Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict Google JSON credentials to the service_account type. #16003

Merged
merged 3 commits into from
Sep 1, 2022
Merged

Restrict Google JSON credentials to the service_account type. #16003

merged 3 commits into from
Sep 1, 2022

Conversation

espadolini
Copy link
Contributor

Because of golang/oauth2#583, it's possible to get a panic when trying to use a Google Developers Console client_credentials.json (like the one that gets helpfully suggested for download when creating a OAuth client ID, like what happened in #15608).

Going through the code of golang.org/x/oauth2/google.CredentialsFromJSONWithParams I realized that we have also allowed other credential types that don't support domain-wide delegation at all (the params.Subject parameter is completely ignored) and would thus lead to a broken setup anyway, so if we restrict ourselves to just the service_account type we will work around the panic bug while giving out an understandable google: read JWT from JSON credentials: 'type' field is "other_type" (expected "service_account") error in the auth logs.

@espadolini espadolini mentioned this pull request Aug 31, 2022
Closed
@espadolini espadolini enabled auto-merge (squash) September 1, 2022 08:38
@espadolini
Copy link
Contributor Author

Of note: we have been using google.JWTConfigFromJSON until #9697 (where we started using google.CredentialsFromJSON), and we're still using it in v7, so very old auth connectors are not going to be affected by this change.

@espadolini espadolini merged commit c5c2b5d into master Sep 1, 2022
@github-actions
Copy link

github-actions bot commented Sep 1, 2022

@espadolini See the table below for backport results.

Branch Result
branch/v10 Create PR
branch/v8 Create PR
branch/v9 Create PR

This was referenced Sep 1, 2022
Merged
Merged
Merged
@espadolini espadolini deleted the espadolini/oauth2-panic-fix-redux branch September 1, 2022 14:07
@espadolini espadolini mentioned this pull request Sep 2, 2022
Closed
capnspacehook pushed a commit that referenced this pull request Sep 12, 2022
@espadolini @capnspacehook
Restrict Google JSON creds to service_account (#16003)
c80fc3b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zmb3 zmb3 zmb3 approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@espadolini @zmb3 @rosstimothy