Add subject argument to credentials_service_account() #131
Allows domain wide delegation to be used with service accounts by passing subject parameter.
Can you link me to any docs to educate myself better about this?
Domain-wide delegation is needed, for example, when using the Google Admin SDK Directory API via a service account as explained here: https://developers.google.com/admin-sdk/directory/v1/guides/delegation. In order to sign requests correctly, a "sub" parameter is passed to the JWT. httr has incorporated the "sub" parameter into its "oauth_service_token" function which passes the parameter on to the "TokenServiceAccount$new" function to sign the request correctly. All that is needed is for Gargle's "credentials_service_account" function to accept and pass on that parameter to httr's service account functions. More info on domain-wide delegation is here: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority. "sub" stands for "subject" so I used that as the parameter, but they could just match instead. https://google-auth.readthedocs.io/en/latest/reference/google.oauth2.service_account.html. Thanks!
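The JWT claim set this comment describes, as an added example that is not part of the thread and is not gargle or httr code: it builds the claims with and without "sub" and reads the subject back out of an assertion, which is how an auditor can tell which user a service-account request acts as. The service account email, user address and function names are constructed for illustration, and the RS256 signature segment (made with the service account's private key) is left out.

```python
import base64
import json
import time

# Google's OAuth 2.0 token endpoint, used as the JWT audience.
TOKEN_URL = "https://oauth2.googleapis.com/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding before decoding a JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_claims(issuer, scopes, subject=None, now=None, lifetime=3600):
    """Claim set for a service-account assertion; 'sub' only when delegating."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "scope": " ".join(scopes), "aud": TOKEN_URL,
              "iat": now, "exp": now + lifetime}
    if subject is not None:
        claims["sub"] = subject  # the user whose authority is being borrowed
    return claims


def signing_input(claims) -> str:
    """header.claims, the string that is then signed with RS256."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))


def delegated_subject(assertion: str):
    """Return the user an assertion acts as, or None when there is no 'sub'."""
    parts = assertion.split(".")
    if len(parts) not in (2, 3):
        raise ValueError("not a JWT or JWT signing input")
    return json.loads(b64url_decode(parts[1])).get("sub")


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    sa = "sa@example-project.iam.gserviceaccount.com"
    scope = ["https://www.googleapis.com/auth/admin.directory.user.readonly"]
    for who in (None, "admin@example.com"):
        token = signing_input(build_claims(sa, scope, subject=who))
        print(who, "->", delegated_subject(token))
```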
Is this a possibility?
My lack of response just means I'm trying to get googlesheets4 ready for release and then will come here. Because, in fact, gargle must release first. So I'll be back here soon!
From reading Python examples and docs, it seems like we should follow their convention and name this argument
subject
argument to credentials_service_account.R
@samterfa Are you happy with where this ended up? I'll leave unmerged for a bit in case you have comments, but then I'll merge and move on.
Cc @jimhester I think this is relevant to gmailr. Remember when we were looking into whether a service account could be used with Gmail? And we concluded that it's possible but probably would not be common, since it requires delegation of domain-wide authority to the service account. This PR now makes this possible. Not sure if gmailr can use this immediately (I doubt it), but you might want to enable / document next time you do work there.
@jennybc Looks great. I really appreciate it!