google/externalaccount: add support for workforce pool credentials #520
Conversation
|
This PR (HEAD: 7969d9b) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/oauth2/+/353393 to see it. Tip: You can toggle comments from me using the |
|
Message from Bassam Ojeil: Patch Set 1: (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
…@; adding unit testing; go fmt
|
This PR (HEAD: 2c06da4) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/oauth2/+/353393 to see it. Tip: You can toggle comments from me using the |
…rProject:"myProject"}
|
This PR (HEAD: 0a7e112) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/oauth2/+/353393 to see it. Tip: You can toggle comments from me using the |
|
Message from Ryan Kohler: Patch Set 3: (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Cody Oss: Patch Set 3: Run-TryBot+1 Code-Review+2 Trust+1 Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Go Bot: Patch Set 3: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Go Bot: Patch Set 3: TryBot-Result+1 (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Tyler Bui-Palsulich: Patch Set 3: Trust+1 Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Bassam Ojeil: Patch Set 3: (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
This PR (HEAD: 930d60d) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/oauth2/+/353393 to see it. Tip: You can toggle comments from me using the |
|
Message from Ryan Kohler: Patch Set 3: (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Ryan Kohler: Patch Set 4: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Bassam Ojeil: Patch Set 4: Code-Review+1 (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
This PR (HEAD: a6dc5eb) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/oauth2/+/353393 to see it. Tip: You can toggle comments from me using the |
|
Message from Ryan Kohler: Patch Set 5: (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Cody Oss: Patch Set 5: Run-TryBot+1 Code-Review+2 Trust+1 Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Go Bot: Patch Set 5: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Go Bot: Patch Set 5: TryBot-Result+1 (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
|
Message from Bassam Ojeil: Patch Set 5: Code-Review+1 Please don’t reply on this GitHub thread. Visit golang.org/cl/353393. |
Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5eb GitHub-Pull-Request: #520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <[email protected]> Reviewed-by: Bassam Ojeil <[email protected]> Trust: Cody Oss <[email protected]> Trust: Tyler Bui-Palsulich <[email protected]> Run-TryBot: Cody Oss <[email protected]> TryBot-Result: Go Bot <[email protected]>
|
This PR is being closed because golang.org/cl/353393 has been merged. |
Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5eb GitHub-Pull-Request: golang#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <[email protected]> Reviewed-by: Bassam Ojeil <[email protected]> Trust: Cody Oss <[email protected]> Trust: Tyler Bui-Palsulich <[email protected]> Run-TryBot: Cody Oss <[email protected]> TryBot-Result: Go Bot <[email protected]>
Workforce pools (external account credentials for non-Google users) are
organization-level resources which means that issued workforce pool tokens
will not have any client project ID on token exchange as currently designed.
"To use a Google API, the client must identify the application to the server.
If the API requires authentication, the client must also identify the principal
running the application."
The application here is the client project. The token will identify the user
principal but not the application. This will result in APIs rejecting requests
authenticated with these tokens.
Note that passing a x-goog-user-project override header on API request is
still not sufficient. The token is still expected to have a client project.
As a result, we have extended the spec to support an additional
workforce_pool_user_project for these credentials (workforce pools) which will
be passed when exchanging an external token for a Google Access token. After the
exchange, the issued access token will use the supplied project as the client
project. The underlying principal must still have serviceusage.services.use
IAM permission to use the project for billing/quota.
This field is not needed for flows with basic client authentication (e.g. client
ID is supplied). The client ID is sufficient to determine the client project and
any additionally supplied workforce_pool_user_project value will be ignored.
Note that this feature is not usable yet publicly.