feat(auth): implement regional access boundary support for standalone JWT and async service accounts #17025

Open
nbayati wants to merge 10 commits into googleapis:main from nbayati:rab-support-async-sa-jwt

@nbayati (Contributor) commented May 11, 2026

This PR implements the following changes:

  • Add RAB support to the async service account credential type by providing an async manager and fetching methods.
  • Update unit tests to accept both mTLS and standard lookup endpoint URLs.
  • Refactor before_request to use an _after_refresh hook so we don't have to override the method.
  • Add RAB support for the self-signed JWT flow through jwt.py.
  • Some small enhancements for test coverage and backward compatibility.

@gemini-code-assist (Bot, Contributor) left a comment

Code Review

This pull request implements asynchronous support for Regional Access Boundary (RAB) management, including background refresh tasks and mTLS endpoint support. Key changes include the addition of _AsyncRegionalAccessBoundaryRefreshManager, updates to JWT and service account credentials to handle RAB state during cloning and serialization, and comprehensive test coverage for these new flows. However, a critical issue was identified where the refresh method in google/auth/jwt.py was renamed to _perform_refresh_token, which will break token updates as the base class expects a refresh method. Additionally, a typo was found in a test assertion URL.

Comment thread packages/google-auth/google/auth/jwt.py
Comment thread packages/google-auth/tests/test_external_account_authorized_user.py Outdated
@nbayati changed the title from "Add RAB support for async SA and jwt.py" to "feat(auth): implement regional access boundary support for standalone JWT and async service accounts" May 11, 2026
@nbayati marked this pull request as ready for review May 11, 2026 20:40
@nbayati requested review from a team as code owners May 11, 2026 20:40