googleapis / google-auth-library-java
Open source Auth client library for Java
Home Page: https://developers.google.com/identity
License: BSD 3-Clause "New" or "Revised" License
The DefaultCredentialProvider in google-api-java-client allows for specifying the GCE metadata server address using the GCE_METADATA_HOST environment variable.
The golang google cloud library seems to offer the same capability.
https://godoc.org/cloud.google.com/go/compute/metadata#Get
It would be useful if google-auth-library-java supported this as well.
The commit implementing this in google-api-java-client: googleapis/google-api-java-client@7bb680f
I am writing the below code to connect to a Pub-Sub Subscriber.
ServiceAccountCredentials servicecreds= ServiceAccountCredentials.fromStream(new FileInputStream("*.json"));
CredentialsProvider creds= FixedCredentialsProvider.create(servicecreds);
subscriber=Subscriber.newBuilder(subscription, new MessageReceiverExample()).setCredentialsProvider(creds).build();
I am getting "UnAuthenticatedException" when I am trying to listen via Subscriber. The code works if I use defaultApplicationCredentials(). But my requirement needs me to connect via the JSON file and not set environment variables.
Hi,
I am trying to check whether a google big query table exists.
I instantiated Credentials object as follows:
Credentials c = new ServiceAccountJwtAccessCredentials(
"client ID",
"client email",
privateKey,
"private key id");
BigQueryOptions bqo = BigQueryOptions
.newBuilder()
.setCredentials(c)
.setProjectId("project ID")
.build();
BigQuery bq = bqo.getService();
TableId id = TableId.of("dataset name", "table name");
Table t = bq.getTable(id);
System.out.println("table exists()? : " + t.exists());
I am getting the following exception:
Exception in thread "main" com.google.cloud.bigquery.BigQueryException: JwtAccess requires Audience uri to be passed in or the defaultAudience to be specified
at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.translate(HttpBigQueryRpc.java:86)
at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.getTable(HttpBigQueryRpc.java:227)
at com.google.cloud.bigquery.BigQueryImpl$11.call(BigQueryImpl.java:378)
at com.google.cloud.bigquery.BigQueryImpl$11.call(BigQueryImpl.java:375)
at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:94)
at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:54)
at com.google.cloud.bigquery.BigQueryImpl.getTable(BigQueryImpl.java:375)
at com.syed.googlecloudstorage.InstantiateStorage.doSecondJob(InstantiateStorage.java:147)
at com.syed.googlecloudstorage.InstantiateStorage.main(InstantiateStorage.java:131)
Caused by: java.io.IOException: JwtAccess requires Audience uri to be passed in or the defaultAudience to be specified
at com.google.auth.oauth2.ServiceAccountJwtAccessCredentials.getRequestMetadata(ServiceAccountJwtAccessCredentials.java:257)
at com.google.auth.http.HttpCredentialsAdapter.initialize(HttpCredentialsAdapter.java:96)
at com.google.cloud.http.HttpTransportOptions$1.initialize(HttpTransportOptions.java:157)
at com.google.api.client.http.HttpRequestFactory.buildRequest(HttpRequestFactory.java:93)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.buildHttpRequest(AbstractGoogleClientRequest.java:300)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.getTable(HttpBigQueryRpc.java:225)
... 7 more
Any clues? Can somebody help me on what possible values I can supply for audience uri? Any steps to know that? Please.
The implementation of ComputeEngineCredentials does not support scope, which makes ComputeEngineCredential.createScoped not attach scope as expected. This is causing errors when working with Drive scopes on GAE java8 and GCE (e.g. this BigQuery auth issue). Consider adding support for scope in ComputeEngineCredentials.
With GAE java 8 standard runtime, GCE metadata server is used to retrieve credentials. However, unlike google.appengine.api.app_identity.sign_blob(), the metadata server is not able to sign GCS blobs (discussion captured here and here). It seems the timeline for the metadata server to enable signing is not clear. This currently blocks the java storage client library from running on GAE java 8 standard (googleapis/google-cloud-java#2629). Auth lib should implement IAM signer to provide a workaround (as python auth lib did: googleapis/google-auth-library-python#108)
Exception in thread "main" java.io.IOException: The Application Default Credentials are not available. They are available if running on Google App Engine, Google Compute Engine, or Google Cloud Shell. Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
at com.google.api.client.googleapis.auth.oauth2.DefaultCredentialProvider.getDefaultCredential(DefaultCredentialProvider.java:98)
at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.getApplicationDefault(GoogleCredential.java:213)
at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.getApplicationDefault(GoogleCredential.java:191)
at com.google.cloud.vision.samples.label.LabelApp.getVisionService(LabelApp.java:100)
at com.google.cloud.vision.samples.label.LabelApp.main(LabelApp.java:73)
BUILD FAILURE
An access token can become invalid separately from its expiration time due to a clock mismatch or other scenarios. If a request fails because the access token is invalid, the adapter should call refresh() to discard the token and retry the request a single time. See google-api-java-client for a reference implementation.
I get this error:
Error:(1, 0) You appear to have guava-jdk5 on your project buildScript or buildSrc classpath.
This is likely a transitive dependency of another gradle plugin.Run the buildEnvironment task to find out more.
See https://issuetracker.google.com/38419426#comment8 for a workaround.
Open File
My build.gradle is:
apply plugin: 'com.android.application'
apply plugin: 'org.greenrobot.greendao'
apply plugin: 'com.google.firebase.firebase-crash'
apply plugin: 'me.tatarka.retrolambda'
android {
compileSdkVersion 25
buildToolsVersion "25.0.2"
defaultConfig {
applicationId "com.digitaldna.courier"
minSdkVersion 16
targetSdkVersion 25
versionCode 3
versionName "1.3"
testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
multiDexEnabled true
}
signingConfigs {
debug {
storeFile file("./debug.keystore")
storePassword "android"
keyAlias "androiddebugkey"
keyPassword "android"
}
release {
storeFile file("./debug.keystore")
storePassword "android"
keyAlias "androiddebugkey"
keyPassword "android"
}
}
buildTypes {
debug {
applicationIdSuffix ".debug"
minifyEnabled false
debuggable true
signingConfig signingConfigs.debug
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
buildConfigField "String", "ENDPOINT", '"https://beta-api.1temiz.com"'
}
stage {
applicationIdSuffix ".stage"
minifyEnabled false
debuggable true
signingConfig signingConfigs.debug
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
buildConfigField "String", "ENDPOINT", '"https://api.1temiz.com"'
}
release {
applicationIdSuffix ".prod"
minifyEnabled true
debuggable false
signingConfig signingConfigs.release
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
buildConfigField "String", "ENDPOINT", '"https://api.1temiz.com"'
}
}
compileOptions {
sourceCompatibility JavaVersion.VERSION_1_8
targetCompatibility JavaVersion.VERSION_1_8
}
// for jenkins
packagingOptions {
exclude 'META-INF/NOTICE' // It is not include NOTICE file
exclude 'META-INF/LICENSE' // It is not include LICENSE file
}
// for jenkins
lintOptions {
abortOnError false
}
}
dependencies {
def supportLibraryVersion = "25.2.0"
def retrofitVersion = "2.1.0"
def playService = '10.2.0'
def jacksonVersion = "2.8.6"
compile fileTree(dir: 'libs', include: ['*.jar'])
androidTestCompile('com.android.support.test.espresso:espresso-core:2.2.2', {
exclude group: 'com.android.support', module: 'support-annotations'
})
testCompile 'junit:junit:4.12'
// support library
compile "com.android.support:appcompat-v7:$supportLibraryVersion"
compile "com.android.support:design:$supportLibraryVersion"
compile "com.android.support:support-v4:$supportLibraryVersion"
compile "com.android.support:cardview-v7:$supportLibraryVersion"
// retrofit
compile "com.squareup.retrofit2:retrofit:$retrofitVersion"
compile "com.squareup.retrofit2:converter-jackson:$retrofitVersion"
compile "com.squareup.retrofit2:adapter-rxjava:$retrofitVersion"
// Jackson
compile "com.fasterxml.jackson.core:jackson-core:$jacksonVersion"
compile "com.fasterxml.jackson.core:jackson-annotations:$jacksonVersion"
compile "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion"
compile 'com.squareup.okhttp3:logging-interceptor:3.3.0'
// rxjava
compile 'io.reactivex:rxjava:1.1.6'
compile 'io.reactivex:rxandroid:1.2.1'
compile 'com.artemzin.rxjava:proguard-rules:1.1.0.0'
// glide
compile 'com.github.bumptech.glide:glide:3.7.0'
compile 'jp.wasabeef:glide-transformations:2.0.1'
// play services
compile "com.google.android.gms:play-services-base:$playService"
compile "com.google.android.gms:play-services-location:$playService"
//firebase
compile "com.google.firebase:firebase-core:$playService"
compile "com.google.firebase:firebase-crash:$playService"
compile "com.google.firebase:firebase-messaging:$playService"
compile "com.google.firebase:firebase-appindexing:$playService"
compile 'com.firebase:firebase-jobdispatcher:0.5.2'
// multidex
compile 'com.android.support:multidex:1.0.1'
// stetho
compile 'com.facebook.stetho:stetho:1.4.2'
// google maps
compile "com.google.android.gms:play-services-maps:$playService"
//sticky header
compile 'org.zakariya.stickyheaders:stickyheaders:0.7.6'
// bootstrap includes
compile project(path: ':core')
compile project(path: ':mvp-loader')
compile project(path: ':permissionmanager')
compile project(path: ':validators')
compile project(path: ':database')
compile project(path: ':passwordindicator')
compile project(path: ':orderstatus')
compile project(path: ':notificationscount')
compile project(path: ':lineweekchart')
compile project(path: ':numbercircle')
}
apply plugin: 'com.google.gms.google-services'
There is https://stackoverflow.com/questions/47262150/commanderror-you-appear-to-have-guava-jdk5-on-your-project-buildscript-or-build
but its resolution doesn't work for me, I have "no classpath ('com.google.firebase:firebase-plugins:1.0.5') " to add "exclude group"
PLEASE HELP how to fix it.
The current HttpCredentialsAdapter will refresh the token if it detects that it has expired on the client side. However, the token can be invalidated or expire earlier than this due to clock differences. The adapter should also detect this case, refresh the token and retry the request.
As a reference, the equivalent credential class in the V1 library does this:
https://github.com/google/google-oauth-java-client/blob/dev/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/Credential.java
It will require the HttpCredentialsAdapter to implement the HttpUnsuccessfulResponseHandler interface.
The interface of OAuth2Credentials does not allow an external class to know the expiration time of the currently cached access token. This prevents implementation of asynchronous refresh patterns.
Currently callers must use credentials.getRequestMetadata() which will block if the token has expired. This is not ideal for high-performance clients.
Add support for the GAE built-in service account, aka. App Identity. Also, add support to Application Default Credentials for detecting this environment and automatically using this identity.
As reported in googleapis/google-cloud-java#1545, users have seen failures in ServiceAccountCredentials.refreshAccessToken, which has no retries on the http call. These failures should be retried.
java.io.IOException: Error getting access token for service account:
at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:319)
at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149)
at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135)
at com.google.auth.http.HttpCredentialsAdapter.initialize(HttpCredentialsAdapter.java:96)
at com.google.cloud.HttpServiceOptions$1.initialize(HttpServiceOptions.java:224)
at com.google.api.client.http.HttpRequestFactory.buildRequest(HttpRequestFactory.java:93)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:423)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
at com.google.cloud.storage.spi.DefaultStorageRpc.create(DefaultStorageRpc.java:245)
... 10 more
Caused by: java.net.SocketTimeoutException: connect timed out
...
The JWT Access Credentials should temporarily cache JWTs. Suggested algorithm:
Remove references to anything that is not in all versions of that version range.
This might already be true, but it needs to be verified.
cc @lesv
DefaultCredentialsProvider is detecting App Engine when running on App Engine Flex compat mode. Since GAE Flex is based on GCE VMs, it would be better if it used ComputeEngineCredentials when running on Flex.
The App Engine check is here:
https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java#L211
In DefaultCredentialsProvider.getWellKnownCredentialsFile(), the environment variable CLOUDSDK_CONFIG isn't checked. Instead, it assumes that the .config directory is in home. If the CLOUDSDK_CONFIG environment variable is set, that should be used instead of home. This would be consistent with the issue reported in the python equivalent of this library (see this issue).
As a result of not checking CLOUDSDK_CONFIG, users can see issues like this if they install Cloud SDK in a non-default location.
Credentials.getRequestMetadata(URI) is passed a URI defined as "the entry point for the request". What does that mean?
To be in sync with grpc/grpc#2911 and work with the current ServiceAccountJwtAccessCredentials, the URI passed would need to exclude the gRPC method name. But given the credential API, I would more expect the URI to be the request URI, which would include the method name.
Is it possible for "entry point" to be better defined?
We should have some functionality to verify JWT's.
General validation of jwt
Validation of a Google JWT
(Get and cache Google's certificates - validate: iss, iat?, & exp)
Validation of a Firebase JWT
(get and cache Firebase certificates, validate: iss, iat, & exp)
Validate Identity provider tokens as well. (FB, Twitter, Github, etc.)
Looking up application default credentials on a GCE VM can fail due to the VM metadata server being unavailable during VM launch. This is a rare event, but Google Cloud Dataflow customers hit this rare case one or two times a month due to the sheer number of VMs. GCE attempted to mitigate VM metadata server unavailability but was only able to reduce it by an order of magnitude, thus we need support from the client to retry. Additionally, when contacting the GCE VM metadata server, we should be using the fixed IP address, avoiding the nameserver lookup (another potential point of failure).
Problem area in the code:
https://github.com/google/google-auth-library-java/blob/b94f8e4d02bf6917af2e2f7ef8d7114a51dbcfa8/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java#L261
Note that the code in this library and the Apiary auth support code are very similar. The fix was done within the Apiary auth code (note the use of the static IP address and also the presence of a fixed number of retries):
https://github.com/google/google-api-java-client/blob/4fc8c099d9db5646770868cc1bc9a33c9225b3c7/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/OAuth2Utils.java#L74
It turned out that the fixes resulted in zero future customer contacts about this issue.
From feedback from initial port:
You also need license headers in the java files.
PR's #94 & #144 both want to find a way to improve ADC for non-google cloud providers.
The ADC algorithm is defined to:
We should see if there is a way to safely and securely inject a secret like a service account JSON into a container running on another cloud platform. (item 3 above).
@jonparrott said: environment variables should not be used to hold secrets.
This is a very important item for us. We are trying to get to the point where docker containers can run anywhere, on GCP, on a competing cloud provider, in their own datacenter, or locally on their laptop with just a change in the configuration.
Currently the com.google.auth.oauth2.ServiceAccountCredentials class does not handle the project_id field available in Google service account JSON files. It would be useful if the credential could read this field and expose it via a new getProjectId() method.
Use case: We want to use this library within some Firebase SDKs, and we (in some situations) need to know the project ID along with the credential.
Implement the ID Token auth mechanism, where a signed JWT is attached to each request.
Would improve usability to support GoogleCredentials.createScope(String... scopes)
After updating google-auth-libraries to 0.3.0, we noticed the following stacktrace when using application default credentials:
com.google.gcloud.RetryHelper$NonRetriableException: java.lang.NullPointerException
at com.google.gcloud.RetryHelper.doRetry(RetryHelper.java:193)
at com.google.gcloud.RetryHelper.runWithRetries(RetryHelper.java:247)
at com.google.gcloud.RetryHelper.runWithRetries(RetryHelper.java:237)
at com.google.gcloud.storage.StorageImpl.listBuckets(StorageImpl.java:291)
at com.google.gcloud.storage.StorageImpl.list(StorageImpl.java:285)
at com.examples.example.Main.main(Main.java:19)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:293)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at com.google.auth.http.HttpCredentialsAdapter.initialize(HttpCredentialsAdapter.java:61)
at com.google.gcloud.ServiceOptions$1.initialize(ServiceOptions.java:513)
at com.google.api.client.http.HttpRequestFactory.buildRequest(HttpRequestFactory.java:93)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.buildHttpRequest(AbstractGoogleClientRequest.java:300)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
at com.google.gcloud.spi.DefaultStorageRpc.list(DefaultStorageRpc.java:155)
at com.google.gcloud.storage.StorageImpl$6.call(StorageImpl.java:295)
at com.google.gcloud.storage.StorageImpl$6.call(StorageImpl.java:292)
at com.google.gcloud.RetryHelper.doRetry(RetryHelper.java:181)
I think the issue was introduced in this commit. Also see https://github.com/google/google-auth-library-java/blame/master/oauth2_http/java/com/google/auth/http/HttpCredentialsAdapter.java#L61
The HTTP client's request factory seems to initialize the request before it sets the URL.
Something like LocalServerReceiver in google-oauth-client.
This would satisfy the Identity-aware Proxy use case as well as a few other niche cases that have come up.
Context:
https://gist.github.com/jonparrott/cffca2fa7881e03fbe6ff7c25773c9cf
https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/make_iap_request.py#L121
See googleapis/google-auth-library-python#130 for additional context.
In order for us to expose google-auth-library-java classes in google-cloud-java (thus dropping our AuthCredentials classes), we need Credentials classes to be Serializable.
One of the main obstacles to making Credentials classes serializable is that some of them contain an HttpTransport field, which is not serializable (see ComputeEngineCredentials for instance).
We faced this issue with our HttpServiceOptions classes and introduced the HttpTransportFactory interface:
/**
* A base interface for all {@link HttpTransport} factories.
*
* <p>Implementation must provide a public no-arg constructor. Loading of a factory implementation
* is done via {@link java.util.ServiceLoader}.
*/
public interface HttpTransportFactory {
HttpTransport create();
}
When serializing an option object we only transmit the class name for the transport factory and try to instantiate the factory from its classname upon deserialization.
Do you think something like this could be done for Credentials classes as well? Opinions are welcome.
Readme should be a bit more detailed, including:
See https://github.com/GoogleCloudPlatform/Template for suggested outline.
Should we set up Travis or similar CIs for this project?
When using Application Default Credentials from App Engine, both on the local development server (after logging in via gcloud auth login) and in production, I get the following error message:
java.io.IOException: The Application Default Credentials are not available. They are available if running in Google Compute Engine. Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
Based on that website, it seems like the behavior should be that the SDK credentials are used in the local development server and the App Engine credentials should be provided without setting the GOOGLE_APPLICATION_CREDENTIALS environment variable.
Similar to googleapis/google-cloud-java#1883
I'm working on some samples to do specific authentication flows, and I'd like to link to the classes used in cloud.google.com documentation, but would rather link to the latest version of the API docs instead of a specific version.
It works if you call refreshAccessToken(). We should either:
refreshAccessToken() instead
getAccessToken() that it might not work.
getAccessToken() call refreshAccessToken() when nothing is cached. (ie null)
Is there a reason that UserCredentials' member variables don't have public getters? It would be useful to have getters like in ServiceAccountCredentials.
Types like ServiceAccountCredentials handle lists of scopes. The types are effectively immutable, so for safety, all types taking collections of scopes should use ImmutableList.copy(scopes).
Hello all.
I was routed here from the google-doubleclick-ad-exchange-buyer-api group for an OAuth auto-refresh issue. https://groups.google.com/forum/#!topic/google-doubleclick-ad-exchange-buyer-api/ptf3-LO-2Jc
I saw "GoogleCredential takes care of automatically "refreshing" the token" state from below page.
https://developers.google.com/api-client-library/java/google-api-java-client/oauth2
I wrote below but it doesn't refresh token automatically.
String token = ...;
TokenResponse tokenResponse = JacksonFactory.getDefaultInstance().fromString(token, TokenResponse.class);
tokenResponse.setRefreshToken("CCCCC");
Credential credential = new GoogleCredential.Builder().setJsonFactory(JacksonFactory.getDefaultInstance())
.setTransport(GoogleNetHttpTransport.newTrustedTransport())
.setClientSecrets("XXXX", "XXXX")
.build().setFromTokenResponse(tokenResponse);
AdExchangeBuyerII buyer = new AdExchangeBuyerII.Builder(new NetHttpTransport(), JacksonFactory.getDefaultInstance(), credential).setApplicationName("").build();
Originally, I set refreshToken on GoogleCredential, but I changed it to set it on TokenResponse after Mark's suggestion. But neither of them works.
I also added CredentialRefreshListener() to check whether a refresh request is sent, but I can't see anything.
Could you let me know whether my code needs to be updated or whether it is a bug in the auth library?
The API docs URL given in index.md is outdated: http://google.github.io/google-auth-library-java/releases/0.7.1/apidocs/
It doesn't look like the API docs of the last release (v0.8.0) are published anywhere. Please publish the latest API docs, and provide a version-neutral permanent link like http://google.github.io/google-auth-library-java/releases/latest/apidocs/ so downstream projects can easily link to API docs of this library.
We now depend on guava-jdk5:13.0. In both google-cloud-java and gax-java we instead depend on standard guava (version 19 and 18 respectively).
Is there any reason for depending on guava-jdk5? If not excluded (as we do in google-cloud-java), this just results in a bunch of duplicated classes in all projects that use standard guava.
/cc @anthmgoogle @garrettjonesgoogle
OAuth2Credentials has methods refresh(). But there's no method to check if the token is close to expiring and refresh if so. I want to do these few lines, but these methods are private.
My use case is that I have a long-lived GoogleCredentials instance. I only want to refresh when I need to, to minimize unnecessary overhead in making requests to the backend. There are the methods getRequestMetadata() which will essentially do the check and refresh logic, but this method name and parameter is an awkward fit.
Can we expose a new public method in this class that does this?
public void refreshIfExpired() throws IOException {
synchronized(lock) {
if (shouldRefresh()) {
refresh();
}
}
}
@BetaApi or @Internal that we want the flexibility to change later (requires adding a dependency on api-common) - only things unused in google-cloud-java and grpc-auth can be marked this way
While running some tests using the MockTokenServerTransport of the Google API client, I noticed that sometimes GoogleCredentials.getExpirationTime() incorrectly returns timestamps that are several days old. This is what's going on:
MockTokenServerTransport has a bug where it reports the expires_in field in milliseconds (3600000), where it should be seconds. I reported this in their Github repo (googleapis/google-api-java-client#1061).
ServiceAccountCredentials class will encounter an integer overflow, when the backend server reports a large expires_in value:
long expiresAtMilliseconds = clock.currentTimeMillis() + expiresInSeconds * 1000;
If expiresInSeconds is large (say 3600000), this code will overflow, and the resulting timestamp will be in the past.
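The wrap-around described in the report above, as an added Java example (not code from the library or from the reporter). It assumes expiresInSeconds is an int, as the described overflow implies; the method names, MAX_LIFETIME_SECONDS and the fixed clock are constructed for the illustration.

```java
import java.time.Instant;

/**
 * Added illustration of the expires_in overflow; not library code.
 * Assumption: expiresInSeconds is an int, which is what the reported wrap-around implies.
 */
public class ExpiresInOverflowDemo {

    /** Upper bound on an acceptable token lifetime; a constructed policy value for this demo. */
    static final long MAX_LIFETIME_SECONDS = 24L * 60 * 60;

    /** Same expression as quoted in the report: int * int is evaluated in 32 bits, then widened. */
    static long expiresAtWrapping(long nowMillis, int expiresInSeconds) {
        return nowMillis + expiresInSeconds * 1000;
    }

    /** Making one operand a long forces a 64-bit multiplication, so the product cannot wrap here. */
    static long expiresAtWidened(long nowMillis, int expiresInSeconds) {
        return nowMillis + expiresInSeconds * 1000L;
    }

    /**
     * Stricter variant: treat the server-supplied lifetime as untrusted input, reject values
     * outside a plausible range, and use exact arithmetic so an overflow throws instead of wrapping.
     */
    static long expiresAtValidated(long nowMillis, long expiresInSeconds) {
        if (expiresInSeconds <= 0 || expiresInSeconds > MAX_LIFETIME_SECONDS) {
            throw new IllegalArgumentException("implausible expires_in: " + expiresInSeconds);
        }
        return Math.addExact(nowMillis, Math.multiplyExact(expiresInSeconds, 1000L));
    }

    public static void main(String[] args) {
        // Constructed fixed clock so the output is reproducible.
        long now = Instant.parse("2017-06-01T00:00:00Z").toEpochMilli();

        // Constructed expires_in values: a normal hour, the last value whose product fits
        // in an int, the first value that wraps, and the milliseconds-as-seconds value
        // from the report.
        int[] samples = {3600, 2_147_483, 2_147_484, 3_600_000};

        for (int expiresIn : samples) {
            long wrapping = expiresAtWrapping(now, expiresIn);
            long widened = expiresAtWidened(now, expiresIn);

            System.out.printf("expires_in=%d%n", expiresIn);
            System.out.printf("  int arithmetic : %s (%s)%n",
                    Instant.ofEpochMilli(wrapping),
                    wrapping < now ? "expiry is in the past" : "expiry is in the future");
            System.out.printf("  long arithmetic: %s%n", Instant.ofEpochMilli(widened));
            try {
                System.out.printf("  validated      : %s%n",
                        Instant.ofEpochMilli(expiresAtValidated(now, expiresIn)));
            } catch (IllegalArgumentException e) {
                System.out.printf("  validated      : rejected (%s)%n", e.getMessage());
            }
        }
    }
}
```

A token whose computed expiry lands in the past looks expired on every check, so a client that refreshes on expiry will request a new token for each call.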
I'm using spanner java client with gcloud SDK and trying to connect to Google Spanner from machine that uses proxy for internet access.
I have configured gcloud to use my proxy server and it is ok.
I have specified environment variable GRPC_PROXY_EXP and Spanner requests to spanner.googleapis.com go through proxy and it's ok as well.
But spanner sql requests fail with com.google.cloud.spanner.SpannerException: UNAUTHENTICATED
exception because of another error related to OAuth2:
Caused by: java.net.UnknownHostException: accounts.google.com
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:77)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:965)
at com.google.auth.oauth2.UserCredentials.refreshAccessToken(UserCredentials.java:207)
at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149)
at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135)
at io.grpc.auth.GoogleAuthLibraryCallCredentials$1.run(GoogleAuthLibraryCallCredentials.java:110)
... 3 common frames omitted
I went deeper in the code and found that https://github.com/google/google-auth-library-java/blob/0fab63ca9798b78929e52d0313fe54241bda6256/oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java#L64 initializes with default parameters and without any possibility to configure proxy settings.
If you find it reasonable I would be glad to make PR.
The other languages are trying to pickup current / default ProjectID - since SQL v2, bigtable, and other services require .
We possibly may need to get the default zone & region from gcloud config.
It would be helpful to give users the ability to generate a User Credentials JSON file. While this is a feature of Python's auth library, the only way users can get a User Credentials JSON file now is to login using the Google Cloud SDK and then go hunting for it in the configurations directory.
It was released to Maven Central, but the tag is missing in GitHub.
Would it be possible to cut a new release to incorporate #132?
Also, it appears that master has diverged from the released artifacts. Maven central has the artifacts:
While the pom files in this repo still reference 0.7.2-SNAPSHOT and are missing the 0.8.0 tag
Thanks
This is needed for google-auth-library-java and googleapis/google-api-java-client#1037 (creating an issue for both projects):
User's current way:
GoogleCredential googleCredential = new GoogleCredential.Builder()
.setTransport(TRANSPORT).setJsonFactory(JSON_FACTORY)
.setServiceAccountId(emailAddress)
.setServiceAccountPrivateKeyFromP12File(p12File)
.setServiceAccountScopes(scopes)
.setServiceAccountUser(user).build();
Would like to do:
GoogleCredential googleCredential =
GoogleCredential.fromStream(jsonInputStream, TRANSPORT, JSON_FACTORY).createScoped(Collections.singleton(Oauth2Scopes.USERINFO_EMAIL))
Python you just do:
credentials = credentials.create_delegated(user)