To support a new type of credential: `ExternalAccountAuthorizedUser`
* Refactor the common dependency STS to a separate package.
* Adding the `externalaccountauthorizeduser` package.
Change-Id: I9b9624f912d216b67a0d31945a50f057f747710b
GitHub-Last-Rev: 6e2aaff345711d007f913a7c22dc6da750732938
GitHub-Pull-Request: golang/oauth2#671
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/531095
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Reviewed-by: Alex Eitzman <eitzman@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Adds framework for sending BYOID metrics via the x-goog-api-client header on outgoing sts requests. Also adds a header file for getting the current version of GoLang
Change-Id: Id5431def96f4cfc03e4ada01d5fb8cac8cfa56a9
GitHub-Last-Rev: c93cd478e5fade98bcf846164b9b56f89b442f6b
GitHub-Pull-Request: golang/oauth2#661
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/523595
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cody Oss <codyoss@google.com>
Removes URL validation for token_url, service_account_impersonation_url to allow for TPC urls and adds line to the docs to warn users. See https://github.com/googleapis/google-auth-library-nodejs/pull/1517 for same change in node.js library.
Change-Id: I85fa67ee0b99deed2adb75668a1b5501851c499c
GitHub-Last-Rev: 15d7759884817d0f835768bdb5e5b3fa86e8fdbf
GitHub-Pull-Request: golang/oauth2#627
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/465696
Reviewed-by: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Right now, impersonation tokens used for external accounts have a hardcoded lifetime of 1 hour (3600 seconds), but some of our customers want to be able to adjust this lifetime. These changes (along with others in the gcloud cli) should allow this
Change-Id: I705f83dc2a092d8cdd0fcbfff83b014c220e28bb
GitHub-Last-Rev: 7e0ea92c8ef5f12b4a86ec5b389ff7a2055ad2ab
GitHub-Pull-Request: golang/oauth2#571
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/416797
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Shin Fan <shinfan@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This changeset would allow users to specify a command to be run which will return a token
Change-Id: If84cce97c273cdd08ef2010a1693cd813d053ed3
GitHub-Last-Rev: 98f37871caf9f21b5d47f197ef7447f6961f5b47
GitHub-Pull-Request: golang/oauth2#563
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/404114
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cody Oss <codyoss@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
AWS released a new instance metadata service (IMDSv2). IMDSv2 brought a requirement that a session token header is now required on every call to metadata endpoint.
Modify the AWS credential retrieval flow to fetch the session token and send it along with the calls to metadata endpoints
Change-Id: I539912ab38f5e591658b29a1e7a99d2b828a1128
GitHub-Last-Rev: 29e1f4aad1a6a35d9e197c3c48a7d0c1f1401722
GitHub-Pull-Request: golang/oauth2#554
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/390794
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
New credential type supported: "impersonated_service_account".
Extend the "credentialsFile" struct to take into account the credential source for the impersonation.
Reuse of `ImpersonateTokenSource` struct, from `google/internal/externalaccount/Impersonate.go' file. The struct has a package-scope visibility now.
Fixes: #515
Change-Id: I87e213be6d4b6add2d6d82b91b1b38e43a0d2fe4
GitHub-Last-Rev: 14806e6b37a019cbff58e2088ee99191e89b4f7e
GitHub-Pull-Request: golang/oauth2#516
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/344369
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Michael Knyszek <mknyszek@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Workforce pools (external account credentials for non-Google users) are
organization-level resources which means that issued workforce pool tokens
will not have any client project ID on token exchange as currently designed.
"To use a Google API, the client must identify the application to the server.
If the API requires authentication, the client must also identify the principal
running the application."
The application here is the client project. The token will identify the user
principal but not the application. This will result in APIs rejecting requests
authenticated with these tokens.
Note that passing a x-goog-user-project override header on API request is
still not sufficient. The token is still expected to have a client project.
As a result, we have extended the spec to support an additional
workforce_pool_user_project for these credentials (workforce pools) which will
be passed when exchanging an external token for a Google Access token. After the
exchange, the issued access token will use the supplied project as the client
project. The underlying principal must still have serviceusage.services.use
IAM permission to use the project for billing/quota.
This field is not needed for flows with basic client authentication (e.g. client
ID is supplied). The client ID is sufficient to determine the client project and
any additionally supplied workforce_pool_user_project value will be ignored.
Note that this feature is not usable yet publicly.
Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0
GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4
GitHub-Pull-Request: golang/oauth2#520
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Bassam Ojeil <bojeil@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
If times are stored in different time zones, then we occasionally get heisenbugs about expired tokens
Change-Id: I0c117977688d8d6c7b12b211092e5040a41a1f46
GitHub-Last-Rev: 3ff51b34f58e0bde7946af59e1215b7d3db65a95
GitHub-Pull-Request: golang/oauth2#482
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/300929
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Tyler Bui-Palsulich <tbp@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Make all our package sources use Go 1.17 gofmt format
(adding //go:build lines).
Not strictly necessary but will avoid spurious changes
as files are edited.
Part of //go:build change (#41184).
See https://golang.org/design/draft-gobuild
Change-Id: I22803ea9e936fbb08984a64155302f47e181de27
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/294420
Trust: Russ Cox <rsc@golang.org>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Cody Oss <codyoss@google.com>
These structs and funcs cannot be used by the end consumer. Unexporting them helps cleans up our documentation
Change-Id: I2eadb69e87de912ac39f53e83cd9bdfe76a15e3e
GitHub-Last-Rev: 60b58eef7558b7e1ccf7a07794668b0b25e99d9e
GitHub-Pull-Request: golang/oauth2#479
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/293752
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
I found some errors while manually testing service account impersonation on Azure. This PR includes the fixes that I made.
Change-Id: Ia2b194be6c9a7c843e615f9789c8f8203bcbc151
GitHub-Last-Rev: 56907163634bb65457c12320b4081e919cfbbcb2
GitHub-Pull-Request: golang/oauth2#475
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/291209
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Adds support for service account impersonation when a URL for service account impersonation is provided.
Change-Id: I9f3bbd6926212cecb13938fc5dac358ba56855b8
GitHub-Last-Rev: 9c218789db45e9b80bb8bec5c69539dd386d9668
GitHub-Pull-Request: golang/oauth2#468
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/285012
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials.
Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7
GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b
GitHub-Pull-Request: golang/oauth2#462
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Tyler Bui-Palsulich <tbp@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
