{
  "commit": "6b3c2da341f1ae337c2ca717bfb1cfef01aeed9b",
  "tree": "10ade54caa048207311d70bc498e29faca3f4d0b",
  "parents": [
    "2bc19b11175fd0ae72c59c53fa45eff3f93d6a46"
  ],
  "author": {
    "name": "Ryan Kohler",
    "email": "ryankohler@google.com",
    "time": "Tue Oct 05 14:39:06 2021 +0000"
  },
  "committer": {
    "name": "Cody Oss",
    "email": "codyoss@google.com",
    "time": "Tue Oct 05 18:02:43 2021 +0000"
  },
  "message": "google/externalaccount: add support for workforce pool credentials\n\nWorkforce pools (external account credentials for non-Google users) are\norganization-level resources which means that issued workforce pool tokens\nwill not have any client project ID on token exchange as currently designed.\n\n\"To use a Google API, the client must identify the application to the server.\nIf the API requires authentication, the client must also identify the principal\nrunning the application.\"\n\nThe application here is the client project. The token will identify the user\nprincipal but not the application. This will result in APIs rejecting requests\nauthenticated with these tokens.\n\nNote that passing an x-goog-user-project override header on API request is\nstill not sufficient. The token is still expected to have a client project.\n\nAs a result, we have extended the spec to support an additional\nworkforce_pool_user_project for these credentials (workforce pools) which will\nbe passed when exchanging an external token for a Google Access token. After the\nexchange, the issued access token will use the supplied project as the client\nproject. The underlying principal must still have serviceusage.services.use\nIAM permission to use the project for billing/quota.\n\nThis field is not needed for flows with basic client authentication (e.g. client\nID is supplied). The client ID is sufficient to determine the client project and\nany additionally supplied workforce_pool_user_project value will be ignored.\n\nNote that this feature is not usable yet publicly.\n\nChange-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0\nGitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4\nGitHub-Pull-Request: golang/oauth2#520\nReviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393\nReviewed-by: Cody Oss \u003ccodyoss@google.com\u003e\nReviewed-by: Bassam Ojeil \u003cbojeil@google.com\u003e\nTrust: Cody Oss \u003ccodyoss@google.com\u003e\nTrust: Tyler Bui-Palsulich \u003ctbp@google.com\u003e\nRun-TryBot: Cody Oss \u003ccodyoss@google.com\u003e\nTryBot-Result: Go Bot \u003cgobot@golang.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "422ff1fe34c685badae1493bdb2a24e110607699",
      "old_mode": 33188,
      "old_path": "google/google.go",
      "new_id": "41ced10acdf13299034d23e56dad5cf99dcfced1",
      "new_mode": 33188,
      "new_path": "google/google.go"
    },
    {
      "type": "modify",
      "old_id": "dab917f39ef20bb873841e763e89c32214b72e00",
      "old_mode": 33188,
      "old_path": "google/internal/externalaccount/basecredentials.go",
      "new_id": "a1e36c0c70064b0aea48ac6e753891dd73efadd1",
      "new_mode": 33188,
      "new_path": "google/internal/externalaccount/basecredentials.go"
    },
    {
      "type": "modify",
      "old_id": "b1131d69741bf59486f6c085e92c95efd53d0ab1",
      "old_mode": 33188,
      "old_path": "google/internal/externalaccount/basecredentials_test.go",
      "new_id": "5aa0d4677a9c2c1fc017f5c6b38bd075254a73a2",
      "new_mode": 33188,
      "new_path": "google/internal/externalaccount/basecredentials_test.go"
    }
  ]
}