Add authorized user authenticator

[FEC-bendingspoons]

I took some ideas from #154 fixing the conflicts in hopes that this will get merged.

Thanks for providing the basis of this library!

[evgeny-yashin]

Can add that I use the original PR #154 and it works. An important missing part in the lib.

[dermesser]

Can add that I use the original PR #154 and it works. An important missing part in the lib.

Thank you for the feedback. It looks like this PR will implement the same features, can you confirm that it would work for your use case?

[dermesser]

Am I right in assuming that this new authenticator deals with application default credentials (as replacements for service account credentials), as described here? https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login

If so, may I propose renaming the types from AuthorizedUser... to ApplicationDefault...? "Authorized User" sounds very generic and can easily cause confusion.

[FEC-bendingspoons]

Am I right in assuming that this new authenticator deals with application default credentials

I am not sure, I read this and it appears to me that with Application Default Credentials is a different thing.

BTW currently inside the library there already are ApplicationDefaultCredentials* types that implement the behaviour I linked above. I chose AuthorizedUser* because in the JSON generated by gcloud there is a "type": "authorized_user" key.

[dermesser]

Am I right in assuming that this new authenticator deals with application default credentials

I am not sure, I read this and it appears to me that with Application Default Credentials is a different thing.

Ok, then I was wrong in assuming that :)

BTW currently inside the library there already are ApplicationDefaultCredentials* types that implement the behaviour I linked above. I chose AuthorizedUser* because in the JSON generated by gcloud there is a "type": "authorized_user" key.

Alright, then it's Google's fault for using such a generic name. I shall be fine with it.

[evgeny-yashin]

Thank you for the feedback. It looks like this PR will implement the same features, can you confirm that it would work for your use case?

Yes, this is the same PRs, this one is just friendly with latest version. I just checked it and was able to login using "authorized_user" key.

Am I right in assuming that this new authenticator deals with application default credentials (as replacements for service account credentials), as described here? https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login

Google Cloud documentation on this part is a bit cloudy, here I think it's a bit clearer:
https://google.aip.dev/auth/4110
According to that, ADC is a strategy to discover authorization automatically, trying a group of authentication algos.

1. GOOGLE_APPLICATION_CREDENTIALS env variable is checked, and if present it can point either to a service key OR authorized_user key (which is created via gcloud auth application-default login).
2. Then it checks for Workflow identity (federation), by navigating to http://metainfo/... (in yup-oauth2 it is done as part of ADC only, not as a separate flow)
3. Checking for the same keys as in 1, but in 'default' locations.

So, ADC is not a flow but a try-this, try-that until authorized. The authorized_user flow is a separate authentication algorithm and, eventually, it should be used as a part of ADC strategy.

[FEC-bendingspoons]

Any update on this?

[dermesser]

Sorry for the delay, my life was a bit busy the last couple days :)

[evgeny-yashin]

Thanks!

What is the project schedule for releases to io.crates?

[dermesser]

As soon as I find the time - I will try to do it later today!