googleapis / google-auth-library-java

Open source Auth client library for Java
https://developers.google.com/identity
BSD 3-Clause "New" or "Revised" License

AppEngineCredential depends on legacy bundled service #1384

Open yonghaoy opened 2 months ago

yonghaoy commented 2 months ago

Hello, we are upgrading GAE from Java 8 to 11 and also trying to get rid of the legacy bundled service.

Here is how we generate default AccessToken today.

GoogleCredentials credentials = AppEngineCredentials.newBuilder().setScopes(scopes).setAppIdentityService(AppIdentityServiceFactory.getAppIdentityService()).build();

The reason we do it this way is that, if using GoogleCredentials.getDefaulCredential, the call to .createScoped will silently proceed by doing nothing?

Questions:

1: How to use AppEngineCredentials without turning on legacy bundle? Because I get a feature not enabled error when calling without turning it on.

2: Do we still need to include appengine-sdk1.0 in our dependency? As those imports are there:

import com.google.appengine.api.appidentity.AppIdentityService;
import com.google.appengine.api.appidentity.AppIdentityService.GetAccessTokenResult;
import com.google.appengine.api.appidentity.AppIdentityServiceFactory;

Thanks

yonghaoy commented 2 months ago

As for why GoogleCredentials.getDefaulCredential does not work, I suspect it's related to https://github.com/googleapis/google-auth-library-java/issues/1274

arithmetic1728 commented 2 months ago

I guess you meant GoogleCredentials.getApplicationDefault method.

From the code, it looks like createScoped should work with GoogleCredentials.getApplicationDefault, if it returns an app engine credentials.

The getApplicationDefault code to get app engine cred: https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java#L197-L199

App engine code to add scopes: https://github.com/googleapis/google-auth-library-java/blob/main/appengine/java/com/google/auth/appengine/AppEngineCredentials.java#L94

For the Java specific question, I will leave it to our Java expert.

yonghaoy commented 2 months ago

createScoped does not work after upgrading from 1.11 to 1.24. I suspect that is similar to https://github.com/googleapis/google-auth-library-java/issues/1274...

For now, we have to bring back the legacy service and use the old way to get a token with scopes. https://github.com/all-of-us/workbench/blob/727be385a0c5b3895ddf8650c4900aef4875a278/api/src/main/java/org/pmiops/workbench/auth/ServiceAccounts.java#L39L53

yonghaoy commented 2 months ago

Also, for the code you pointed to above: https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java#L197-L199 it seems it only works for GAE 7 standard env? Is that right?
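Added example (not posted by anyone in this thread and not the library's own code): a guard that makes the "createScoped silently does nothing" case discussed above fail loudly. It relies on the documented behaviour that `GoogleCredentials.createScoped` returns the same instance when the credential type does not support scoping; the class name `ScopedTokenCheck`, the helper `scopedOrFail` and the sample scope are assumptions for illustration.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.util.Collection;
import java.util.List;

/** Hypothetical helper: refuse to continue when requested scopes were not applied. */
public final class ScopedTokenCheck {

  /**
   * Applies scopes and throws if the credential ignored them.
   * The base GoogleCredentials.createScoped implementation returns "this" for
   * credential types without scope support, so reference equality means no-op.
   */
  static GoogleCredentials scopedOrFail(GoogleCredentials base, Collection<String> scopes) {
    GoogleCredentials scoped = base.createScoped(scopes);
    if (scoped == base) {
      throw new IllegalStateException(
          "createScoped was a no-op for " + base.getClass().getName()
              + "; requested scopes were not applied: " + scopes);
    }
    return scoped;
  }

  public static void main(String[] args) throws IOException {
    // Sample scope chosen for illustration; use the scopes your service needs.
    List<String> scopes = List.of("https://www.googleapis.com/auth/userinfo.email");

    // Application Default Credentials: the concrete type depends on the runtime.
    GoogleCredentials base = GoogleCredentials.getApplicationDefault();
    System.out.println("ADC type: " + base.getClass().getName()
        + ", createScopedRequired=" + base.createScopedRequired());

    GoogleCredentials scoped = scopedOrFail(base, scopes);

    // Fetch a token to confirm the scoped credential can actually be used.
    scoped.refreshIfExpired();
    AccessToken token = scoped.getAccessToken();

    // Log only metadata, never the token value itself.
    System.out.println("Token obtained, expires: " + token.getExpirationTime());
  }
}
```

Logging the concrete credential class before scoping shows which provider Application Default Credentials resolved to in the runtime, which is the open question in this thread.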