peburrows / goth

Elixir package for OAuth authentication via Google Cloud APIs
http://hexdocs.pm/goth
MIT License

Do we really need Client.check_metadata_scope? #19

Closed dazuma closed 7 years ago

dazuma commented 7 years ago

Goth.Client.check_metadata_scope checks to see if the requested scope is declared with the service account token provided by the metadata service, and errors out if not. But I don't think a straight string comparison does the right thing, because some scopes imply others.

For example, I'm trying to run an app in an App Engine VM. By default, GAE instance service accounts don't provide the https://www.googleapis.com/auth/datastore scope explicitly, but do instead provide https://www.googleapis.com/auth/cloud-platform which is kind of a catch-all that includes datastore. Since Diplomat requests https://www.googleapis.com/auth/datastore specifically, it's failing the check_metadata_scope test, even though the scope is actually valid.

I suspect we should just omit the check. If the metadata-provided token has insufficient scopes, the downstream services will check for us.
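
To make the scope-implication problem concrete, here is an added example (written for this page, not Goth's code or the fix that was merged) of what a scope check that understands implied scopes would look like, next to the plain string comparison that fails. It assumes that `https://www.googleapis.com/auth/cloud-platform` covers every Google Cloud API scope, as the comment above describes for datastore, and that the metadata server's `.../instance/service-accounts/default/scopes` endpoint returns the granted scopes as newline-separated text. The module and function names (`ScopeCheck`, `parse_scopes/1`, `covered?/2`, `check/2`) and the sample metadata body are constructed for illustration.

```elixir
# Added example, not Goth's code: a scope check that treats some scopes as
# implying others, instead of comparing the requested scope string exactly.
defmodule ScopeCheck do
  @moduledoc """
  Decides whether a requested OAuth scope is covered by the scopes the GCE/GAE
  metadata server reports for the instance service account.
  """

  # Assumption (from the issue): cloud-platform is a catch-all that covers
  # every Google Cloud API scope, including datastore.
  @catch_all "https://www.googleapis.com/auth/cloud-platform"

  # Narrower implications have to be listed by hand. Google Cloud Storage's
  # scopes nest (full_control covers read_write, which covers read_only); any
  # other API would need its own entries, which is the maintenance burden that
  # makes dropping the check and letting the API reject the token attractive.
  @implied %{
    "https://www.googleapis.com/auth/devstorage.full_control" => [
      "https://www.googleapis.com/auth/devstorage.read_write",
      "https://www.googleapis.com/auth/devstorage.read_only"
    ],
    "https://www.googleapis.com/auth/devstorage.read_write" => [
      "https://www.googleapis.com/auth/devstorage.read_only"
    ]
  }

  @doc "Parses the newline-separated scope list returned by the metadata server."
  def parse_scopes(body) when is_binary(body) do
    body
    |> String.split(~r/\s+/, trim: true)
    |> MapSet.new()
  end

  @doc """
  Returns true when every requested scope is granted directly, implied by a
  granted scope, or covered by the catch-all. `requested` may be a single
  scope or a space-separated list, like the scope string Goth accepts.
  """
  def covered?(requested, %MapSet{} = granted) when is_binary(requested) do
    requested
    |> String.split(" ", trim: true)
    |> Enum.all?(&covered_one?(&1, granted))
  end

  defp covered_one?(scope, granted) do
    MapSet.member?(granted, scope) or
      MapSet.member?(granted, @catch_all) or
      Enum.any?(granted, fn g -> scope in Map.get(@implied, g, []) end)
  end

  @doc "Same result shape as a check that returns {:ok, scope} or {:error, reason}."
  def check(requested, granted) do
    if covered?(requested, granted) do
      {:ok, requested}
    else
      {:error, "scope #{inspect(requested)} is not granted to the instance service account"}
    end
  end
end

# Constructed sample modelled on the comment above: an instance whose service
# account has cloud-platform but not datastore listed explicitly.
metadata_body = """
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/userinfo.email
"""

granted = ScopeCheck.parse_scopes(metadata_body)
datastore = "https://www.googleapis.com/auth/datastore"

# A plain string comparison, the behaviour the issue complains about:
IO.inspect(MapSet.member?(granted, datastore), label: "exact match")

# The implication-aware check:
IO.inspect(ScopeCheck.check(datastore, granted), label: "implied match")

# A scope nothing here covers, so the check still catches genuine mismatches:
IO.inspect(ScopeCheck.check("https://www.googleapis.com/auth/bogus", MapSet.new()),
  label: "not granted")
```

With the sample body, the exact-match line reports that datastore is missing while `check/2` accepts it via the catch-all; the last call returns an `:error` tuple. The implication table is the weak spot: it encodes Google's scope hierarchy as a hand-maintained list that silently goes stale, which is why letting the downstream API reject an under-scoped token, as the comment suggests, is the safer default.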

peburrows commented 7 years ago

That's a great point. Looking at the code, I'm not sure I remember why I felt the need to validate the scope. Let me dig into this a bit more, but I'm thinking you're right and we should just omit the check altogether (plus, you'd be the expert here anyway 😂).

dazuma commented 7 years ago

I saw the commit for this. Thanks!