fetch_id_token credential lookup is inconsistent with default credentials #728

Closed
thinkerbot opened this issue Apr 5, 2021 · 4 comments
@thinkerbot

Environment details

  • OS: linux
  • Python version: 3.9.1
  • pip version: 20.3.3
  • google-auth version: 1.27.0

Steps to reproduce

Please double check but looks like...

  1. In the docs/implementation of google.auth.default() the check for GOOGLE_APPLICATION_CREDENTIALS occurs first, before checking the various metadata services.

  2. In the docs/implementation of google.oauth2.id_token.fetch_id_token the check for GOOGLE_APPLICATION_CREDENTIALS occurs second, after checking the various metadata services. There are other inconsistencies, like no mention of application-default-credentials, but the ENV variable stands out.

I'm guessing fetch_id_token should use the lookup sequence that default uses, as that one appears consistent with what is described in the gcp docs.

Possibly solved if this is solved: #590 (Generate id_token from default credentials)
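
An added illustration, not part of the original issue and not google-auth code: a small model of the two lookup sequences as the report describes them, enumerating which combinations of available credential sources make `google.auth.default()` and `fetch_id_token` resolve to different identities. The source names and the simplified three-source list are assumptions of this model.

```python
from itertools import product

# Lookup sequences as described in the issue (a simplified model, not library source).
# Assumption: "gcloud_adc" stands for the gcloud application-default credentials file,
# which the issue says fetch_id_token does not mention at all.
DEFAULT_ORDER = ["env_var", "gcloud_adc", "metadata_server"]
FETCH_ID_TOKEN_ORDER = ["metadata_server", "env_var"]
SOURCES = ["env_var", "gcloud_adc", "metadata_server"]


def resolve(order, available):
    """Return the first source in `order` that is present, or None."""
    for source in order:
        if source in available:
            return source
    return None


def compare(available):
    """Return (source used by default(), source used by fetch_id_token)."""
    return resolve(DEFAULT_ORDER, available), resolve(FETCH_ID_TOKEN_ORDER, available)


def divergent_environments():
    """List every combination of available sources where the two lookups disagree."""
    findings = []
    for flags in product([False, True], repeat=len(SOURCES)):
        available = frozenset(s for s, on in zip(SOURCES, flags) if on)
        picked_default, picked_id_token = compare(available)
        if picked_default != picked_id_token:
            findings.append((sorted(available), picked_default, picked_id_token))
    return findings


if __name__ == "__main__":
    for available, picked_default, picked_id_token in divergent_environments():
        print(f"{available}: default -> {picked_default}, "
              f"fetch_id_token -> {picked_id_token}")
```

The case that matters for access control is a workload with both GOOGLE_APPLICATION_CREDENTIALS set and a metadata server reachable: API calls run as the key file's service account while the ID token is minted for the instance's attached identity.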

@yoshi-automation added the "triage me" label Apr 6, 2021
@thinkerbot
Author

Also fwiw, in #590 there is a link to airflow where it looks like they do something very similar to what google.auth.default() does, but results in IDTokenCredentials objects. Might be a good reference point for this.

https://github.com/apache/airflow/blob/master/airflow/providers/google/common/utils/id_token_credentials.py

@arithmetic1728
Contributor

@thinkerbot I will take a look. Thanks!

@busunkim96
Contributor

@arithmetic1728 Could you triage this to appease the bot? 😄

@arithmetic1728
Contributor

I think maybe we can introduce a new method to create an id token credentials out of the default credentials, for instance, def create_id_token_credentials(creds, audience), so users can do:

creds, _ = google.auth.default()
id_token_creds = create_id_token_credentials(creds, audience)

Let's close this one and use #590 for tracking instead.
