grpc
/
grpc-go
mirror of https://github.com/grpc/grpc-go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Revert "credentials: allow audience to be configured (#8421) (#8442)" (#8450) 

This reverts commit 7208cdc423.
This commit is contained in:
eshitachandwani 2025-07-16 15:19:22 +05:30 committed by GitHub
parent 52d9f91b2d
commit 0a12fb0d84
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 0 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Documentation/grpc-auth-support.md
View File

@ -58,11 +58,6 @@ Note, the OAuth2 implementation of `grpc.PerRPCCredentials` requires a client to
[grpc.WithTransportCredentials](https://godoc.org/google.golang.org/grpc#WithTransportCredentials) [grpc.WithTransportCredentials](https://godoc.org/google.golang.org/grpc#WithTransportCredentials)
to prevent any insecure transmission of tokens. to prevent any insecure transmission of tokens.
The default behaviour is to strip the gRPC method from the endpoint that is passed to the
`GetRequestMetadata` method of `PerRPCCredentials`. However, this can be overridden to pass
the entire endpoint as required for some JWT implementations by setting the
`GRPC_AUDIENCE_IS_FULL_PATH` environment variable to `"true"`.
# Authenticating with Google # Authenticating with Google
## Google Compute Engine (GCE) ## Google Compute Engine (GCE)

7
internal/envconfig/envconfig.go
View File

@ -80,13 +80,6 @@ var (
// ALTSHandshakerKeepaliveParams is set if we should add the // ALTSHandshakerKeepaliveParams is set if we should add the
// KeepaliveParams when dial the ALTS handshaker service. // KeepaliveParams when dial the ALTS handshaker service.
ALTSHandshakerKeepaliveParams = boolFromEnv("GRPC_EXPERIMENTAL_ALTS_HANDSHAKER_KEEPALIVE_PARAMS", false) ALTSHandshakerKeepaliveParams = boolFromEnv("GRPC_EXPERIMENTAL_ALTS_HANDSHAKER_KEEPALIVE_PARAMS", false)
// AudienceIsFullPath is set if the user expects that the endpoint that
// is passed to the credential helper called by GetRequestMetadata contains
// the full URL rather than excluding the method. This is required as there
// are competing specifications around what endpoint should be specified for
// a JWT audience.
AudienceIsFullPath = boolFromEnv("GRPC_AUDIENCE_IS_FULL_PATH", false)
) )
func boolFromEnv(envVar string, def bool) bool { func boolFromEnv(envVar string, def bool) bool {

5
internal/transport/http2_client.go
View File

@ -39,7 +39,6 @@ import (
"google.golang.org/grpc/internal" "google.golang.org/grpc/internal"
"google.golang.org/grpc/internal/channelz" "google.golang.org/grpc/internal/channelz"
icredentials "google.golang.org/grpc/internal/credentials" icredentials "google.golang.org/grpc/internal/credentials"
"google.golang.org/grpc/internal/envconfig"
"google.golang.org/grpc/internal/grpclog" "google.golang.org/grpc/internal/grpclog"
"google.golang.org/grpc/internal/grpcsync" "google.golang.org/grpc/internal/grpcsync"
"google.golang.org/grpc/internal/grpcutil" "google.golang.org/grpc/internal/grpcutil"
@ -646,10 +645,6 @@ func (t *http2Client) createAudience(callHdr *CallHdr) string {
// Construct URI required to get auth request metadata. // Construct URI required to get auth request metadata.
// Omit port if it is the default one. // Omit port if it is the default one.
host := strings.TrimSuffix(callHdr.Host, ":443") host := strings.TrimSuffix(callHdr.Host, ":443")
if envconfig.AudienceIsFullPath {
return "https://" + host + callHdr.Method
}
pos := strings.LastIndex(callHdr.Method, "/") pos := strings.LastIndex(callHdr.Method, "/")
if pos == -1 { if pos == -1 {
pos = len(callHdr.Method) pos = len(callHdr.Method)

56
test/creds_test.go
View File

@ -32,7 +32,6 @@ import (
"google.golang.org/grpc/connectivity" "google.golang.org/grpc/connectivity"
"google.golang.org/grpc/credentials" "google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure" "google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/internal/envconfig"
"google.golang.org/grpc/internal/testutils" "google.golang.org/grpc/internal/testutils"
"google.golang.org/grpc/metadata" "google.golang.org/grpc/metadata"
"google.golang.org/grpc/resolver" "google.golang.org/grpc/resolver"
@ -544,58 +543,3 @@ func (s) TestServerCredsDispatch(t *testing.T) {
t.Errorf("Read() = %v, %v; want n>0, <nil>", n, err) t.Errorf("Read() = %v, %v; want n>0, <nil>", n, err)
} }
} }
type audienceTestCreds struct{}
func (a *audienceTestCreds) GetRequestMetadata(_ context.Context, uri ...string) (map[string]string, error) {
var endpoint string
if len(uri) > 0 {
endpoint = uri[0]
}
return nil, status.Error(codes.Unknown, endpoint)
}
func (a *audienceTestCreds) RequireTransportSecurity() bool { return false }
func (s) TestGRPCMethodInAudienceWhenEnvironmentSet(t *testing.T) {
te := newTest(t, env{name: "method-in-audience", network: "tcp"})
te.userAgent = testAppUA
te.startServer(&testServer{security: te.e.security})
defer te.tearDown()
cc := te.clientConn(grpc.WithPerRPCCredentials(&audienceTestCreds{}))
tc := testgrpc.NewTestServiceClient(cc)
tests := []struct {
name string
endpoint string
audienceIsFullPath bool
}{
{
name: "full-path-sent",
endpoint: fmt.Sprintf("https://%s/grpc.testing.TestService/EmptyCall", te.srvAddr),
audienceIsFullPath: true,
},
{
name: "method-omitted",
endpoint: fmt.Sprintf("https://%s/grpc.testing.TestService", te.srvAddr),
audienceIsFullPath: false,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
testutils.SetEnvConfig(t, &envconfig.AudienceIsFullPath, test.audienceIsFullPath)
ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
defer cancel()
if _, err := tc.EmptyCall(ctx, &testpb.Empty{}); status.Convert(err).Message() != test.endpoint {
t.Fatalf("ss.client.EmptyCall(_, _) = _, %v; want _, _.Message()=%q", err, test.endpoint)
}
if _, err := tc.EmptyCall(ctx, &testpb.Empty{}, grpc.WaitForReady(true)); status.Convert(err).Message() != test.endpoint {
t.Fatalf("ss.client.EmptyCall(_, _) = _, %v; want _, _.Message()=%q", err, test.endpoint)
}
})
}
}