fix(auth): allow self-signed JWT for non-GDU universe domain #10831
auth/grpctransport/grpctransport.go
@@ -130,7 +130,7 @@ func (o *Options) resolveDetectOptions() *credentials.DetectOptions { | |||
do := transport.CloneDetectOptions(o.DetectOpts) | |||
|
|||
// If scoped JWTs are enabled user provided an aud, allow self-signed JWT. | |||
if (io != nil && io.EnableJWTWithScope) || do.Audience != "" { | |||
if (io != nil && io.EnableJWTWithScope) || do.Audience != "" || !o.isUniverseDomainGDU() { |
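Review bot: the added `|| !o.isUniverseDomainGDU()` makes a non-GDU universe domain alone sufficient to select a self-signed JWT, yet nothing in this hunk guarantees that a scope or an audience is available in that case, so the minted JWT could end up with neither a scope nor an aud claim. Suggest requiring `do.Audience != ""` or `io.EnableJWTWithScope` together with non-empty default scopes for the non-GDU case (or deferring the decision to where the credential type is known) and returning an error when neither claim can be populated rather than falling back silently. The comment above the condition should also be updated: "If scoped JWTs are enabled user provided an aud" reads as if a word is missing ("or the user provided an aud") and it no longer mentions the universe-domain condition.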
It is not clear to me this is the desired behavior. If a scope or aud is not present you can't really make a valid self-signed JWT. Instead of saying if nonGDU assume self-signed, maybe we should validate that it will be a self-signed JWT?
I found the original logic from the previous auth. This logic may also be flawed, but it looks to me that it only validates 1) non-GDU and 2) service account.
Yeah, to me that looks flawed too. I think we could make this change. But does it fix any bug? If it does fix a real use case I am fine with it, but it is not clear to me that it does.
I'll try to move this logic to a later stage at which 2) service account can be determined.
Even if it is a service account, you need a scope or an aud for the JWT. Do you have a use-case to test this against?
Can the InternalOptions.DefaultScopes be used?
Only if jwtscope is enabled. IIRC not all APIs support scoped JWTs. Aud JWTs work for anything though I believe.
I'll see if I can get some info about how self-signed JWTs are intended to be used with universe domain.
My understanding is that non-GDU participating services must support self-signed JWTs, and my best guess is that the default scope(s) are good enough.
Manual testing in the PRPTST environment using SA JSON with

```go
package main

import (
	"context"
	"log"

	"google.golang.org/api/compute/v1"
	"google.golang.org/api/option"
)

func main() {
	ctx := context.Background()
	// Non-GDU (TPC) universe domain under test.
	tpcUniverse := "apis-tpczero.goog"
	// Service-account JSON key for the PRPTST environment.
	computeService, err := compute.NewService(ctx,
		option.WithUniverseDomain(tpcUniverse),
		option.WithCredentialsFile("/Users/chrisdsmith/sa_keys/prptst.json"))
	if err != nil {
		log.Fatalf("[WARN] Error creating client compute: %s", err)
	}
	log.Printf("[INFO] Requesting instance creation")
	// Any authenticated call exercises the self-signed JWT path; list is read-only.
	call, err := computeService.Instances.List("tpczero-system:bootstrap-libraries", "u-us-prp1-a").Do()
	if err != nil {
		log.Fatalf("[WARN] Error listing instances: %v", err)
	}
	log.Printf("[INFO] List instances operation: %d", len(call.Items))
}
```

```
➜ compute-apiary-ud-new-auth git:(main) ✗ go run main.go
2024/09/06 12:29:40 [INFO] Requesting instance creation
2024/09/06 12:29:41 [INFO] List instances operation: 3
```
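The decision the reviewers are debating above (a non-GDU universe domain forces a self-signed JWT, but the token still needs an aud or a scope claim), written out as an added example that is not the library's own code: `jwtOptions`, `useSelfSignedJWT` and `selfSignedClaims` are hypothetical names, and the option fields only mirror the ones named in the thread.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

const defaultUniverseDomain = "googleapis.com" // the Google Default Universe (GDU)
// jwtOptions holds the inputs the review turns on; field names are assumptions, not the library's types.
type jwtOptions struct {
	UniverseDomain      string
	Audience            string   // user-provided aud
	EnableJWTWithScope  bool     // internal option: the API accepts scoped JWTs
	DefaultScopes       []string // InternalOptions.DefaultScopes
	ServiceAccountEmail string
}

// useSelfSignedJWT decides whether a self-signed JWT can be minted. A non-GDU
// universe domain alone is not enough: without an aud or a scope claim the
// decision is an error rather than a token no service would accept.
func useSelfSignedJWT(o jwtOptions) (bool, error) {
	hasAud, hasScope := o.Audience != "", o.EnableJWTWithScope && len(o.DefaultScopes) > 0
	switch {
	case hasAud || hasScope:
		return true, nil
	case o.UniverseDomain != "" && o.UniverseDomain != defaultUniverseDomain:
		return false, fmt.Errorf("universe domain %q needs a self-signed JWT but no audience or scopes are available", o.UniverseDomain)
	default:
		return false, nil // GDU: fall back to the OAuth2 token exchange
	}
}

// selfSignedClaims builds the claim set: aud when one was given, scope otherwise, never neither.
func selfSignedClaims(o jwtOptions, now time.Time) (map[string]any, error) {
	if ok, err := useSelfSignedJWT(o); err != nil {
		return nil, err
	} else if !ok {
		return nil, fmt.Errorf("universe domain %q can use the OAuth2 token exchange instead", o.UniverseDomain)
	}
	c := map[string]any{"iss": o.ServiceAccountEmail, "sub": o.ServiceAccountEmail,
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix()}
	if o.Audience != "" {
		c["aud"] = o.Audience
	} else {
		c["scope"] = strings.Join(o.DefaultScopes, " ")
	}
	return c, nil
}
func main() { fmt.Println(selfSignedClaims(jwtOptions{UniverseDomain: "apis-tpczero.goog"}, time.Now())) }
```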
Left some questions
if opts.UseSelfSignedJWT { | ||
return configureSelfSignedJWT(f, opts) | ||
} else if ud != "" && ud != internalauth.DefaultUniverseDomain { | ||
// For non-GDU universe domains, token exchange is impossible and services |
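Review bot: the `else if ud != "" && ud != internalauth.DefaultUniverseDomain` branch opens a second code path to a self-signed JWT next to the existing `return configureSelfSignedJWT(f, opts)`; folding the universe-domain check into `opts.UseSelfSignedJWT` before the `if` keeps a single path, and the comment explaining that token exchange is unavailable for non-GDU domains can sit above that assignment. Whichever form is kept, `configureSelfSignedJWT` should still fail clearly when neither an audience nor scopes are available, since the thread above notes that the JWT cannot be valid without one of them.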
this can now become

```go
opts.UseSelfSignedJWT |= ud != "" && ud != internalauth.DefaultUniverseDomain
```