feat: support universe domain in service account and metadata credentials #482
Conversation
@@ -164,7 +164,7 @@ public function __construct( | |||
]); | |||
|
|||
$this->projectId = $jsonKey['project_id'] ?? null; | |||
$this->universeDomain = $jsonKey['universe_domain'] ?? null; | |||
$this->universeDomain = $jsonKey['universe_domain'] ?? self::DEFAULT_UNIVERSE_DOMAIN; |
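Review bot: the `+` line now falls back to self::DEFAULT_UNIVERSE_DOMAIN when the key file omits universe_domain, but nothing in this hunk rejects a non-default universe_domain combined with the `$sub` (domain-wide delegation) argument, which the discussion below identifies as required by AL9 of the universe domain spec; add that guard directly after this assignment, e.g. `if ($sub !== null && $this->universeDomain !== self::DEFAULT_UNIVERSE_DOMAIN) { throw new InvalidArgumentException(...); }`, and consider checking that the value read from the key is a non-empty string so a malformed key fails at construction rather than at token-fetch time. The constructor docblock should also state the googleapis.com default, as the Requirements checklist asks.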
Should we also throw in case there's domain-delegation?
I am not very sure but it appears that we need to throw (near line#146) in case sub as well as universe_domain is set in the key, as per AL9 of the universe domain spec.
Thank you for catching this, I completely missed it. PHP definitely supports domain-delegation
google-auth-library-php/src/Credentials/ServiceAccountCredentials.php
Lines 114 to 115 in b687d5e
* @param string $sub an email address account to impersonate, in situations when
* the service account has been delegated domain wide access.
I'll look more into it
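The two checks the thread settles on, as an added illustration that is not code from google-auth-library-php or this PR: the constructor falls back to the default universe when the key omits universe_domain, and it refuses the combination of a `$sub` (domain-wide delegation) argument with a non-default universe domain instead of minting a token the target universe will reject. The class name, the DEFAULT_UNIVERSE_DOMAIN constant, the exception type and the sample keys are assumptions made here; the library's real constructor signature may differ.

```php
<?php
// Added example, not the library's code. Models the universe-domain default
// and the sub + non-default-universe rejection discussed in the PR thread.
// Class name, constant and exception type are assumptions.

declare(strict_types=1);

final class UniverseAwareServiceAccountCredentials
{
    public const DEFAULT_UNIVERSE_DOMAIN = 'googleapis.com';

    private string $clientEmail;
    private string $universeDomain;
    private ?string $sub;

    /**
     * @param array<string,mixed> $jsonKey decoded service account key file
     * @param string|null $sub account to impersonate when the service account
     *                         has been delegated domain-wide access
     */
    public function __construct(array $jsonKey, ?string $sub = null)
    {
        if (!isset($jsonKey['client_email']) || !is_string($jsonKey['client_email'])) {
            throw new InvalidArgumentException('json key is missing "client_email"');
        }
        $this->clientEmail = $jsonKey['client_email'];

        // Default to googleapis.com when the key file has no universe_domain,
        // matching the `+` line of the hunk. Reject empty or non-string values
        // so a malformed key fails here rather than at token-fetch time.
        $universeDomain = $jsonKey['universe_domain'] ?? self::DEFAULT_UNIVERSE_DOMAIN;
        if (!is_string($universeDomain) || $universeDomain === '') {
            throw new InvalidArgumentException('"universe_domain" must be a non-empty string');
        }
        $this->universeDomain = $universeDomain;

        // The thread's reading of the universe domain spec (AL9): domain-wide
        // delegation together with a non-default universe must throw.
        if ($sub !== null && $this->universeDomain !== self::DEFAULT_UNIVERSE_DOMAIN) {
            throw new InvalidArgumentException(
                'domain-wide delegation ($sub) is not supported for universe domain "'
                . $this->universeDomain . '"; only ' . self::DEFAULT_UNIVERSE_DOMAIN . ' is allowed'
            );
        }
        $this->sub = $sub;
    }

    public function getClientEmail(): string
    {
        return $this->clientEmail;
    }

    public function getUniverseDomain(): string
    {
        return $this->universeDomain;
    }

    public function getSub(): ?string
    {
        return $this->sub;
    }
}

// Constructed sample keys (not real credentials).
$defaultKey = ['client_email' => 'sa@example.iam.gserviceaccount.com'];
$tpcKey = $defaultKey + ['universe_domain' => 'apis-tpclp.goog'];

// Default universe with delegation: allowed.
$a = new UniverseAwareServiceAccountCredentials($defaultKey, 'admin@example.com');
echo $a->getUniverseDomain(), ' sub=', $a->getSub(), PHP_EOL;

// Non-default universe without delegation: allowed.
$b = new UniverseAwareServiceAccountCredentials($tpcKey);
echo $b->getUniverseDomain(), PHP_EOL;

// Non-default universe with delegation: rejected at construction.
try {
    new UniverseAwareServiceAccountCredentials($tpcKey, 'admin@example.com');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Failing in the constructor keeps the error close to the misconfiguration; deferring it would surface only as an opaque 401 from the target universe's token endpoint.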
Approved it
LGTM, approving since there are no major comments.
Tests:
- I tested the changes on the apis-tpclp.goog universe domain and validated that ServiceAccountCredentials generates a valid access_token while using the provided universe domain value.
- I was also able to query the compute instances in the project on the URL https://compute.apis-tpclp.goog/compute/staging_v1/<more params>, which captures the universe domain in the endpoint.
- When I use the access token generated in step#1 and use the regular compute api https://compute.googleapis.com/compute/staging_v1/<more params>, I see an expected failure with error code 401 and status UNAUTHENTICATED:
  Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
Requirements
Authentication libraries must add the universe_domain property to the token authentication credentials constructor (if supported) and document the default behavior
Not applicable unless we add an Access Token credential type
googleapis.com
googleapis.com
IdToken flow for Service Accounts when authenticating outside googleapis.com or throw an exception
Dependencies