httr
Why does `oauth_service_token()` require an endpoint?
This is a puzzle I've come across in my work on gargle, motivated by fitting it into bigrquery. I have to put it on a shelf but want to record my findings, so I (or someone) can come back to this.
Why does `oauth_service_token()` absolutely require an endpoint? Why this `stop()`?
https://github.com/r-lib/httr/blob/307c7df53cd6cb3512764b9e605c1f955587019a/R/oauth-token.r#L315-L317
So far it's not obvious to me where the `endpoint` is required downstream from here.
I suspect the presence of this `stop()` is why @craigcitro calls `httr::TokenServiceAccount$new()` directly here in `gargle::credentials_service_account()`:
https://github.com/r-lib/gargle/blob/dee10df5d1ddc1bdd06e0c3b1f1bade8af8b9246/R/service-account.R#L14-L18
instead of the way @Hadley does the same here in `bigrquery::set_service_token()` by calling `httr::oauth_service_token()`:
https://github.com/r-dbi/bigrquery/blob/c3fa2669ee68727ae3e38c7e27ff2e676ebc2f03/R/auth.R#L80
The current gargle approach is sub-optimal because it also bypasses an important call to the unexported `check_scope()`:
https://github.com/r-lib/httr/blob/307c7df53cd6cb3512764b9e605c1f955587019a/R/oauth-token.r#L322
which collapses a character vector of scopes into a single space-delimited string.
https://github.com/r-lib/httr/blob/af25ebd0e3b72d2dc6e1423242b94efc25bc97cc/R/oauth-init.R#L203-L212
I will just work around this for now in gargle by passing the Google endpoint so I can call `httr::oauth_service_token()` and get the scope processing.
Maybe I made a mistake in https://github.com/r-lib/httr/commit/ffd9f9fa0cc757f84b953397f020503c273ce03f and it should also allow `NULL`?
I think it should allow `NULL` at the very least. But maybe that argument shouldn't even be there? I'd have to look more closely and maybe learn more about service tokens. But don't they have their own info baked in?
It is also completely possible that I totally misunderstood service tokens.
For the Google case, the URI that is put in the JWT and to which the `POST` is eventually made, when requesting an access token from a service account token, is borne in the token itself (meaning the JSON).
Helpful reading for the Google case: https://developers.google.com/identity/protocols/OAuth2ServiceAccount
I can't say if that is a guarantee for all such tokens? Maybe @craigcitro can.
You can populate `endpoint` here (you must, in fact, hence this issue), but I'm basically convinced that httr currently never uses it.
The vast majority of `httr::oauth_service_token()` usage on GitHub is with Google: of ~160 hits 157 are Google. I see single examples that suggest maybe it's also used with Twitter (?), DigitalOcean, and Azure.
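The Google case discussed above, as an added example that is not code from httr, gargle or bigrquery: the JWT audience and the POST target both come from the `token_uri` field of the service-account JSON, and a scope vector is collapsed into one space-delimited string. The helper name `service_jwt_input()` and the key-file contents are constructed for illustration, jsonlite is assumed to be installed, and signing is left out.

```r
library(jsonlite)

# Constructed sample of a Google service-account key file (private key omitted).
sa_json <- '{
  "type": "service_account",
  "client_email": "demo-sa@example-project.iam.gserviceaccount.com",
  "token_uri": "https://oauth2.googleapis.com/token"
}'

# Hypothetical helper: build the unsigned JWT signing input from the key JSON.
# No endpoint argument is needed: the audience is read from the JSON itself.
service_jwt_input <- function(json, scopes,
                              now = as.numeric(Sys.time()), lifetime = 3600) {
  secrets <- fromJSON(json)
  stopifnot(identical(secrets$type, "service_account"))
  # The token is POSTed wherever the file says, so reject a missing or
  # non-https token_uri instead of silently using it.
  if (is.null(secrets$token_uri) || !grepl("^https://", secrets$token_uri)) {
    stop("key file carries no https token_uri; refusing to build a claim set")
  }
  claim <- list(
    iss   = secrets$client_email,
    scope = paste(scopes, collapse = " "),  # character vector -> one string
    aud   = secrets$token_uri,
    iat   = floor(now),
    exp   = floor(now) + lifetime
  )
  # base64url: standard base64 with "+/" mapped to "-_" and padding removed.
  b64url <- function(x) {
    enc <- base64_enc(charToRaw(as.character(x)))
    gsub("[=\r\n]", "", chartr("+/", "-_", enc))
  }
  header <- toJSON(list(alg = "RS256", typ = "JWT"), auto_unbox = TRUE)
  body   <- toJSON(claim, auto_unbox = TRUE)
  list(claim = claim,
       post_to = secrets$token_uri,
       signing_input = paste(b64url(header), b64url(body), sep = "."))
}

res <- service_jwt_input(
  sa_json,
  c("https://www.googleapis.com/auth/bigquery",
    "https://www.googleapis.com/auth/cloud-platform")
)
str(res$claim)
cat("POST to:", res$post_to, "\n")
```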
httr has been superseded in favour of httr2, so is no longer under active development. If this problem is still important to you in httr2, I'd suggest filing an issue over there 😄. Thanks for using httr!