diff options
| author | Chaoren <chaorenliu@google.com> | 2021-07-14 11:02:10 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-07-14 15:02:10 +0000 |
| commit | 0e264092e35ac02ad68d5d91424ecba5397daa41 (patch) | |
| tree | cee3f4ed3f9706967bc228420c7553554f253963 | |
| parent | 2f5c3a636192c20cf4c92c3831d1f485031d24d2 (diff) | |
| download | google-auth-library-python-0e264092e35ac02ad68d5d91424ecba5397daa41.tar.gz | |
feat: service account is able to use a private token endpoint (#784)
In [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect), users can use an endpoint which is private to their VPC network. The request is eventually routed to the oauth2.googleapis.com/token so the "aud" in the assertion still should be oauth2.googleapis.com/token.
After this change, service account can send requests to the private endpoint (if configured) and still use the oauth2.googleapis.com/token in the assertion.
| -rw-r--r-- | google/oauth2/service_account.py | 5 | ||||
| -rw-r--r-- | tests/oauth2/test_service_account.py | 4 | ||||
| -rw-r--r-- | tests_async/oauth2/test_service_account_async.py | 10 |
3 files changed, 13 insertions, 6 deletions
diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py index dd36589..8f18f26 100644 --- a/google/oauth2/service_account.py +++ b/google/oauth2/service_account.py @@ -80,6 +80,7 @@ from google.auth import jwt from google.oauth2 import _client _DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds +_GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token" class Credentials( @@ -382,7 +383,7 @@ class Credentials( # The issuer must be the service account email. "iss": self._service_account_email, # The audience must be the auth token endpoint's URI - "aud": self._token_uri, + "aud": _GOOGLE_OAUTH2_TOKEN_ENDPOINT, "scope": _helpers.scopes_to_string(self._scopes or ()), } @@ -643,7 +644,7 @@ class IDTokenCredentials(credentials.Signing, credentials.CredentialsWithQuotaPr # The issuer must be the service account email. "iss": self.service_account_email, # The audience must be the auth token endpoint's URI - "aud": self._token_uri, + "aud": _GOOGLE_OAUTH2_TOKEN_ENDPOINT, # The target audience specifies which service the ID token is # intended for. "target_audience": self._target_audience, diff --git a/tests/oauth2/test_service_account.py b/tests/oauth2/test_service_account.py index 5852d37..370438f 100644 --- a/tests/oauth2/test_service_account.py +++ b/tests/oauth2/test_service_account.py @@ -167,7 +167,7 @@ class TestCredentials(object): token = credentials._make_authorization_grant_assertion() payload = jwt.decode(token, PUBLIC_CERT_BYTES) assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL - assert payload["aud"] == self.TOKEN_URI + assert payload["aud"] == service_account._GOOGLE_OAUTH2_TOKEN_ENDPOINT def test__make_authorization_grant_assertion_scoped(self): credentials = self.make_credentials() @@ -440,7 +440,7 @@ class TestIDTokenCredentials(object): token = credentials._make_authorization_grant_assertion() payload = jwt.decode(token, PUBLIC_CERT_BYTES) assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL - assert payload["aud"] == self.TOKEN_URI + assert payload["aud"] == service_account._GOOGLE_OAUTH2_TOKEN_ENDPOINT assert payload["target_audience"] == self.TARGET_AUDIENCE @mock.patch("google.oauth2._client.id_token_jwt_grant", autospec=True) diff --git a/tests_async/oauth2/test_service_account_async.py b/tests_async/oauth2/test_service_account_async.py index 4079453..3dce13d 100644 --- a/tests_async/oauth2/test_service_account_async.py +++ b/tests_async/oauth2/test_service_account_async.py @@ -152,7 +152,10 @@ class TestCredentials(object): token = credentials._make_authorization_grant_assertion() payload = jwt.decode(token, test_service_account.PUBLIC_CERT_BYTES) assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL - assert payload["aud"] == self.TOKEN_URI + assert ( + payload["aud"] + == service_account.service_account._GOOGLE_OAUTH2_TOKEN_ENDPOINT + ) def test__make_authorization_grant_assertion_scoped(self): credentials = self.make_credentials() @@ -311,7 +314,10 @@ class TestIDTokenCredentials(object): token = credentials._make_authorization_grant_assertion() payload = jwt.decode(token, test_service_account.PUBLIC_CERT_BYTES) assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL - assert payload["aud"] == self.TOKEN_URI + assert ( + payload["aud"] + == service_account.service_account._GOOGLE_OAUTH2_TOKEN_ENDPOINT + ) assert payload["target_audience"] == self.TARGET_AUDIENCE @mock.patch("google.oauth2._client_async.id_token_jwt_grant", autospec=True) |