Skip to content

feat: Support retrieving ID Token from IAM endpoint for ServiceAccountCredentials #1433

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lqiu96 merged 14 commits into from
Aug 29, 2024
Merged

feat: Support retrieving ID Token from IAM endpoint for ServiceAccountCredentials #1433

lqiu96 merged 14 commits into from
Aug 29, 2024

Conversation

@lqiu96
Copy link
Member

@lqiu96 lqiu96 commented Jul 9, 2024
edited
Loading

See b/340613207 for more information.

@product-auto-label product-auto-label bot added the size: m Pull request size is medium. label Jul 9, 2024
@product-auto-label product-auto-label bot added size: l Pull request size is large. and removed size: m Pull request size is medium. labels Jul 10, 2024
@product-auto-label product-auto-label bot added size: m Pull request size is medium. and removed size: l Pull request size is large. labels Jul 10, 2024
@product-auto-label product-auto-label bot added size: l Pull request size is large. and removed size: m Pull request size is medium. labels Jul 11, 2024
zhumin8
zhumin8 reviewed Jul 11, 2024
View reviewed changes
Copy link
Contributor

@zhumin8 zhumin8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The high level logic seems reasonable to me, still trying to get a better understanding of the id-token workflow. I will give it a second try after I do some readings on the context.

oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java Outdated

@Test
public void idTokenWithAudience_incorrect() throws IOException {
public void idTokenWithAudience_oauthFlow_incorrect() throws IOException {
Copy link
Contributor

@zhumin8 zhumin8 Jul 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe something like idTokenWithAudience_oauthFlow_incorrectAudience() to be more specific on the test?

Copy link
Member Author

@lqiu96 lqiu96 Jul 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good, will update!

@lqiu96 lqiu96 marked this pull request as ready for review July 11, 2024 21:08
@lqiu96 lqiu96 requested a review from a team as a code owner July 11, 2024 21:08
zhumin8
zhumin8 reviewed Jul 23, 2024
View reviewed changes
Copy link
Contributor

@zhumin8 zhumin8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
only a few nit picks.

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
String assertion =
createAssertionForIdToken(
jsonFactory, currentTime, tokenServerUri.toString(), targetAudience);
createAssertionForIdToken(currentTime, tokenServerUri.toString(), targetAudience);
Copy link
Contributor

@zhumin8 zhumin8 Jul 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For readability, perhaps rename tokenServerUri tooauthIdTokenUri in parallel to iamIdTokenUri?

Copy link
Member Author

@lqiu96 lqiu96 Jul 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tokenServerUri has getters and setters that match the variable name. I think it would be too confusing to change the variable name.

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
Comment on lines +628 to +631
URI iamIdTokenUri =
URI.create(
String.format(
OAuth2Utils.IAM_ID_TOKEN_ENDPOINT_FORMAT, getUniverseDomain(), clientEmail));
Copy link
Contributor

@zhumin8 zhumin8 Jul 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Can we be consistent with iamIdTokenUri and tokenServerUri? either both declare as class variable or both inside respective get endpoint method.

Copy link
Member Author

@lqiu96 lqiu96 Jul 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tokenServerUri is a customizable from setters and can't be declared as a class variable. iamIdTokenUri probably can be initialized in the constructor and I'll move it up there.

Copy link
Member Author

@lqiu96 lqiu96 Jul 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On second thought, getUniverseDomain() throws an IOException and adding a checked exception to the constructor is a breaking change. I think it would be better to leave it here.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jul 23, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@lqiu96 lqiu96 requested a review from westarle July 31, 2024 21:55
arithmetic1728
arithmetic1728 approved these changes Aug 21, 2024
View reviewed changes
Copy link
Contributor

@arithmetic1728 arithmetic1728 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sonarqubecloud
Copy link

sonarqubecloud bot commented Aug 29, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@lqiu96 lqiu96 merged commit 4fcf83e into main Aug 29, 2024
@lqiu96 lqiu96 deleted the id_token_support branch August 29, 2024 15:26
@release-please release-please bot mentioned this pull request Aug 29, 2024
Merged
@release-please release-please bot mentioned this pull request Dec 11, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zhumin8 zhumin8 zhumin8 left review comments

@westarle westarle Awaiting requested review from westarle

+1 more reviewer

@arithmetic1728 arithmetic1728 arithmetic1728 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size: l Pull request size is large.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lqiu96 @zhumin8 @arithmetic1728