Figure out what to do about the relationship between ADC and JWT credentials. #29
Comments
@bjwatson @anthmgoogle I'd really appreciate your input on this as well.
@jonparrott What are the core differences between
@dhermes it's important to look at the conceptual differences:

This is where the differences in implementation come from:

- Scopes are only valid in an OAuth 2.0 context. JWT authentication exists separately from the OAuth 2.0 authorization framework.
- The audience for a service account's claims is always the OAuth 2.0 token endpoint. The audience for JWT credentials is the service's API endpoint, because this is where the JWT will be sent.
- The
- As mentioned above, subject is used for delegation. JWT credentials will always use the service account name as the subject for Google APIs, but could use a different subject for custom APIs (the subject can be set on the constructor, or with `with_claims`).
- Because it may be useful to pass more claims along to the service endpoint / ESP frontend. The set of claims for service account credentials is defined by an RFC, so there is less need for those to be customized.
I am 👎 on a THIRD umbrella class for ADC. I'd prefer instead a simple way to promote
@dhermes I'm with you. I just wanted to sanity check with others first. So

```python
if isinstance(credentials, service_account.Credentials):
    credentials = credentials.to_jwt_credentials()
```

Not sure what the promoter should be called/should live? (Note that
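As an added example (not code from the google-auth project or from any participant in this thread), the Python stand-ins below make the claim-set differences described above concrete and include the `isinstance` promotion step just proposed: the service-account assertion carries `scope` and is addressed to the token endpoint, while the JWT credential is addressed to the API endpoint and names the service account as subject. The classes `ServiceAccountCredentials` and `JWTCredentials`, the functions `promote_for_api` and `to_jwt_credentials`, the token-endpoint URL, and the sample key, email and API audience are hypothetical or constructed; HS256 with a shared secret stands in for the library's RS256 signing so the code runs offline.

```python
# Added example: minimal stand-ins for the two credential types discussed in
# this thread. Not the google-auth library's code. HS256 with a constructed
# shared key replaces RS256 with the service account's private key so that the
# example runs offline.
import base64
import hashlib
import hmac
import json
import time

# OAuth 2.0 token endpoint that a service-account assertion is addressed to
# (value assumed for illustration).
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes) -> str:
    """Serialize and sign a claim set as a compact JWS (HS256 stand-in for RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token: str, key: bytes, expected_audience: str) -> dict:
    """Verify signature and audience as a receiving endpoint would, then return the claims."""
    header, payload, sig = token.split(".")
    expected_sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected_sig), sig):
        raise ValueError("JWT signature does not verify")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != expected_audience:
        raise ValueError(f"JWT audience {claims.get('aud')!r} is not {expected_audience!r}")
    return claims


class ServiceAccountCredentials:
    """Hypothetical stand-in for service_account.Credentials: builds the JWT-bearer
    assertion exchanged at the token endpoint, so aud is always TOKEN_ENDPOINT and
    the requested scopes travel in the claim set."""

    def __init__(self, email: str, key: bytes, scopes=(), subject=None):
        self.email = email
        self.key = key
        self.scopes = tuple(scopes)
        self.subject = subject  # only set when delegating to a user

    def with_scopes(self, scopes):
        return ServiceAccountCredentials(self.email, self.key, scopes, self.subject)

    def assertion_claims(self, now: int) -> dict:
        claims = {"iss": self.email, "aud": TOKEN_ENDPOINT,
                  "scope": " ".join(self.scopes), "iat": now, "exp": now + 3600}
        if self.subject:
            claims["sub"] = self.subject  # delegation target
        return claims

    def to_jwt_credentials(self, audience: str, additional_claims=None):
        """The promoter proposed in this thread (name taken from the proposal)."""
        return JWTCredentials(self.email, self.key, audience, additional_claims)


class JWTCredentials:
    """Hypothetical stand-in for jwt.Credentials: the signed JWT itself is the bearer token."""

    def __init__(self, email: str, key: bytes, audience: str, additional_claims=None, subject=None):
        self.email = email
        self.key = key
        self.audience = audience  # the API endpoint the token is sent to
        self.subject = subject or email  # defaults to the service account itself
        self.additional_claims = dict(additional_claims or {})

    def with_claims(self, audience=None, subject=None, additional_claims=None):
        merged = {**self.additional_claims, **(additional_claims or {})}
        return JWTCredentials(self.email, self.key, audience or self.audience, merged, subject or self.subject)

    def token_claims(self, now: int) -> dict:
        # No scope claim: scopes belong to the OAuth 2.0 exchange, not to this token.
        return {**self.additional_claims, "iss": self.email, "sub": self.subject,
                "aud": self.audience, "iat": now, "exp": now + 3600}

    def token(self, now=None) -> str:
        return encode_jwt(self.token_claims(now if now is not None else int(time.time())), self.key)


def promote_for_api(credentials, api_audience: str):
    """ADC-side step proposed above: promote service-account credentials for APIs that take a raw JWT."""
    if isinstance(credentials, ServiceAccountCredentials):
        return credentials.to_jwt_credentials(api_audience)
    return credentials


# Constructed sample values (not a real key, account or API).
SAMPLE_KEY = b"constructed-shared-secret-for-demo-only"
SAMPLE_EMAIL = "demo-sa@example-project.iam.gserviceaccount.com"
SAMPLE_API = "https://api.example.invalid/"

if __name__ == "__main__":
    now = int(time.time())
    sa = ServiceAccountCredentials(SAMPLE_EMAIL, SAMPLE_KEY).with_scopes(["https://www.googleapis.com/auth/cloud-platform"])
    print("assertion claims:", sa.assertion_claims(now))
    creds = promote_for_api(sa, SAMPLE_API)
    print("verified JWT claims:", decode_jwt(creds.token(now), SAMPLE_KEY, SAMPLE_API))
```

Running the module prints the two claim sets side by side; the `decode_jwt` audience check is what makes the audience difference matter in practice, since a token minted for the API endpoint will be rejected if presented to the token endpoint and vice versa.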
I am for

Cool, that's the plan unless someone else feels strongly otherwise.

Closing as we've come up with a plan. #35 will track the implementation of the plan.
Issue description:

We have `jwt.Credentials` in order to support the small set of APIs that support directly using a JWT as the bearer token (only BigTable right now, as far as I know).

In oauth2client, `_JWTAccessCredentials` (the equivalent of our `jwt.Credentials`) will actually return an instance of `ServiceAccountCredentials` if `create_scoped` is called (here). This was done so that `GoogleCredentials.get_application_default` can return a class that works for all APIs (here).

For some reference, the Java library just returns regular service account credentials with ADC (here). The other auth libraries also seem to just return service account credentials.

So what should we do here? I see a few options:

1. `google.oauth2.service_account.Credentials`), make users explicitly construct `jwt.Credentials` if that's what they want. Optionally provide an easy way to convert service account credentials to JWT credentials.
2. `jwt.Credentials` and `Scoped` that behaves like `oauth2client`.