Switch from SignJwt to GenerateAccessToken
Issue description

LUCI code currently uses the SignJwt call [1] to sign a claim set using the service account's keys. The signed JWT is then sent to /oauth2/v4/token to grab an access token for the service account. There's now a better API that returns a token right away: GenerateAccessToken [2]. We should switch to it.

Relevant code: https://chromium.googlesource.com/infra/luci/luci-go/+/5b21993e3e7760662e5f0277d794ffd5def10b69/server/auth/actor.go#101

Looks like the new API supports setting a custom token expiration time (/oauth2/v4/token always returned 1h tokens regardless of what is sent in the claim set). Can we also confirm it indeed works (e.g. we can actually get tokens that live for 10 min)? It may be useful later to tighten the lifetime of tokens we hand out to LUCI tasks.

[1] https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt
[2] https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken
Oct 10

Oct 10
The following revision refers to this bug: https://chromium.googlesource.com/infra/luci/luci-go.git/+/7f44c68e2dbf0c790ca78cad3cb0232e428e17c1

commit 7f44c68e2dbf0c790ca78cad3cb0232e428e17c1
Author: Felix Matenaar <fmatenaar@chromium.org>
Date: Wed Oct 10 21:28:00 2018

[auth] Use new IAM generateAccessToken API to obtain OAuth tokens

Previous code used a 2-step flow involving the creation of a JWT for which an OAuth token is then obtained. New code uses the generateAccessToken API, which takes a service account and scopes as input and directly generates an OAuth token.

R=vadimsh@chromium.org
BUG= 891092
Change-Id: Iee50b2c628fb9a967f032dd16c09fa53acfef972
Reviewed-on: https://chromium-review.googlesource.com/c/1266240
Commit-Queue: Felix Matenaar <fmatenaar@chromium.org>
Reviewed-by: Vadim Shtayura <vadimsh@chromium.org>

[modify] https://crrev.com/7f44c68e2dbf0c790ca78cad3cb0232e428e17c1/auth/internal/iam.go
[delete] https://crrev.com/da86e63132f33771ab628b10d2bc8e874cedeccc/common/gcloud/googleoauth/token.go
[delete] https://crrev.com/da86e63132f33771ab628b10d2bc8e874cedeccc/common/gcloud/googleoauth/token_test.go
[modify] https://crrev.com/7f44c68e2dbf0c790ca78cad3cb0232e428e17c1/common/gcloud/iam/client.go
[modify] https://crrev.com/7f44c68e2dbf0c790ca78cad3cb0232e428e17c1/common/gcloud/iam/client_test.go
[modify] https://crrev.com/7f44c68e2dbf0c790ca78cad3cb0232e428e17c1/server/auth/actor.go
[modify] https://crrev.com/7f44c68e2dbf0c790ca78cad3cb0232e428e17c1/server/auth/actor_test.go
,
Oct 11
The following revision refers to this bug: https://chromium.googlesource.com/infra/luci/luci-go.git/+/5280fed9d0aa6d3cfd0fdd273c5753e9eedce02e

commit 5280fed9d0aa6d3cfd0fdd273c5753e9eedce02e
Author: Felix Matenaar <fmatenaar@chromium.org>
Date: Thu Oct 11 18:45:58 2018

[auth] Use IAM:GenerateAccessToken default lifetime if not set in client

Added omitempty to GenerateAccessToken Lifetime to force a zero duration to use the API's 3600s default expiration on generated tokens.

R=vadimsh@chromium.org
BUG= 891092
Change-Id: Ib8407145536edd28ed331ae77500038e83aa5c87
Reviewed-on: https://chromium-review.googlesource.com/c/1277190
Reviewed-by: Vadim Shtayura <vadimsh@chromium.org>
Commit-Queue: Felix Matenaar <fmatenaar@chromium.org>

[modify] https://crrev.com/5280fed9d0aa6d3cfd0fdd273c5753e9eedce02e/common/gcloud/iam/client.go
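Added example, not LUCI's code and not taken from either commit above: a minimal Go caller for the generateAccessToken REST endpoint that covers both what the issue description asks for (confirming the token really lives for the requested 10 min) and what the second commit fixed (a zero lifetime omits the field so the API's 3600s default applies). GenerateAccessToken, CheckLifetime and NewFakeIAMCredentials are hypothetical names; the fake server, the sample service account and the token string are constructed so the example runs offline. The note that the real call must carry the actor's own bearer token and that the actor needs the Service Account Token Creator role on the target account is general knowledge about the API, not something this bug states.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Bodies of projects.serviceAccounts.generateAccessToken. Lifetime is omitempty so a
// zero duration is left out of the request and the API's 3600s default applies.
type tokenRequest struct {
	Scope    []string `json:"scope"`
	Lifetime string   `json:"lifetime,omitempty"` // proto Duration string, e.g. "600s"
}
type tokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpireTime  string `json:"expireTime"` // RFC 3339
}

// GenerateAccessToken mints a token for serviceAccount with the given scopes via the
// endpoint at baseURL ("https://iamcredentials.googleapis.com" in production) and
// returns it with its expiry. lifetime == 0 omits the field so the API default is used.
// In production hc must attach the actor's own bearer token and the actor needs the
// Service Account Token Creator role on the target account; the fake below checks neither.
func GenerateAccessToken(hc *http.Client, baseURL, serviceAccount string, scopes []string, lifetime time.Duration) (string, time.Time, error) {
	if len(scopes) == 0 || lifetime < 0 {
		return "", time.Time{}, fmt.Errorf("generateAccessToken: need >=1 scope and a non-negative lifetime")
	}
	in := tokenRequest{Scope: scopes}
	if lifetime > 0 {
		in.Lifetime = fmt.Sprintf("%ds", int64(lifetime/time.Second))
	}
	body, _ := json.Marshal(in)
	url := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken", baseURL, serviceAccount)
	resp, err := hc.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		msg, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
		return "", time.Time{}, fmt.Errorf("generateAccessToken: HTTP %d: %s", resp.StatusCode, msg)
	}
	var out tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", time.Time{}, err
	}
	exp, err := time.Parse(time.RFC3339, out.ExpireTime)
	if err != nil || out.AccessToken == "" {
		return "", time.Time{}, fmt.Errorf("generateAccessToken: malformed response, expireTime=%q", out.ExpireTime)
	}
	return out.AccessToken, exp, nil
}

// CheckLifetime answers the bug's question: did we really get a token that lives for
// want? slack absorbs clock skew and request latency.
func CheckLifetime(expiry, now time.Time, want, slack time.Duration) error {
	if got := expiry.Sub(now); got < want-slack || got > want+slack {
		return fmt.Errorf("token lifetime %v, want %v (+/- %v)", got, want, slack)
	}
	return nil
}

// NewFakeIAMCredentials is a constructed stand-in for the real endpoint so the example
// runs offline: it honours a valid "lifetime" and otherwise falls back to 3600s.
func NewFakeIAMCredentials(now func() time.Time) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in tokenRequest
		if json.NewDecoder(r.Body).Decode(&in) != nil || len(in.Scope) == 0 {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		lifetime := 3600 * time.Second
		if d, err := time.ParseDuration(in.Lifetime); err == nil && d > 0 {
			lifetime = d
		}
		json.NewEncoder(w).Encode(tokenResponse{
			AccessToken: "ya29.constructed-example-token",
			ExpireTime:  now().Add(lifetime).UTC().Format(time.RFC3339),
		})
	}))
}

func main() {
	srv := NewFakeIAMCredentials(time.Now)
	defer srv.Close()
	sa := "task-account@example-project.iam.gserviceaccount.com" // hypothetical account
	_, exp, err := GenerateAccessToken(srv.Client(), srv.URL, sa, []string{"https://www.googleapis.com/auth/userinfo.email"}, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	if err := CheckLifetime(exp, time.Now(), 10*time.Minute, 30*time.Second); err != nil {
		panic(err)
	}
	fmt.Println("10 min token confirmed, expires", exp.Format(time.RFC3339))
}
```

To run the same check against the real service, point baseURL at https://iamcredentials.googleapis.com and give hc a transport that adds the actor's Authorization header; CheckLifetime with a small slack is then the "we actually get tokens that live for 10 min" confirmation the description asks for.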
Oct 12
Comment 1 by fmatenaar@chromium.org, Oct 8