fix: Invalidate the SA's AccessToken when createScoped() is called #1489
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
suztomo
reviewed
Aug 30, 2024
zhumin8
approved these changes
Sep 3, 2024
oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
Outdated
Show resolved
Hide resolved
|
zhumin8
added a commit
that referenced
this pull request
Oct 18, 2024
…verse domain (#1528) for context: b/340602527 Changes in this pr: - Override `getUniverseDomain()` to grab source credentials’s universe domain (UD) by default. Always use source credentials UD, not explicit provided UD. (In current design, impersonated credentials may not have universe domain in the outer layer. relay on UD from source credential. This may change in future) - Fix `isDefaultUniverseDomain()` in `GoogleCredentials` to account for `getUniverseDomain()` overrides in child classes. - In refreshAccessToken(), use endpoint url pattern to account for TPC case. - note that I choose to bypass this refreshIfExpired step because it wrongly steps into code path meant only for OAuth2 token request (GDU flow). Filed #1534 to address this separately. But for GDU flow here, this refresh step is redundant because the SSJ will get re-generated at [initialize request](https://github.com/googleapis/google-auth-library-java/blob/a987ecd06fd25a0048cdb3da6d1df4d029d85d79/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java#L558). Also skip this step for SA GDU with SSJ flow. - Throw IllegalStateException if UD is explicitly set (with parent class setter) and not matching source credential's UD - Fix toBuilder() to invoke super, and fix related issue with createScoped. (see #1489, #1428); Also fix equals() to compare super first. Not in this pr: - idtoken and signBlob endpoint changes are out-of-scope for this pr, will raise separate pr for it. sa-to-sa impersonation is successfully E2E tested for TPC usage according to [go/prptst-testing-service-account-impersonation](http://goto.google.com/prptst-testing-service-account-impersonation). --------- Co-authored-by: Blake Li <blakeli@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See b/353616562 for more information. This seems to be a very similar issue to #1387.
Invalidating the Access Token via
setAccessToken(null)fromcreateScoped(...)should not break any existing workflows. Copying the existing Access Token while modifying the interval fields that make up the Credentials is a regression in behavior that was introduced in v1.14.0 of the Auth-Library.Example flow for the current state (pseudocode):
Without this change, users would be recieving a 403 Access Denied error message. This change to invalidate the access token would force the auth library to retrieve a new valid access token.
Example flow for the new state (pseudocode):