cloud-sql-nodejs-connector icon indicating copy to clipboard operation
cloud-sql-nodejs-connector copied to clipboard

Published 20 hours ago verified publisher icon GoogleCloudPlatform

Support OAuth2 token

Open ruyadorno opened this issue 2 years ago • 8 comments

Feature Description

A Cloud SQL Node.js Connector user should be able to connect to Cloud SQL Admin APIs using a OAuth2 token.

ruyadorno avatar Mar 21 '23 20:03 ruyadorno

Googler here - https://github.com/firebase/firebase-tools/ is looking to use this connector for some upcoming features, and this would be a extremely helpful feature for us (since most of our users use OAuth2).

joehan avatar Mar 08 '24 17:03 joehan

@joehan thanks for the comment! Will bump priority in that case to move this up the backlog

jackwotherspoon avatar Mar 08 '24 18:03 jackwotherspoon

@joehan This issue might be lacking some details. We recently added support for specifying a GoogleAuth value in #238 with an example usage in the README.

I assume GoogleAuth doesn't satisfy the requirement here? Are you looking for a full OAuth2 flow, or just a way to pass in an OAuth2 token like the Cloud SQL Proxy supports?

enocom avatar Mar 08 '24 21:03 enocom

@enocom - we just need a way to pass in a OAuth2 token, since firebase-tools already implements a full OAuth2 flow. Is there an easy way to do this with the GoogleAuth library that I missed?

joehan avatar Mar 08 '24 22:03 joehan

Have you tried something like this? I haven't tested this, and am just following the types, so this might be wrong.


import {JWT} from 'google-auth-library';
import {Connector} from '@google-cloud/cloud-sql-connector';

const jwt = new JWT({});
jwt.fromAPIKey("token goes here");

const connector = new Connector({
  auth: jwt
});

enocom avatar Mar 13 '24 19:03 enocom

@enocom That didn't quite work - JWT.fromAPIKey expects a API key, but we have a access token. I spent a fair bit of time playing with google-auth-library, and AFAICT, there isn't a way to go from access token -> AuthClient. This makes sense, as the purpose of the AuthClient is to get access tokens.

We could implement a 'dummy' authclient that just returns the access_token we already have, but a simple way to just pass a access token to the connector would be much cleaner for us.

I'm going to keep hacking around to see if I can get something working, and I'll update here if I do.

joehan avatar Mar 18 '24 18:03 joehan

Hey all, we ended up finding a solution that worked for us by implementing our own AuthClient and passing it into the Connector. Feel free to deprioritize this if needed - our current solution is probably a bit more brittle, but definitely does what we need.

joehan avatar Mar 22 '24 21:03 joehan

Thanks, @joehan. This is on our list, but below a number of high priority items.

enocom avatar Apr 01 '24 15:04 enocom