feat(auth): add universe domain support to idtoken #11059
+451
−138
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
quartzmo
force-pushed
the
auth-idtoken-universe-domain
branch
from
ee34736 to
260aaaa
Compare
quartzmo
force-pushed
the
auth-idtoken-universe-domain
branch
from
2b32c34 to
06969bb
Compare
codyoss
reviewed
Oct 30, 2024
codyoss
reviewed
Oct 31, 2024
quartzmo
added
the
do not merge
quartzmo
removed
the
do not merge
codyoss
approved these changes
Jan 6, 2025
| // This TokenProvider is primarily intended for use in non-GDU universes, which | ||
| // do not have access to the oauth2.googleapis.com/token endpoint, and thus must | ||
| // use IAM generateIdToken instead. | ||
| type iamIDTokenProvider struct { |
There was a problem hiding this comment.
I think this struct can go away completely. should now be able to use impersonate.IDTokenIAMOptions directly.
| type impersonatedIDTokenProvider struct { | ||
| client *http.Client | ||
| logger *slog.Logger | ||
| client *http.Client |
There was a problem hiding this comment.
Same with my other comment, this structure should go away in favor of the common code
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
IdToken flow can be done in two ways: 1) OAuth2 server calls or 2) IAM service calls. The majority of implementations went with the OAuth2 server calls. In non-GDU environments, however, there is no OAuth2 server, so the IAM implementation must be used. This is enabled as follows:
impersonatedIDTokenProvider.Tokeninauth/credentials/impersonate/idtoken.gotoIDTokenIAMOptions.Tokeninauth/credentials/internal/impersonate/idtoken.goto enable reuse inauth/credentials/idtoken/iam.go.formatIAMServiceAccountNameinauth/credentials/impersonate/impersonate.gotoFormatIAMServiceAccountResourceinauth/internal/internal.go, for reuse.auth/credentials/idtoken/file.gointroduce a conditional (resolveUniverseDomain(f) == internal.DefaultUniverseDomain) which if true sustains the existing behavior (auth.New2LOTokenProvider) and if false introduces the new non-GDU behavior inIDTokenIAMOptions.TokenNote that to use the IAM endpoint in a non-GDU environment, the service account must have the
iam.serviceAccountTokenCreatorrole because the service account is not only the target service account, but also the caller; the Oauth2 endpoint doesn’t need this.