impl(oauth2): add GDCH service account credentials #16126

Open
scotthart wants to merge 4 commits into googleapis:main from scotthart:oauth2_gdch_creds_1

@scotthart scotthart commented May 27, 2026

This PR adds a new credential type for supporting Google Cloud Distributed Hosting (GDCH) service accounts. More detailed information describing this workflow can be found at: https://docs.cloud.google.com/distributed-cloud/hosted/docs/latest/gdcag/platform/pa-user/service-identity

@scotthart scotthart requested a review from a team as a code owner May 27, 2026 20:55

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces GDCH (Google Distributed Cloud Hosted) service account credentials for REST clients, including parsing JSON key files, creating self-signed JWT assertions, and exchanging them for access tokens. It also updates the OpenSSL signing utility to support raw ECDSA signatures (RFC-7515) alongside the default DER format. The review feedback highlights several important robustness and safety improvements: validating that the parsed token JSON is an object with correct field types to prevent runtime exceptions, adding a separator to a concatenated error message, binding a temporary string to a local variable to avoid fragile lifetime issues with absl::Span, and removing a redundant namespace prefix for consistency.

Comment thread google/cloud/internal/oauth2_gdch_service_account_credentials.cc
Comment thread google/cloud/internal/oauth2_gdch_service_account_credentials.cc
Comment thread google/cloud/internal/oauth2_gdch_service_account_credentials.cc
Comment thread google/cloud/internal/openssl/sign_using_sha256.cc
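
Added example, not code from this pull request or from google-cloud-cpp: the review summary above mentions raw ECDSA signatures alongside the default DER format, and this sketch converts a DER signature to the fixed-width r || s form that JWS uses, in standard C++ without OpenSSL. The function names, the 32-byte component size (P-256, as used by ES256) and the sample bytes are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
using Bytes = std::vector<std::uint8_t>;
// Reads a DER length: short form, or the one-byte long form (0x81 nn).
static bool ReadLen(Bytes const& der, std::size_t& pos, std::size_t& len) {
  if (pos >= der.size()) return false;
  len = der[pos++];
  if (len < 0x80) return true;
  if (len != 0x81 || pos >= der.size()) return false;
  return (len = der[pos++]) >= 0x80;  // DER requires the shortest encoding
}

// Copies one DER INTEGER into out[off, off + n), left-padded with zeros.
static bool ReadInt(Bytes const& der, std::size_t& pos, std::size_t n,
                    Bytes& out, std::size_t off) {
  std::size_t len = 0;
  if (pos >= der.size() || der[pos++] != 0x02) return false;
  if (!ReadLen(der, pos, len) || len == 0 || len > der.size() - pos) return false;
  if (der[pos] & 0x80) return false;  // negative: never a valid r or s
  if (der[pos] == 0x00 && len > 1) {  // sign-padding byte added by DER
    if (!(der[pos + 1] & 0x80)) return false;  // padding was not needed
    ++pos; --len;
  }
  if (len > n) return false;  // value does not fit the curve's field size
  for (std::size_t i = 0; i < len; ++i) out[off + n - len + i] = der[pos + i];
  pos += len;
  return true;
}

// Converts SEQUENCE { INTEGER r, INTEGER s } to fixed-width r || s.
// n = 32 (P-256) is an assumption; returns an empty vector if malformed.
Bytes DerToRawEcdsa(Bytes const& der, std::size_t n = 32) {
  std::size_t pos = 0, seq_len = 0;
  if (der.empty() || der[pos++] != 0x30) return {};
  if (!ReadLen(der, pos, seq_len) || seq_len != der.size() - pos) return {};
  Bytes raw(2 * n, 0);
  if (!ReadInt(der, pos, n, raw, 0) || !ReadInt(der, pos, n, raw, n)) return {};
  return pos == der.size() ? raw : Bytes{};
}

// Constructed sample (not a real signature): r has its top bit set, so DER
// prefixes 0x00 (33 bytes); s is only 31 bytes and must be left-padded.
Bytes SampleDer() {
  Bytes d = {0x30, 0x44, 0x02, 0x21, 0x00, 0x80};
  d.insert(d.end(), 31, std::uint8_t{0x11});
  d.insert(d.end(), {0x02, 0x1f});
  d.insert(d.end(), 31, std::uint8_t{0x22});
  return d;
}
```

A DER signature varies in length with the leading bytes of r and s, so a verifier expecting the fixed 2n-byte form rejects it; rejecting trailing bytes and non-minimal integers keeps one signature from having several accepted encodings.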

codecov Bot commented May 27, 2026

Codecov Report

❌ Patch coverage is 91.68704% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.71%. Comparing base (5a2de69) to head (2c66fcf).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
...nternal/oauth2_gdch_service_account_credentials.cc 87.58% 18 Missing ⚠️
google/cloud/internal/openssl/sign_using_sha256.cc 61.53% 15 Missing ⚠️
...al/oauth2_gdch_service_account_credentials_test.cc 99.54% 1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff            @@
##             main   #16126    +/-   ##
========================================
  Coverage   92.71%   92.71%            
========================================
  Files        2353     2356     +3     
  Lines      219451   219858   +407     
========================================
+ Hits       203461   203845   +384     
- Misses      15990    16013    +23     
