httr

Why does `oauth_service_token()` require an endpoint?

Open jennybc opened this issue 5 years ago • 4 comments

This is a puzzle I've come across in my work on gargle, motivated by fitting it into bigrquery. I have to put it on a shelf but want to record my findings, so I (or someone) can come back to this.

Why does oauth_service_token() absolutely require an endpoint? Why this stop()?

https://github.com/r-lib/httr/blob/307c7df53cd6cb3512764b9e605c1f955587019a/R/oauth-token.r#L315-L317

So far it's not obvious to me where the endpoint is required downstream from here.

I suspect the presence of this stop() is why @craigcitro calls httr::TokenServiceAccount$new() directly here in gargle::credentials_service_account():

https://github.com/r-lib/gargle/blob/dee10df5d1ddc1bdd06e0c3b1f1bade8af8b9246/R/service-account.R#L14-L18

instead of the way @hadley does the same here in bigrquery::set_service_token() by calling httr::oauth_service_token():

https://github.com/r-dbi/bigrquery/blob/c3fa2669ee68727ae3e38c7e27ff2e676ebc2f03/R/auth.R#L80

The current gargle approach is sub-optimal because it also bypasses an important call to the unexported check_scope():

https://github.com/r-lib/httr/blob/307c7df53cd6cb3512764b9e605c1f955587019a/R/oauth-token.r#L322

which collapses a character vector of scopes into a single space-delimited string.

https://github.com/r-lib/httr/blob/af25ebd0e3b72d2dc6e1423242b94efc25bc97cc/R/oauth-init.R#L203-L212

I will just work around this for now in gargle by passing the google endpoint so I can call httr::oauth_service_token() and get the scope processing.

jennybc, Mar 01 '19 18:03

Maybe I made a mistake in https://github.com/r-lib/httr/commit/ffd9f9fa0cc757f84b953397f020503c273ce03f and it should also allow NULL?

hadley, Mar 01 '19 19:03

I think it should allow NULL at the very least. But maybe that argument shouldn't even be there? I'd have to look more closely and maybe learn more about service tokens. But don't they have their own info baked in?

jennybc, Mar 01 '19 19:03

It is also completely possible that I totally misunderstood service tokens.

hadley, Mar 02 '19 14:03

For the Google case, the URI that is put in the JWT and to which the POST is eventually made, when requesting an access token from a service account token, is borne in the token itself (meaning the JSON).

Helpful reading for the Google case: https://developers.google.com/identity/protocols/OAuth2ServiceAccount

I can't say if that is a guarantee for all such tokens? Maybe @craigcitro can.

You can populate endpoint here (you must, in fact, hence this issue), but I'm basically convinced that httr currently never uses it.

The vast majority of httr::oauth_service_token() usage on GitHub is with Google: of ~160 hits, 157 are Google. I see single examples that suggest maybe it's also used with Twitter (?), DigitalOcean, and Azure.

jennybc, Mar 02 '19 16:03
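
Added example (not code from httr, gargle or anyone in this thread): a sketch in R of the Google case described in the comment above, where the JWT's `aud` is read from the `token_uri` field of the key JSON and the scope vector is collapsed to one space-delimited string. The key JSON is constructed, `collapse_scopes()` and `service_claims()` are hypothetical helpers, and the optional `endpoint_access` fallback is an assumption about how a NULL-tolerant endpoint argument could behave.

```r
library(jsonlite)

# Constructed stand-in for a Google service-account key file (placeholders only).
key_json <- '{
  "type": "service_account",
  "client_email": "example-sa@example-project.iam.gserviceaccount.com",
  "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
  "token_uri": "https://oauth2.googleapis.com/token"
}'

# Hypothetical helper: collapse a character vector of scopes into a single
# space-delimited string, which is what the issue says check_scope() does.
collapse_scopes <- function(scope) {
  if (is.null(scope)) return(NULL)
  if (!is.character(scope) || anyNA(scope) || any(!nzchar(scope))) {
    stop("`scope` must be a character vector of non-empty strings", call. = FALSE)
  }
  paste(scope, collapse = " ")
}

# Hypothetical helper: build the JWT claim set for the access-token request.
# `aud` comes from the key itself; an explicit endpoint is only a fallback.
service_claims <- function(secrets, scope, endpoint_access = NULL,
                           now = Sys.time(), lifetime = 3600) {
  aud <- secrets$token_uri
  if (is.null(aud)) aud <- endpoint_access
  if (is.null(aud)) {
    stop("no `token_uri` in the key and no endpoint supplied", call. = FALSE)
  }
  iat <- as.integer(now)
  list(
    iss = secrets$client_email,
    scope = collapse_scopes(scope),
    aud = aud,
    iat = iat,
    exp = iat + as.integer(lifetime)
  )
}

secrets <- fromJSON(key_json)
claims <- service_claims(secrets, scope = c(
  "https://www.googleapis.com/auth/bigquery",
  "https://www.googleapis.com/auth/cloud-platform"
))
# No endpoint was passed, yet `aud` is populated and `scope` is one string.
stopifnot(identical(claims$aud, secrets$token_uri), length(claims$scope) == 1L)
cat(toJSON(claims, auto_unbox = TRUE, pretty = TRUE), "\n")
```

Passing the scope vector uncollapsed would put a JSON array in the `scope` claim instead of the single space-delimited string, which is the processing that calling `TokenServiceAccount$new()` directly skips.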

httr has been superseded in favour of httr2, so is no longer under active development. If this problem is still important to you in httr2, I'd suggest filing an issue over there 😄. Thanks for using httr!

hadley, Oct 31 '23 20:10