A set of custom plugins for Google Authentication Library
Project description
Google Auth Plugins Python Library
This library (built on top of Google's official SDK) aims to provide features that the standard library does not implement, for whatever reason.
A common reason is that the feature is not a priority on the SDK's roadmap.
⚠️ This project doesn't want or plan to replace the official SDK but rather to be a space for experimentation providing beta features (because security does have to wait).
I hope that the features available in this repo will be integrated in the official library for the common good.
Main difference with google-auth
For security reasons, this project will always drop support for a Python version as soon as its security support ends.
As an example, version 2.16.1 of google-auth, launched on 2023-02-17, still supports Python 3.6^1.
Installation
google-auth-plugins requires Python 3.7 or newer, and can be installed directly via pip:

```sh
python3 -m venv venv && source venv/bin/activate
python -m pip install google-auth-plugins
```
Usage
Domain-wide delegation credentials
A bit of context
As stated in this issue, it is currently not possible to produce delegated credentials via an impersonated identity.
To put it another way, today the only way to obtain those credentials is with a service account key 🤯.
Given the importance of this kind of service account, it makes sense to limit long-term credentials as much as possible in order to protect against leaks.
Domain-wide delegation credentials allow that.
Please find below an example:
```python
import google.auth
from google_auth_plugins import dwd_credentials

target_scopes = ['https://www.googleapis.com/auth/calendar.readonly']
subject = "john.doe@pamplemousse.com"

# The impersonated service account must grant `Service Account Token Creator` to the identity represented by source_credentials
source_credentials, _ = google.auth.default()

delegated_credentials = dwd_credentials.Credentials(
    subject=subject,
    source_credentials=source_credentials,
    target_principal='dwd-impersonated-account@_project_.iam.gserviceaccount.com',
    target_scopes=target_scopes,
)
```
Alternatively, if source_credentials is the service account with domain-wide delegation, you can skip the target_principal definition.

```python
source_credentials, _ = google.auth.default()

delegated_credentials = dwd_credentials.Credentials(
    subject=subject,
    source_credentials=source_credentials,
    target_scopes=target_scopes,
)
```
Finally, you can switch delegated credentials as defined below:
```python
alice_delegated_creds = dwd_credentials.Credentials(
    subject="alice@example.com",
    source_credentials=source_credentials,
    target_scopes=target_scopes,
)

bob_delegated_creds = alice_delegated_creds.with_subject("bob@example.com")
```
Note: this module is heavily inspired by Johannes Passing's blog post 🚀.
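The general keyless delegation flow, as an added sketch that is not this library's code (the page does not show its internals): a claim set naming the user in `sub` is signed through Google's IAM Credentials `signJwt` endpoint, then exchanged at the OAuth token endpoint, so no private key ever exists locally. The function names and sample identities are hypothetical and constructed for illustration.

```python
import json
import time
from urllib.parse import quote, urlencode

TOKEN_URI = "https://oauth2.googleapis.com/token"
IAM_SIGN_JWT = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:signJwt"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # the token endpoint accepts assertions valid for at most one hour


def build_claims(service_account, subject, scopes, now=None, lifetime=MAX_LIFETIME):
    """Claim set of the delegation assertion: iss is the service account, sub the user."""
    if not subject or "@" not in subject:
        raise ValueError("subject must be a user e-mail address")
    if not scopes:
        raise ValueError("at least one scope is required")
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    iat = int(time.time()) if now is None else int(now)
    return {
        "iss": service_account,
        "sub": subject,
        "scope": " ".join(scopes),  # scopes are space-delimited in the assertion
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + lifetime,
    }


def sign_jwt_request(service_account, claims):
    """URL and JSON body for signJwt; the signing key never leaves Google."""
    url = IAM_SIGN_JWT.format(quote(service_account, safe="@"))
    return url, {"payload": json.dumps(claims)}


def token_request_body(signed_jwt):
    """Form body that exchanges the signed assertion for a short-lived access token."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": signed_jwt})


if __name__ == "__main__":
    # Constructed sample identities, not values from the project.
    sa = "dwd-sa@example-project.iam.gserviceaccount.com"
    claims = build_claims(sa, "alice@example.com",
                          ["https://www.googleapis.com/auth/calendar.readonly"])
    print(sign_jwt_request(sa, claims))
```

The caller of `signJwt` needs `Service Account Token Creator` on the service account, which is the same grant the usage example above requires.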
Tests
```sh
make test
```
Hashes for google-auth-plugins-1.0.0.tar.gz

Algorithm | Hash digest
---|---
SHA256 | b38ecf8bfd081f709e5a6f2896db29bafc71ff068d1765d237d5840cefc732a3
MD5 | c603639e4724c1328458e2f1ca744349
BLAKE2b-256 | f37eec4ecfc6dc16c0bbb6abd9cc0aaf006e3ecf88a337ce7cc021071624f2fe

Hashes for google_auth_plugins-1.0.0-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | a2cf382b6d1bcf9cfdd9a715d1ff4ed1b9d7cb5412b370980925d9f72cd15024
MD5 | 611baa5c38743c84bbb7a5a6f086fa83
BLAKE2b-256 | ac8314a1a8179f90afc01c9753b98cc44c58290ce17c9b45e3186db8e85c0721