Consider implementing OpenID Connect ID Token-based credentials for service accounts #130

Closed
theacodes opened this issue Mar 14, 2017 · 7 comments

Comments

@theacodes
Contributor

This would satisfy the Identity-aware Proxy use case as well as a few other niche cases that have come up.

Context:
https://gist.github.com/jonparrott/cffca2fa7881e03fbe6ff7c25773c9cf
https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/make_iap_request.py#L121

/cc @matthewg

@theacodes
Contributor Author

theacodes commented Mar 14, 2017

I have no idea what to name this thing:

  • google.oauth2.oidc.Credentials could work, but since these are specific to service accounts that seems weird.
  • google.oauth2.service_account.IDTokenCredentials
  • google.oauth2.service_account.OIDCCredentials makes me hurt.
  • google.oauth2.openid_connect.ServiceAccountCredentials ew.
  • google.oauth2.oidc.service_account.Credentials?

IDK. Thoughts @dhermes @lukesneeringer @matthewg?

@dhermes
Contributor

dhermes commented Mar 15, 2017

google.oauth2.service_account.IDTokenCredentials 👍

@theacodes
Contributor Author

/cc @tswast

@ensonic

ensonic commented Sep 14, 2017

+1. This is right now not straightforward at all and is required for
https://cloud.google.com/endpoints/docs/openapi/service-to-service-auth#enabling_a_calling_service_to_make_authenticated_calls

@FranOis

FranOis commented Dec 12, 2017

@jonparrott I'm not sure I understand all the consequences, but I was playing around thinking OpenID would work, and it seems like the only thing that needs to change is to switch from access_token to id_token in https://github.com/GoogleCloudPlatform/google-auth-library-python/blob/master/google/oauth2/_client.py#L147

Like I said, I have no idea what the other uses of that class are, but I did something very simple to get there. The credentials.json is for a service account in my project that has roles/servicemanagement.serviceConsumer:

from google.oauth2 import service_account
from google.auth.transport.requests import AuthorizedSession

# Load the service account key file (the account has roles/servicemanagement.serviceConsumer).
credentials = service_account.Credentials.from_service_account_file(
    'credentials.json')

# The Endpoints URL is passed where an OAuth scope would normally go, so it
# ends up in the JWT assertion sent to the token endpoint.
scoped_credentials = credentials.with_scopes(
    ['http://URL_FOR_MY_CLOUD_ENDPOINTS'])

# AuthorizedSession fetches the token and attaches it as a Bearer header on every request.
authed_session = AuthorizedSession(scoped_credentials)

response = authed_session.get('http://URL_FOR_MY_CLOUD_ENDPOINTS/hello')

print(response.json())
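The mechanism FranOis describes above, the JWT bearer grant returning an id_token rather than an access_token once the assertion carries a target audience instead of a scope, as an added example that is not part of this issue or of google-auth-library-python. It assumes Google's current token endpoint URL, a caller-supplied RS256 signer (a stand-in signer is used so the script runs offline; production code signs with the service account's private key), and constructed values for the service account email, key id and audience. The claim check at the end is the relying-party side (the IAP- or Endpoints-protected service) and deliberately covers only iss/aud/exp; signature verification against Google's published keys is left to a library call such as google.oauth2.id_token.verify_token.

```python
"""Service-account OIDC ID token flow (JWT bearer grant), added example."""
import base64
import json
import time
from typing import Callable, Dict

# Google's OAuth 2.0 token endpoint; it is also the `aud` of the assertion JWT.
TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Issuer values Google uses in the ID tokens it mints.
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(header: Dict, payload: Dict, signer: Callable[[bytes], bytes]) -> str:
    """Serialise header.payload.signature; `signer` signs the ASCII signing input."""
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_payload(jwt: str) -> Dict:
    """Return the claims WITHOUT verifying the signature (inspection only)."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def build_id_token_assertion(sa_email: str, key_id: str, target_audience: str,
                             signer: Callable[[bytes], bytes], now: int = None) -> str:
    """Assertion for the ID token flow. Compared with the access-token flow the
    only difference in the claims is `target_audience` in place of `scope`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    payload = {
        "iss": sa_email,
        "sub": sa_email,
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,
        # This claim makes the endpoint mint an ID token whose `aud` is this value.
        "target_audience": target_audience,
    }
    return encode_jwt(header, payload, signer)


def token_request_body(assertion: str) -> Dict[str, str]:
    """Form body POSTed to TOKEN_URI (same grant type as the access-token flow)."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def extract_id_token(token_response: Dict) -> str:
    """The existing client reads `access_token`; this flow must read `id_token`."""
    if "id_token" not in token_response:
        raise ValueError("token endpoint returned no id_token; got keys: %s"
                         % sorted(token_response))
    return token_response["id_token"]


def check_id_token_claims(id_token: str, expected_audience: str, now: int = None) -> Dict:
    """Relying-party claim checks, to run AFTER the RS256 signature has been
    verified against Google's public keys (google.oauth2.id_token.verify_token
    does both in production)."""
    now = int(time.time()) if now is None else now
    claims = decode_payload(id_token)
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer: %r" % claims.get("iss"))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch: %r" % aud)
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def demo() -> Dict:
    """Stand-alone run with a stand-in signer and constructed identifiers."""
    stub_signer = lambda data: b"stand-in-signature"  # production: RSA-SHA256 with the SA key
    assertion = build_id_token_assertion(
        "caller@my-project.iam.gserviceaccount.com", "key-1",
        "https://my-endpoint.example", stub_signer, now=1500000000)
    return decode_payload(assertion)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The library change FranOis points at (reading id_token instead of access_token from the token response) is the only client-side difference once the assertion carries target_audience; everything else in the flow is shared, which is why the thread settles on a separate credentials class rather than altering the existing one.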

@theacodes
Contributor Author

@FranOis that's basically the gist of it. We'd just want a new credentials class to avoid messing with any of the existing ones.

@theacodes
Contributor Author

Closed by #234

@yoshi-automation yoshi-automation added triage me I really want to be triaged. 🚨 This issue needs some love. labels Apr 7, 2020