feat: allow scopes for self signed jwt (#776)
* feat: allow scopes for self signed jwt
* Update service_account.py
* add http changes
* Update google/auth/jwt.py
diff --git a/google/auth/jwt.py b/google/auth/jwt.py
index 892f3a8..e9f4f69 100644
--- a/google/auth/jwt.py
+++ b/google/auth/jwt.py
@@ -525,8 +525,9 @@
"sub": self._subject,
"iat": _helpers.datetime_to_secs(now),
"exp": _helpers.datetime_to_secs(expiry),
- "aud": self._audience,
}
+ if self._audience:
+ payload["aud"] = self._audience
payload.update(self._additional_claims)
diff --git a/google/auth/transport/grpc.py b/google/auth/transport/grpc.py
index 04c0f4f..c47cb3d 100644
--- a/google/auth/transport/grpc.py
+++ b/google/auth/transport/grpc.py
@@ -79,12 +79,9 @@
# Attempt to use self-signed JWTs when a service account is used.
# A default host must be explicitly provided since it cannot always
# be determined from the context.service_url.
- if (
- isinstance(self._credentials, service_account.Credentials)
- and self._default_host
- ):
+ if isinstance(self._credentials, service_account.Credentials):
self._credentials._create_self_signed_jwt(
- "https://{}/".format(self._default_host)
+ "https://{}/".format(self._default_host) if self._default_host else None
)
self._credentials.before_request(
diff --git a/google/auth/transport/requests.py b/google/auth/transport/requests.py
index d317544..a4784b3 100644
--- a/google/auth/transport/requests.py
+++ b/google/auth/transport/requests.py
@@ -358,13 +358,9 @@
# https://google.aip.dev/auth/4111
# Attempt to use self-signed JWTs when a service account is used.
- # A default host must be explicitly provided.
- if (
- isinstance(self.credentials, service_account.Credentials)
- and self._default_host
- ):
+ if isinstance(self.credentials, service_account.Credentials):
self.credentials._create_self_signed_jwt(
- "https://{}/".format(self._default_host)
+ "https://{}/".format(self._default_host) if self._default_host else None
)
def configure_mtls_channel(self, client_cert_callback=None):
diff --git a/google/auth/transport/urllib3.py b/google/auth/transport/urllib3.py
index aadd116..6a2504d 100644
--- a/google/auth/transport/urllib3.py
+++ b/google/auth/transport/urllib3.py
@@ -293,13 +293,9 @@
# https://google.aip.dev/auth/4111
# Attempt to use self-signed JWTs when a service account is used.
- # A default host must be explicitly provided.
- if (
- isinstance(self.credentials, service_account.Credentials)
- and self._default_host
- ):
+ if isinstance(self.credentials, service_account.Credentials):
self.credentials._create_self_signed_jwt(
- "https://{}/".format(self._default_host)
+ "https://{}/".format(self._default_host) if self._default_host else None
)
super(AuthorizedHttp, self).__init__()
diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py
index 1ccfa19..dd36589 100644
--- a/google/oauth2/service_account.py
+++ b/google/oauth2/service_account.py
@@ -131,6 +131,7 @@
project_id=None,
quota_project_id=None,
additional_claims=None,
+ always_use_jwt_access=False,
):
"""
Args:
@@ -149,6 +150,8 @@
billing.
additional_claims (Mapping[str, str]): Any additional claims for
the JWT assertion used in the authorization grant.
+ always_use_jwt_access (Optional[bool]): Whether self signed JWT should
+ be always used.
.. note:: Typically one of the helper constructors
:meth:`from_service_account_file` or
@@ -165,6 +168,7 @@
self._project_id = project_id
self._quota_project_id = quota_project_id
self._token_uri = token_uri
+ self._always_use_jwt_access = always_use_jwt_access
self._jwt_credentials = None
@@ -266,6 +270,30 @@
project_id=self._project_id,
quota_project_id=self._quota_project_id,
additional_claims=self._additional_claims.copy(),
+ always_use_jwt_access=self._always_use_jwt_access,
+ )
+
+ def with_always_use_jwt_access(self, always_use_jwt_access):
+ """Create a copy of these credentials with the specified always_use_jwt_access value.
+
+ Args:
+ always_use_jwt_access (bool): Whether always use self signed JWT or not.
+
+ Returns:
+ google.auth.service_account.Credentials: A new credentials
+ instance.
+ """
+ return self.__class__(
+ self._signer,
+ service_account_email=self._service_account_email,
+ scopes=self._scopes,
+ default_scopes=self._default_scopes,
+ token_uri=self._token_uri,
+ subject=self._subject,
+ project_id=self._project_id,
+ quota_project_id=self._quota_project_id,
+ additional_claims=self._additional_claims.copy(),
+ always_use_jwt_access=always_use_jwt_access,
)
def with_subject(self, subject):
@@ -288,6 +316,7 @@
project_id=self._project_id,
quota_project_id=self._quota_project_id,
additional_claims=self._additional_claims.copy(),
+ always_use_jwt_access=self._always_use_jwt_access,
)
def with_claims(self, additional_claims):
@@ -315,6 +344,7 @@
project_id=self._project_id,
quota_project_id=self._quota_project_id,
additional_claims=new_additional_claims,
+ always_use_jwt_access=self._always_use_jwt_access,
)
@_helpers.copy_docstring(credentials.CredentialsWithQuotaProject)
@@ -330,6 +360,7 @@
project_id=self._project_id,
quota_project_id=quota_project_id,
additional_claims=self._additional_claims.copy(),
+ always_use_jwt_access=self._always_use_jwt_access,
)
def _make_authorization_grant_assertion(self):
@@ -386,8 +417,22 @@
audience (str): The service URL. ``https://[API_ENDPOINT]/``
"""
# https://google.aip.dev/auth/4111
- # If the user has not defined scopes, create a self-signed jwt
- if not self.scopes:
+ if self._always_use_jwt_access:
+ if self._scopes:
+ self._jwt_credentials = jwt.Credentials.from_signing_credentials(
+ self, None, additional_claims={"scope": " ".join(self._scopes)}
+ )
+ elif audience:
+ self._jwt_credentials = jwt.Credentials.from_signing_credentials(
+ self, audience
+ )
+ elif self._default_scopes:
+ self._jwt_credentials = jwt.Credentials.from_signing_credentials(
+ self,
+ None,
+ additional_claims={"scope": " ".join(self._default_scopes)},
+ )
+ elif not self._scopes and audience:
self._jwt_credentials = jwt.Credentials.from_signing_credentials(
self, audience
)