fix: fix wrong scopes for self signed jwt #935

Merged
merged 2 commits into from
Jun 28, 2021
Conversation

@arithmetic1728 (Collaborator) commented Jun 26, 2021

Fixes: #929

When auth library creates self signed jwt, it looks for scopes, audience and default_scopes in order, and uses the first one available.

In the transport base class, we are using self.AUTH_SCOPES as scopes if scopes are not provided. This is not right.

This is not right since `self.AUTH_SCOPES` should only be used as `default_scopes`. `self.AUTH_SCOPES` may contain only a generic "https://www.googleapis.com/auth/cloud-platform" scope, for instance for all the failed APIs listed in this issue. If it is used as `scopes` in the self signed JWT, the samples may fail with invalid scopes. For the successful APIs, the `AUTH_SCOPES` of kms contains an additional https://www.googleapis.com/auth/cloudkms scope, so it has no problem; the other two APIs are mysterious to me since they are using the same generic scope in `AUTH_SCOPES` as the failed APIs.

The fix is simple. We just need to change `self._scopes = scopes or self.AUTH_SCOPES` to `self._scopes = scopes` in the transport base class. Note that `self.AUTH_SCOPES` is already passed to the grpc channel as `default_scopes`:

```python
return grpc_helpers.create_channel(
    host,
    credentials=credentials,
    credentials_file=credentials_file,
    quota_project_id=quota_project_id,
    default_scopes=cls.AUTH_SCOPES,
    scopes=scopes,
    default_host=cls.DEFAULT_HOST,
    **kwargs
)
```

I tested the PR for all the failed APIs, now all the samples passed (I didn't update the unit test, so kokoro would fail in these PRs):
googleapis/python-speech#189
googleapis/python-asset#215
googleapis/python-videointelligence#171
googleapis/python-analytics-data#95

I also tested the secret_manager and automl APIs, their samples still pass with this fix.
googleapis/python-secret-manager#141
googleapis/python-automl#179
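A small model of the bug described in this PR, added here as an illustration (it is neither google-auth's code nor the generated transport base class). It reproduces the selection order the description gives (scopes, then audience, then default_scopes) and contrasts the transport base class before and after the one-line fix; the service account email, the host and the `https://<host>/` audience format are assumptions, and signing is left out because only the claim set matters.

```python
"""Model of self-signed JWT scope selection before/after the fix (added example)."""

import time

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"


def self_signed_jwt_claims(issuer, scopes, audience, default_scopes, now=None):
    """Return the claim set a self-signed JWT would carry.

    Picks the first available of scopes / audience / default_scopes, which is
    the order the PR description states. Signing is deliberately omitted.
    """
    iat = int(now if now is not None else time.time())
    claims = {"iss": issuer, "sub": issuer, "iat": iat, "exp": iat + 3600}
    if scopes:
        claims["scope"] = " ".join(scopes)
    elif audience:
        claims["aud"] = audience
    elif default_scopes:
        claims["scope"] = " ".join(default_scopes)
    else:
        raise ValueError("no scopes, audience or default_scopes available")
    return claims


class TransportBase:
    """Minimal stand-in for the generated transport base class."""

    AUTH_SCOPES = (CLOUD_PLATFORM,)          # generic scope, as in the failing APIs
    DEFAULT_HOST = "speech.googleapis.com"   # assumed host, illustration only

    def __init__(self, scopes=None, fixed=True):
        # Before the fix, `scopes or self.AUTH_SCOPES` promoted the generic
        # default scope into `scopes`; after the fix only caller scopes count
        # and AUTH_SCOPES reaches the JWT solely through default_scopes.
        self._scopes = scopes if fixed else (scopes or self.AUTH_SCOPES)

    def jwt_claims(self, issuer="sa@example.iam.gserviceaccount.com", now=0):
        audience = "https://%s/" % self.DEFAULT_HOST  # assumed audience format
        return self_signed_jwt_claims(
            issuer, self._scopes, audience, self.AUTH_SCOPES, now
        )


if __name__ == "__main__":
    print("before fix:", TransportBase(fixed=False).jwt_claims())
    print("after fix: ", TransportBase(fixed=True).jwt_claims())
```

With no caller-supplied scopes, the unfixed transport emits a `scope` claim holding only the generic cloud-platform scope, while the fixed one falls through to the audience and leaves `AUTH_SCOPES` as a last-resort default.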

Successfully merging this pull request may close these issues.

403 permission denied errors in some libraries with always_use_jwt_access = True