fix: fix wrong scopes for self signed jwt #935
Merged
Fixes: #929
When auth library creates self signed jwt, it looks for `scopes`, `audience` and `default_scopes` in order, and uses the first one available.

In the transport base class, we are using `self.AUTH_SCOPES` as `scopes` if `scopes` are not provided. This is not right.

gapic-generator-python/gapic/templates/%namespace/%name_%version/%sub/services/%service/transports/base.py.j2
Line 114 in ceb64d9

This is not right since `self.AUTH_SCOPES` should be only used as `default_scopes`. `self.AUTH_SCOPES` may contain only a generic `"https://www.googleapis.com/auth/cloud-platform"` scope, for instance for all the failed APIs listed in this issue. If it is used as `scopes` in self signed jwt, the samples may fail with invalid scopes. For the success APIs, the `AUTH_SCOPES` of kms contains an additional `https://www.googleapis.com/auth/cloudkms` scope so it has no problem; the other two APIs are mysterious to me since they are using the same generic scope in `AUTH_SCOPES` as the failed APIs.

The fix is simple. We just need to change `self._scopes = scopes or self.AUTH_SCOPES` to `self._scopes = scopes` in the transport base class. Note that `self.AUTH_SCOPES` is already passed to grpc channel as `default_scopes`.

gapic-generator-python/gapic/templates/%namespace/%name_%version/%sub/services/%service/transports/grpc.py.j2
Lines 208 to 217 in ceb64d9
I tested the PR for all the failed APIs, now all the samples passed (I didn't update the unit test, so kokoro would fail in these PRs):
googleapis/python-speech#189
googleapis/python-asset#215
googleapis/python-videointelligence#171
googleapis/python-analytics-data#95
I also tested the secret_manager and automl APIs, their samples still pass with this fix.
googleapis/python-secret-manager#141
googleapis/python-automl#179
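
The precedence problem described in this PR, as an added example that is not code from the PR, the generator templates, or the auth library. `pick_jwt_input`, `TransportBefore`, `TransportAfter`, `jwt_input_for` and the audience value are hypothetical names and a simplified model of the selection order stated above.

```python
# Simplified model (assumption): the auth library takes the first available of
# scopes, audience, default_scopes when it builds a self signed jwt.
GENERIC_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
AUDIENCE = "https://example.googleapis.com/"  # constructed sample value


def pick_jwt_input(scopes, audience, default_scopes):
    """Return (source, value) for the first non-empty candidate, in order."""
    if scopes:
        return ("scopes", tuple(scopes))
    if audience:
        return ("audience", audience)
    if default_scopes:
        return ("default_scopes", tuple(default_scopes))
    return (None, None)


class TransportBefore:
    """Transport base class behaviour before the fix."""
    AUTH_SCOPES = (GENERIC_SCOPE,)

    def __init__(self, scopes=None):
        # AUTH_SCOPES is promoted to user-level scopes when none are given,
        # so it always outranks the audience in the selection above.
        self._scopes = scopes or self.AUTH_SCOPES


class TransportAfter:
    """Transport base class behaviour after the fix."""
    AUTH_SCOPES = (GENERIC_SCOPE,)

    def __init__(self, scopes=None):
        # Only caller-supplied scopes count as scopes; AUTH_SCOPES is
        # handed over separately as default_scopes.
        self._scopes = scopes


def jwt_input_for(transport, audience):
    """Model of the hand-off: AUTH_SCOPES is always passed as default_scopes."""
    return pick_jwt_input(transport._scopes, audience, transport.AUTH_SCOPES)


if __name__ == "__main__":
    print("before:", jwt_input_for(TransportBefore(), AUDIENCE))
    print("after: ", jwt_input_for(TransportAfter(), AUDIENCE))
```
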