtCredentials instead of ServiceAccountJwtCredentials. As a result, this PR reverted the changes made to ServiceAccountJwtCredentials in #572 #642 so the ServiceAccountJwtCredentials is the same as what it was before phase 1.

The current behavior for ServiceAccountCredentials is:

if (hasScopes):
    if (useJwtAccessWithScope):
        // create a self signed JWT with "scope" set to the scope
    else:
        // call oauth token endpoint
else:
    // create a self signed JWT with modified uri as the audience

Follow up PRs:
(1) gax-java: googleapis/gax-java#1420
(2) gapic-generator-java: it will be a very simple change, same as https://github.com/arithmetic1728/java-kms/pull/2/files. Since Gapic clients will always set scopes, once self signed JWT is enabled in the future, it will always use self signed JWT with scope claim.

This PR has been tested with cloudkms: https://github.com/arithmetic1728/java-kms/pull/2/files
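
The three branches from the PR description above, as an added example that is not code from this PR or from the library: it signs a JWT with a throwaway RSA key using only the JDK and prints the claims each branch produces. The class and method names, the key id, the service account email, the audience URI, the one-hour lifetime and setting `iss`/`sub` to the service account email are assumptions; the JSON is built by plain concatenation only because every value is a constructed constant.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.List;

public class SelfSignedJwtDemo { // hypothetical class, not part of the library
  private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

  /** Returns a signed JWT, or null when the OAuth token endpoint must be called instead. */
  static String selfSignedJwt(PrivateKey key, String keyId, String email,
      List<String> scopes, boolean useJwtAccessWithScope, String audience) throws Exception {
    boolean hasScopes = scopes != null && !scopes.isEmpty();
    if (hasScopes && !useJwtAccessWithScope) {
      return null; // scopes without the opt-in flag: exchange at the OAuth token endpoint
    }
    String grant = hasScopes // scopes: space-delimited "scope" claim; none: "aud" claim
        ? "\"scope\":\"" + String.join(" ", scopes) + "\""
        : "\"aud\":\"" + audience + "\"";
    long now = Instant.now().getEpochSecond();
    String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"" + keyId + "\"}";
    String payload = "{\"iss\":\"" + email + "\",\"sub\":\"" + email + "\"," + grant
        + ",\"iat\":" + now + ",\"exp\":" + (now + 3600) + "}"; // assumed 1 h lifetime
    String signingInput = B64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
        + B64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
    Signature rsa = Signature.getInstance("SHA256withRSA");
    rsa.initSign(key);
    rsa.update(signingInput.getBytes(StandardCharsets.UTF_8));
    return signingInput + "." + B64.encodeToString(rsa.sign());
  }

  static String payloadOf(String jwt) { // decode the claims for inspection
    return jwt == null ? "(no JWT: call OAuth token endpoint)"
        : new String(Base64.getUrlDecoder().decode(jwt.split("\\.")[1]), StandardCharsets.UTF_8);
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    PrivateKey key = gen.generateKeyPair().getPrivate(); // throwaway key for the demo
    String email = "demo-sa@example-project.iam.gserviceaccount.com"; // constructed
    List<String> scopes = List.of("https://www.googleapis.com/auth/cloud-platform");
    String aud = "https://cloudkms.googleapis.com/"; // assumed audience URI
    System.out.println(payloadOf(selfSignedJwt(key, "kid-1", email, scopes, true, aud)));
    System.out.println(payloadOf(selfSignedJwt(key, "kid-1", email, scopes, false, aud)));
    System.out.println(payloadOf(selfSignedJwt(key, "kid-1", email, List.of(), false, aud)));
  }
}
```

In the first and third cases the token is minted locally with the private key and no request goes to the OAuth token endpoint, so the key file is the only thing standing between a holder and a valid bearer token for the stated scope or audience.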

@google-cla google-cla bot added the cla: yes label Jun 22, 2021
@TimurSadykov TimurSadykov self-requested a review Jun 24, 2021
@arithmetic1728 arithmetic1728 marked this pull request as ready for review Jun 29, 2021
@arithmetic1728 arithmetic1728 requested a review from as a code owner Jun 29, 2021
@arithmetic1728 arithmetic1728 merged commit f4980c7 into master Jul 14, 2021
15 checks passed
@arithmetic1728 arithmetic1728 deleted the self_signed_jwt branch Jul 14, 2021
lsirac added a commit that referenced this issue Jul 22, 2021
…oundaries (#698)

* feat: Adding functional tests for Service Account  (#685)

ServiceAccountCredentials tests for 4110

* feat: allow scopes for self signed jwt (#689)

* feat: self signed jwt support

* update

* address comments

* allow to use uri as audience

* address comments

* chore: release 0.27.0 (#678)

🤖 I have created a release \*beep\* \*boop\*
---
## [0.27.0](https://www.github.com/googleapis/google-auth-library-java/compare/v0.26.0...v0.27.0) (2021-07-14)


### Features

* add Id token support for UserCredentials ([#650](https://www.github.com/googleapis/google-auth-library-java/issues/650)) ([5a8f467](https://www.github.com/googleapis/google-auth-library-java/commit/5a8f4676630854c53aa708a9c8b960770067f858))
* add impersonation credentials to ADC  ([#613](https://www.github.com/googleapis/google-auth-library-java/issues/613)) ([b9823f7](https://www.github.com/googleapis/google-auth-library-java/commit/b9823f70d7f3f7461b7de40bee06f5e7ba0e797c))
* Adding functional tests for Service Account  ([#685](https://www.github.com/googleapis/google-auth-library-java/issues/685)) ([dfe118c](https://www.github.com/googleapis/google-auth-library-java/commit/dfe118c261aadf137a3cf47a7acb9892c7a6db4d))
* allow scopes for self signed jwt ([#689](https://www.github.com/googleapis/google-auth-library-java/issues/689)) ([f4980c7](https://www.github.com/googleapis/google-auth-library-java/commit/f4980c77566bbd5ef4c532acb199d7d484dbcd01))
---


This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

* test: adds integration tests for downscoping with credential access boundaries

Co-authored-by: Timur Sadykov <stim@google.com>
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
lsirac added a commit that referenced this issue Jul 26, 2021
…s_in (#699)

* feat: Adding functional tests for Service Account  (#685)

ServiceAccountCredentials tests for 4110

* feat: allow scopes for self signed jwt (#689)

* feat: self signed jwt support

* update

* address comments

* allow to use uri as audience

* address comments

* chore: release 0.27.0 (#678)

🤖 I have created a release \*beep\* \*boop\*
---
## [0.27.0](https://www.github.com/googleapis/google-auth-library-java/compare/v0.26.0...v0.27.0) (2021-07-14)


### Features

* add Id token support for UserCredentials ([#650](https://www.github.com/googleapis/google-auth-library-java/issues/650)) ([5a8f467](https://www.github.com/googleapis/google-auth-library-java/commit/5a8f4676630854c53aa708a9c8b960770067f858))
* add impersonation credentials to ADC  ([#613](https://www.github.com/googleapis/google-auth-library-java/issues/613)) ([b9823f7](https://www.github.com/googleapis/google-auth-library-java/commit/b9823f70d7f3f7461b7de40bee06f5e7ba0e797c))
* Adding functional tests for Service Account  ([#685](https://www.github.com/googleapis/google-auth-library-java/issues/685)) ([dfe118c](https://www.github.com/googleapis/google-auth-library-java/commit/dfe118c261aadf137a3cf47a7acb9892c7a6db4d))
* allow scopes for self signed jwt ([#689](https://www.github.com/googleapis/google-auth-library-java/issues/689)) ([f4980c7](https://www.github.com/googleapis/google-auth-library-java/commit/f4980c77566bbd5ef4c532acb199d7d484dbcd01))
---


This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

* test: adds integration tests for downscoping with credential access boundaries

* fix: STS does not always return expires_in, fallback to source credential expiration for DownscopedCredentials

* fix: review

Co-authored-by: Timur Sadykov <stim@google.com>
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>