Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use auth DetectDefault over oauth2 FindDefaultCredentials #909

Merged
merged 12 commits into from
Jan 14, 2025
Merged

fix: use auth DetectDefault over oauth2 FindDefaultCredentials #909

merged 12 commits into from
Jan 14, 2025

Conversation

jackwotherspoon
Copy link
Collaborator

@jackwotherspoon jackwotherspoon commented Jan 8, 2025
edited
Loading

The new Google auth library should be used over the old oauth2 library.

This will help fix certain non-GDU paths as FindDefaultCredentials does not support
self-signed JWTs.

Switching to the new auth library also allows us to remove some tricky
custom token refresh logic:

cloud-sql-go-connector/internal/cloudsql/refresh.go

Lines 143 to 162 in 3e8203a

var expired = time.Time{}.Add(1)
// canRefresh determines if the provided token was refreshed or if it still has
// the sentinel expiration, which means the token was provided without a
// refresh token (as with the Cloud SQL Proxy's --token flag) and therefore
// cannot be refreshed.
func canRefresh(t *oauth2.Token) bool {
return t.Expiry.Unix() != expired.Unix()
}
// refreshToken will retrieve a new token, only if a refresh token is present.
func refreshToken(ts oauth2.TokenSource, tok *oauth2.Token) (*oauth2.Token, error) {
expiredToken := &oauth2.Token{
AccessToken: tok.AccessToken,
TokenType: tok.TokenType,
RefreshToken: tok.RefreshToken,
Expiry: expired,
}
return oauth2.ReuseTokenSource(expiredToken, ts).Token()
}

Previously TokenSource tokens were tricked into performing a refresh by setting
the Expiry to one minute in the future. This was required as tokens were observed
to be cached sometimes up until <30s until expiry.

We no longer need this logic as the TokenProvider implementation by default
uses NewCachedTokenProvider which caches tokens and automatically refreshes
them when the token is close to expiring (within ~4 minutes).

Fixes #904

@jackwotherspoon jackwotherspoon self-assigned this Jan 8, 2025
@jackwotherspoon jackwotherspoon marked this pull request as ready for review January 10, 2025 01:51
@jackwotherspoon jackwotherspoon requested a review from a team as a code owner January 10, 2025 01:51
@jackwotherspoon
Copy link
Collaborator Author

@quartzmo mind taking a quick pass and letting me know if this looks okay to you? 😄

@jackwotherspoon jackwotherspoon changed the title refactor: use auth DetectDefault over oauth2 FindDefaultCredentials fix: use auth DetectDefault over oauth2 FindDefaultCredentials Jan 10, 2025
enocom
enocom approved these changes Jan 10, 2025
View reviewed changes
Copy link
Member

@enocom enocom left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Will you add a few sentences about why we're not force refreshing the token anymore? That was a tricky piece of code to write, but is now obviated by the better caching period in the new auth library. We're definitely going to forget this, so recording it for posterity would be a cheap and useful thing to do.

hessjcg
hessjcg requested changes Jan 10, 2025
View reviewed changes
dialer_test.go Show resolved Hide resolved
internal/cloudsql/refresh.go Show resolved Hide resolved
internal/cloudsql/refresh.go Show resolved Hide resolved
quartzmo
quartzmo reviewed Jan 10, 2025
View reviewed changes
Copy link
Member

@quartzmo quartzmo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about converting this test setup to use DetectDefault instead of DefaultTokenSource at this time as well?

@jackwotherspoon
Copy link
Collaborator Author

@quartzmo I think you accidentally pasted the wrong link, not sure exactly what test you are referring to...

I do plan to eventually remove the rest of the test usage of TokenSource and add a message to the WithTokenSource option

What do you think about converting this test setup to use DetectDefault instead of DefaultTokenSource at this time as well?

hessjcg
hessjcg requested changes Jan 14, 2025
View reviewed changes
dialer_test.go Show resolved Hide resolved
internal/cloudsql/refresh.go Show resolved Hide resolved
enocom
enocom approved these changes Jan 14, 2025
View reviewed changes
dialer.go Outdated Show resolved Hide resolved
internal/cloudsql/refresh.go Show resolved Hide resolved
hessjcg
hessjcg approved these changes Jan 14, 2025
View reviewed changes
internal/cloudsql/refresh.go Show resolved Hide resolved
@jackwotherspoon jackwotherspoon merged commit 52fef27 into main Jan 14, 2025
14 checks passed
@jackwotherspoon jackwotherspoon deleted the detect-default branch January 14, 2025 22:12
@release-please release-please bot mentioned this pull request Jan 14, 2025
Merged
This was referenced Jan 16, 2025
Merged
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@quartzmo quartzmo quartzmo left review comments

@enocom enocom enocom approved these changes

@hessjcg hessjcg hessjcg approved these changes

Assignees

@jackwotherspoon jackwotherspoon

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Migrate to new Go client library credentials
4 participants
@jackwotherspoon @quartzmo @enocom @hessjcg