feat: Return X509 certificate chain as the subject token. #1746

Merged
merged 8 commits into from
May 12, 2025

Contributor

@nbayati nbayati commented May 7, 2025

design: go/x509-auth-lib-redesign

The CertificateIdentityPoolSubjectTokenSupplier's subjectToken function now returns the full X509 certificate chain, including the leaf certificate and any provided trust chain certificates, as a JSON array of base64-encoded strings. This chain is used as the subject token for mTLS authentication.

Similar work was done in the python and Go libraries.
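
The token format described above (a JSON array of base64-encoded certificates), as an added Python sketch that is not part of the original pull request and not the library's own code. It assumes standard base64 over each certificate's DER bytes, leaf first followed by the trust chain in file order, and that a trust chain file repeating the leaf must not duplicate it; `build_subject_token`, `token_fingerprints` and the sample bytes are hypothetical names and constructed values.

```python
import base64
import hashlib
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(pem_text)]

def build_subject_token(leaf_pem, trust_chain_pem=""):
    """Serialize leaf + trust chain as a JSON array of base64 strings."""
    leaf = pem_to_der_list(leaf_pem)
    if len(leaf) != 1:
        raise ValueError("expected exactly one leaf certificate")
    chain = [leaf[0]]
    for der in pem_to_der_list(trust_chain_pem):
        # Assumption of this example: a bundle that repeats the leaf
        # must not put it into the token twice.
        if der != leaf[0]:
            chain.append(der)
    return json.dumps([base64.b64encode(d).decode("ascii") for d in chain])

def token_fingerprints(token):
    """Decode a subject token; return the SHA-256 hex digest of each entry."""
    entries = json.loads(token)
    if not isinstance(entries, list) or not entries:
        raise ValueError("subject token must be a non-empty JSON array")
    if not all(isinstance(e, str) for e in entries):
        raise ValueError("every array element must be a base64 string")
    return [hashlib.sha256(base64.b64decode(e, validate=True)).hexdigest()
            for e in entries]

def to_pem(der):
    """Wrap raw bytes in a PEM certificate envelope (helper for the sample)."""
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed placeholder bytes standing in for DER certificates (not real certs).
LEAF, INTERMEDIATE, ROOT = b"constructed-leaf", b"constructed-intermediate", b"constructed-root"

if __name__ == "__main__":
    token = build_subject_token(to_pem(LEAF), to_pem(LEAF) + to_pem(INTERMEDIATE) + to_pem(ROOT))
    print(token)
    print(token_fingerprints(token))
```

The fingerprints from `token_fingerprints` can be logged next to a token exchange so the certificates presented as the subject token can be matched against an inventory of issued certificates.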

The CertificateIdentityPoolSubjectTokenSupplier's subjectToken function now returns the full X.509 certificate chain, including the leaf certificate and any provided trust chain certificates, as a JSON array of base64-encoded strings. This chain is used as the subject token for mTLS authentication.
@nbayati nbayati requested review from a team as code owners May 7, 2025 18:07
@product-auto-label product-auto-label bot added the size: l Pull request size is large. label May 7, 2025
@nbayati nbayati requested review from lsirac, andyrzhao, lqiu96 and zhumin8 May 7, 2025 18:07
@nbayati nbayati requested a review from lqiu96 May 9, 2025 00:06
Contributor

@andyrzhao andyrzhao left a comment

LGTM with some minor comments.

@nbayati nbayati requested a review from lqiu96 May 9, 2025 18:58
@nbayati nbayati requested a review from zhumin8 May 9, 2025 20:37
Contributor

@lqiu96 lqiu96 left a comment

Changes LGTM. Added a few clarifying nits in the tests, but everything else is fine.

Leaving this up to @zhumin8 for final approval. She can help coordinate if this is going into the next release cycle or the one after it.

@nbayati nbayati requested a review from zhumin8 May 12, 2025 18:00
Contributor

@zhumin8 zhumin8 left a comment

LGTM

@nbayati nbayati merged commit 6d05be8 into googleapis:main May 12, 2025
20 of 22 checks passed
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request May 13, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.auth:google-auth-library-oauth2-http](https://github.com/googleapis/google-auth-library-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.34.0` -> `1.35.0` |
| [com.google.auth:google-auth-library-credentials](https://github.com/googleapis/google-auth-library-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.34.0` -> `1.35.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.40` -> `2.31.41` |
| [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.40` -> `2.31.41` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.40` -> `2.31.41` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.40` -> `2.31.41` |

---

### Release Notes

<details>
<summary>googleapis/google-auth-library-java
(com.google.auth:google-auth-library-oauth2-http)</summary>

### [`v1.35.0`](https://github.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1350-2025-05-12)

##### Features

- Add support for mTLS authentication via X.509 certificates
([#1736](googleapis/google-auth-library-java#1736))
([b347603](googleapis/google-auth-library-java@b347603))
- Return X509 certificate chain as the subject token.
([#1746](googleapis/google-auth-library-java#1746))
([6d05be8](googleapis/google-auth-library-java@6d05be8))

##### Bug Fixes

- Handle optional fields in ExternalAccountCredentials with null JSON
value gracefully
([#1706](googleapis/google-auth-library-java#1706))
([f1f306d](googleapis/google-auth-library-java@f1f306d))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: abc60fba8102e94da5ecb2e7537ccaf5d3d8628f