pydata / pydata-google-auth

A package providing helpers for authenticating to Google APIs.
https://pydata-google-auth.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Works only for some scopes #49

Open martindurant opened 2 years ago

martindurant commented 2 years ago

The following line works OK for me to get credentials for gdrive:

import pydata_google_auth

# Drive scope: the OAuth consent flow completes and credentials are returned.
pydata_google_auth.get_user_credentials(
    ["https://www.googleapis.com/auth/drive"])

but the following line

import pydata_google_auth

# Cloud Storage scope: the consent flow fails (see screenshot below).
pydata_google_auth.get_user_credentials(
    ["https://www.googleapis.com/auth/devstorage.read_write"])

results in

[Screenshot attached: Screen Shot 2021-11-19 at 15 25 57]

(same for "read_only" or "full_control").

Ref: https://github.com/fsspec/gcsfs/issues/261

tswast commented 2 years ago

I'll see what I can do to get the app re-verified for this scope.

FWIW, I'd expect https://www.googleapis.com/auth/cloud-platform scope to work which provides a similar level of access.

martindurant commented 2 years ago

Isn't that a much broader level of permission? Have you seen that scope working?

tswast commented 2 years ago

I'm not sure how much broader it is. It's actually quite difficult to verify what access is and isn't granted with regards to scopes. For this reason, Google Cloud hasn't introduced new scopes in a long time. You'll notice that most of the products in https://developers.google.com/identity/protocols/oauth2/scopes only support https://www.googleapis.com/auth/cloud-platform or https://www.googleapis.com/auth/cloud-platform.read-only.

For applications that require narrow permissions service accounts with limited IAM permissions are the expected way to limit access. There's a little "delegated request permissions with short-lived token" dance you can do to exchange one kind of credentials for the credentials of a service account with limited permissions. https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-delegated
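As an added example (not part of this issue or of the pydata-google-auth project), the delegation described above using the google-auth library's impersonated_credentials module: the user signs in once with the broad cloud-platform scope the app is verified for, then exchanges that credential for a short-lived token belonging to a least-privilege service account, restricted to the storage scope. The service-account address is a placeholder, and the 3600-second ceiling is the IAM Credentials API default lifetime.

```python
"""Delegated short-lived token dance (added example, not project code)."""

BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/cloud-platform.read-only",
}
STORAGE_SCOPE = "https://www.googleapis.com/auth/devstorage.read_write"
MAX_LIFETIME_SECONDS = 3600  # IAM Credentials API default ceiling


def check_narrow_scopes(target_scopes, lifetime_seconds):
    """Fail closed if the delegated token would not actually be narrower
    than the source credential: no project-wide scopes, bounded lifetime.
    Returns the de-duplicated scope list."""
    scopes = list(dict.fromkeys(target_scopes))
    if not scopes:
        raise ValueError("at least one target scope is required")
    broad = sorted(BROAD_SCOPES.intersection(scopes))
    if broad:
        raise ValueError(f"delegated token must not carry broad scopes: {broad}")
    if not 0 < lifetime_seconds <= MAX_LIFETIME_SECONDS:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    return scopes


def storage_credentials_via_service_account(target_sa_email, lifetime_seconds=900):
    """User signs in with the broad scope, then impersonates a service
    account that holds only the storage IAM roles needed."""
    import pydata_google_auth
    from google.auth import impersonated_credentials

    scopes = check_narrow_scopes([STORAGE_SCOPE], lifetime_seconds)
    # The user must hold roles/iam.serviceAccountTokenCreator on the target SA.
    user_creds = pydata_google_auth.get_user_credentials(
        ["https://www.googleapis.com/auth/cloud-platform"])
    return impersonated_credentials.Credentials(
        source_credentials=user_creds,
        target_principal=target_sa_email,
        target_scopes=scopes,
        lifetime=lifetime_seconds,
    )


if __name__ == "__main__":
    # Placeholder service account; replace with one in your project.
    creds = storage_credentials_via_service_account(
        "gcs-reader@YOUR_PROJECT.iam.gserviceaccount.com")
    print(creds.service_account_email)
```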

tswast commented 2 years ago

That all said, I can request "https://www.googleapis.com/auth/devstorage.read_write" permissions for the pydata-google-auth app. I'll just need to provide sufficient justification and check that our privacy policy is up-to-date.

martindurant commented 2 years ago

most of the products in https://developers.google.com/identity/protocols/oauth2/scopes only support https://www.googleapis.com/auth/cloud-platform

That's probably good enough for me.

tswast commented 2 years ago

Looks like I need to re-submit for verification anyway. Somehow it lost it.

martindurant commented 2 years ago

Please let me know when this happens.