Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(auth): add universe domain support to idtoken #11059

Merged
merged 30 commits into from
Jan 7, 2025
Merged

feat(auth): add universe domain support to idtoken #11059

merged 30 commits into from
Jan 7, 2025

Conversation

quartzmo
Copy link
Member

@quartzmo quartzmo commented Oct 29, 2024
edited
Loading

Summary

IdToken flow can be done in two ways: 1) OAuth2 server calls or 2) IAM service calls. The majority of implementations went with the OAuth2 server calls. In non-GDU environments, however, there is no OAuth2 server, so the IAM implementation must be used. This is enabled as follows:

  • Move impersonatedIDTokenProvider.Token in auth/credentials/impersonate/idtoken.go to IDTokenIAMOptions.Token in auth/credentials/internal/impersonate/idtoken.go to enable reuse in auth/credentials/idtoken/iam.go.
  • Move formatIAMServiceAccountName in auth/credentials/impersonate/impersonate.go to FormatIAMServiceAccountResource in auth/internal/internal.go, for reuse.
  • In auth/credentials/idtoken/file.go introduce a conditional (resolveUniverseDomain(f) == internal.DefaultUniverseDomain) which if true sustains the existing behavior (auth.New2LOTokenProvider) and if false introduces the new non-GDU behavior in IDTokenIAMOptions.Token

Note that to use the IAM endpoint in a non-GDU environment, the service account must have the iam.serviceAccountTokenCreator role because the service account is not only the target service account, but also the caller; the Oauth2 endpoint doesn’t need this.

@quartzmo quartzmo force-pushed the auth-idtoken-universe-domain branch from ee34736 to 260aaaa Compare October 30, 2024 16:00
@quartzmo quartzmo force-pushed the auth-idtoken-universe-domain branch from 2b32c34 to 06969bb Compare October 30, 2024 16:02
@quartzmo quartzmo marked this pull request as ready for review October 31, 2024 17:01
@quartzmo quartzmo requested a review from a team as a code owner October 31, 2024 17:01
codyoss
codyoss reviewed Oct 31, 2024
View reviewed changes
@quartzmo quartzmo added the do not merge Indicates a pull request not ready for merge, due to either quality or timing. label Nov 1, 2024
@quartzmo quartzmo removed the do not merge Indicates a pull request not ready for merge, due to either quality or timing. label Jan 3, 2025
codyoss
codyoss approved these changes Jan 6, 2025
View reviewed changes
Copy link
Member

@codyoss codyoss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM to me overall. Just refactor a little to remove some now unnecessary structs.

@quartzmo quartzmo merged commit 72add7e into googleapis:main Jan 7, 2025
8 checks passed
@quartzmo quartzmo deleted the auth-idtoken-universe-domain branch January 7, 2025 17:20
@release-please release-please bot mentioned this pull request Jan 7, 2025
Merged
gcf-merge-on-green bot pushed a commit that referenced this pull request Jan 8, 2025
@release-please
chore(main): release auth 0.14.0 (#11325)
b9d92ad 
🤖 I have created a release *beep* *boop*
---


## [0.14.0](https://github.com/googleapis/google-cloud-go/compare/auth/v0.13.0...auth/v0.14.0) (2025-01-08)


### Features

* **auth:** Add universe domain support to idtoken ([#11059](https://github.com/googleapis/google-cloud-go/issues/11059)) ([72add7e](https://github.com/googleapis/google-cloud-go/commit/72add7e9f8f455af695e8ef79212a4bd3122fb3a))


### Bug Fixes

* **auth/oauth2adapt:** Update golang.org/x/net to v0.33.0 ([e9b0b69](https://github.com/googleapis/google-cloud-go/commit/e9b0b69644ea5b276cacff0a707e8a5e87efafc9))
* **auth:** Fix copy of delegates in impersonate.NewIDTokenCredentials ([#11386](https://github.com/googleapis/google-cloud-go/issues/11386)) ([ff7ef8e](https://github.com/googleapis/google-cloud-go/commit/ff7ef8e7ade7171bce3e4f30ff10a2e9f6c27ca0)), refs [#11379](https://github.com/googleapis/google-cloud-go/issues/11379)
* **auth:** Update golang.org/x/net to v0.33.0 ([e9b0b69](https://github.com/googleapis/google-cloud-go/commit/e9b0b69644ea5b276cacff0a707e8a5e87efafc9))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
@matgou matgou mentioned this pull request Feb 27, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@codyoss codyoss codyoss approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@quartzmo @codyoss