Similar to useApplicationDefaultCredentials, we should look into enabling Self Signed JWTs by default. Right now this is possible, but only by providing custom credentials, e.g.:
```php
use Google\Auth\ApplicationDefaultCredentials;
use Google\Auth\Credentials\ServiceAccountCredentials;
use Google\Client;

// use Application Default Credentials (e.g. the GOOGLE_APPLICATION_CREDENTIALS environment variable)
$credentials = ApplicationDefaultCredentials::makeCredentials();
if ($credentials instanceof ServiceAccountCredentials) {
    // ensure that Service Account Credentials use Self-Signed JWT instead
    // of making an HTTP request to the OAuth2 server
    $credentials->useJwtAccessWithScope();
}
$client = new Client(['credentials' => $credentials]);
```
The reason that Self-Signed JWT is not default behavior for this library is simply because there are so many APIs (more than 300) that we cannot be confident they will all work as expected with JWTs.
We can at the very least add a feature for a flag or function that enables the SSJWTs, so that you don't need to manually create them as shown above. Something like this, for instance:
```php
// in the constructor
$client = new Google\Client(['use_self_signed_jwt' => true]);

// in a method
$client->useSelfSignedJwt(true);
```
This would essentially just call useJwtAccessWithScope on the credentials if those credentials are ServiceAccountCredentials. Otherwise it would do nothing.
See https://github.com/google-wallet/rest-samples/issues/112 and https://github.com/googleapis/google-auth-library-php/pull/557 for a full discussion and related feature request.
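What "Self-Signed JWT instead of making an HTTP request to the OAuth2 server" means in practice, as an added example that is not part of the original issue or the library's code: the client signs a short-lived token locally with the service account's private key, and the receiver checks algorithm, signature and expiry. The claim layout (issuer and subject set to the service account, a `scope` claim, one-hour lifetime), the helper names, the key pair and the account values are assumptions constructed for illustration.

```php
<?php
// Added illustration (not library code); needs ext-openssl. All values are constructed.
function b64url(string $d): string
{
    return rtrim(strtr(base64_encode($d), '+/', '-_'), '=');
}

function b64urlDecode(string $d): string
{
    return (string) base64_decode(strtr($d, '-_', '+/'));
}

// Sign the claims locally with the service account's private key: no HTTP request is made.
function buildSelfSignedJwt(array $key, string $scope, int $now, int $ttl = 3600): string
{
    $header = ['alg' => 'RS256', 'typ' => 'JWT', 'kid' => $key['private_key_id']];
    $claims = ['iss' => $key['client_email'], 'sub' => $key['client_email'],
               'scope' => $scope, 'iat' => $now, 'exp' => $now + $ttl];
    $input = b64url(json_encode($header)) . '.' . b64url(json_encode($claims));
    if (!openssl_sign($input, $sig, $key['private_key'], OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return $input . '.' . b64url($sig);
}

// Receiver-side check: pinned algorithm, valid signature, unexpired. Returns claims or null.
function verifySelfSignedJwt(string $jwt, string $publicPem, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    $header = json_decode(b64urlDecode($parts[0]), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        return null;
    }
    $signed = $parts[0] . '.' . $parts[1];
    $ok = openssl_verify($signed, b64urlDecode($parts[2]), $publicPem, OPENSSL_ALGO_SHA256);
    $claims = json_decode(b64urlDecode($parts[1]), true);
    return ($ok === 1 && is_array($claims) && ($claims['exp'] ?? 0) > $now) ? $claims : null;
}

// Constructed throwaway key pair and service account fields.
$pkey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pkey, $privatePem);
$publicPem = openssl_pkey_get_details($pkey)['key'];
$key = ['client_email' => 'demo@example-project.iam.gserviceaccount.com',
        'private_key_id' => 'constructed-key-id', 'private_key' => $privatePem];
$now = time();
$jwt = buildSelfSignedJwt($key, 'https://www.googleapis.com/auth/cloud-platform', $now);
var_dump(verifySelfSignedJwt($jwt, $publicPem, $now));                 // claims while unexpired
var_dump(verifySelfSignedJwt($jwt, $publicPem, $now + 3600) === null); // expired token rejected
```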