diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h
index c116a7a5854..9edd70f39d7 100644
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@@ -159,17 +159,9 @@ GRPCAPI void grpc_channel_credentials_release(grpc_channel_credentials* creds);
If nullptr is supplied, the returned channel credentials object will use a
call credentials object based on the Application Default Credentials
mechanism.
-
- user_provided_scope is an optional field for user to use in the JWT token to
- represent the scope field. It will only be used if a service account JWT
- access credential is created by the application default credentials
- mechanism. If user_provided_scope is not nullptr, the audience (service URL)
- field in the JWT token will be cleared, which is dictated by
- https://google.aip.dev/auth/4111. Also note that user_provided_scope will be
- ignored if the call_credentials is not nullptr.
*/
GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create(
- grpc_call_credentials* call_credentials, const char* user_provided_scope);
+ grpc_call_credentials* call_credentials);
/** Callback for getting the SSL roots override from the application.
In case of success, *pem_roots_certs must be set to a NULL terminated string
@@ -332,16 +324,11 @@ GRPCAPI gpr_timespec grpc_max_auth_token_lifetime(void);
- json_key is the JSON key string containing the client's private key.
- token_lifetime is the lifetime of each Json Web Token (JWT) created with
this credentials. It should not exceed grpc_max_auth_token_lifetime or
- will be cropped to this value.
- - user_provided_scope is an optional field for user to use in the JWT token
- to represent the scope field.
- - clear_audience dictating the clearance of audience field when it
- is set to a non-zero value AND user_provided_scope is not nullptr.
- */
+ will be cropped to this value. */
GRPCAPI grpc_call_credentials*
-grpc_service_account_jwt_access_credentials_create(
- const char* json_key, gpr_timespec token_lifetime,
- const char* user_provided_scope, int clear_audience);
+grpc_service_account_jwt_access_credentials_create(const char* json_key,
+ gpr_timespec token_lifetime,
+ void* reserved);
/** Builds External Account credentials.
- json_string is the JSON string containing the credentials options.
diff --git a/include/grpcpp/security/credentials.h b/include/grpcpp/security/credentials.h
index 8516d62567d..1b1f994c1a9 100644
--- a/include/grpcpp/security/credentials.h
+++ b/include/grpcpp/security/credentials.h
@@ -172,19 +172,11 @@ struct SslCredentialsOptions {
/// Builds credentials with reasonable defaults.
///
-/// user_provided_scope is an optional field for user to use to represent the
-/// scope field in the JWT token. It will only be used if a service account JWT
-/// access credential is created by the application default credentials
-/// mechanism. If user_provided_scope is not empty, the audience (service URL)
-/// field in the JWT token will be cleared, which is dictated by
-/// https://google.aip.dev/auth/4111.
-///
/// \warning Only use these credentials when connecting to a Google endpoint.
/// Using these credentials to connect to any other service may result in this
/// service being able to impersonate your client for requests to Google
/// services.
-std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials(
- const grpc::string& user_provided_scope = "");
+std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials();
/// Builds SSL Credentials given SSL specific options
std::shared_ptr<ChannelCredentials> SslCredentials(
@@ -205,15 +197,9 @@ constexpr long kMaxAuthTokenLifetimeSecs = 3600;
/// token_lifetime_seconds is the lifetime in seconds of each Json Web Token
/// (JWT) created with this credentials. It should not exceed
/// \a kMaxAuthTokenLifetimeSecs or will be cropped to this value.
-/// user_provided_scope is an optional field for user to use to represent the
-/// scope field in the JWT token.
-/// clear_audience is a boolean field that dictates clearing audience
-/// field in the JWT token when it is set to true AND user_provided_scope is
-/// not empty. */
std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
const grpc::string& json_key,
- long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs,
- const grpc::string& user_provided_scope = "", bool clear_audience = false);
+ long token_lifetime_seconds = kMaxAuthTokenLifetimeSecs);
/// Builds refresh token credentials.
/// json_refresh_token is the JSON string containing the refresh token along
diff --git a/src/core/ext/xds/xds_bootstrap.cc b/src/core/ext/xds/xds_bootstrap.cc
index 57ae8e5138f..d64ab35cc92 100644
--- a/src/core/ext/xds/xds_bootstrap.cc
+++ b/src/core/ext/xds/xds_bootstrap.cc
@@ -59,7 +59,7 @@ RefCountedPtr<grpc_channel_credentials>
XdsChannelCredsRegistry::MakeChannelCreds(const std::string& creds_type,
const Json& /*config*/) {
if (creds_type == "google_default") {
- return grpc_google_default_credentials_create(nullptr, nullptr);
+ return grpc_google_default_credentials_create(nullptr);
} else if (creds_type == "insecure") {
return grpc_insecure_credentials_create();
} else if (creds_type == "fake") {
diff --git a/src/core/lib/security/credentials/google_default/google_default_credentials.cc b/src/core/lib/security/credentials/google_default/google_default_credentials.cc
index 483a68cb74a..93fdd5323e1 100644
--- a/src/core/lib/security/credentials/google_default/google_default_credentials.cc
+++ b/src/core/lib/security/credentials/google_default/google_default_credentials.cc
@@ -224,7 +224,7 @@ static int is_metadata_server_reachable() {
/* Takes ownership of creds_path if not NULL. */
static grpc_error_handle create_default_creds_from_path(
- const std::string& creds_path, const char* user_provided_scope,
+ const std::string& creds_path,
grpc_core::RefCountedPtr<grpc_call_credentials>* creds) {
grpc_auth_json_key key;
grpc_auth_refresh_token token;
@@ -250,11 +250,9 @@ static grpc_error_handle create_default_creds_from_path(
/* First, try an auth json key. */
key = grpc_auth_json_key_create_from_json(json);
if (grpc_auth_json_key_is_valid(&key)) {
- if (user_provided_scope == nullptr) user_provided_scope = "";
result =
grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
- key, grpc_max_auth_token_lifetime(), user_provided_scope,
- true /* clear_audience */);
+ key, grpc_max_auth_token_lifetime());
if (result == nullptr) {
error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"grpc_service_account_jwt_access_credentials_create_from_auth_json_"
@@ -308,15 +306,14 @@ static bool metadata_server_available() {
}
static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
- const char* user_provided_scope, grpc_error_handle* error) {
+ grpc_error_handle* error) {
grpc_core::RefCountedPtr<grpc_call_credentials> call_creds;
grpc_error_handle err;
/* First, try the environment variable. */
char* path_from_env = gpr_getenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR);
if (path_from_env != nullptr) {
- err = create_default_creds_from_path(path_from_env, user_provided_scope,
- &call_creds);
+ err = create_default_creds_from_path(path_from_env, &call_creds);
gpr_free(path_from_env);
if (err == GRPC_ERROR_NONE) return call_creds;
*error = grpc_error_add_child(*error, err);
@@ -324,8 +321,7 @@ static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
/* Then the well-known file. */
err = create_default_creds_from_path(
- grpc_get_well_known_google_credentials_file_path(), user_provided_scope,
- &call_creds);
+ grpc_get_well_known_google_credentials_file_path(), &call_creds);
if (err == GRPC_ERROR_NONE) return call_creds;
*error = grpc_error_add_child(*error, err);
@@ -347,7 +343,7 @@ static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
}
grpc_channel_credentials* grpc_google_default_credentials_create(
- grpc_call_credentials* call_credentials, const char* user_provided_scope) {
+ grpc_call_credentials* call_credentials) {
grpc_channel_credentials* result = nullptr;
grpc_core::RefCountedPtr<grpc_call_credentials> call_creds(call_credentials);
grpc_error_handle error = GRPC_ERROR_NONE;
@@ -357,7 +353,7 @@ grpc_channel_credentials* grpc_google_default_credentials_create(
(call_credentials));
if (call_creds == nullptr) {
- call_creds = make_default_call_creds(user_provided_scope, &error);
+ call_creds = make_default_call_creds(&error);
}
if (call_creds != nullptr) {
diff --git a/src/core/lib/security/credentials/jwt/json_token.cc b/src/core/lib/security/credentials/jwt/json_token.cc
index 5ec5876f56f..5e317c490a5 100644
--- a/src/core/lib/security/credentials/jwt/json_token.cc
+++ b/src/core/lib/security/credentials/jwt/json_token.cc
@@ -165,8 +165,7 @@ static char* encoded_jwt_header(const char* key_id, const char* algorithm) {
static char* encoded_jwt_claim(const grpc_auth_json_key* json_key,
const char* audience,
- gpr_timespec token_lifetime, const char* scope,
- bool clear_audience) {
+ gpr_timespec token_lifetime, const char* scope) {
gpr_timespec now = gpr_now(GPR_CLOCK_REALTIME);
gpr_timespec expiration = gpr_time_add(now, token_lifetime);
if (gpr_time_cmp(token_lifetime, grpc_max_auth_token_lifetime()) > 0) {
@@ -176,19 +175,15 @@ static char* encoded_jwt_claim(const grpc_auth_json_key* json_key,
Json::Object object = {
{"iss", json_key->client_email},
+ {"aud", audience},
{"iat", now.tv_sec},
{"exp", expiration.tv_sec},
};
-
if (scope != nullptr) {
object["scope"] = scope;
- if (!clear_audience) {
- object["aud"] = audience;
- }
} else {
/* Unscoped JWTs need a sub field. */
object["sub"] = json_key->client_email;
- object["aud"] = audience;
}
Json json(object);
@@ -269,8 +264,7 @@ end:
char* grpc_jwt_encode_and_sign(const grpc_auth_json_key* json_key,
const char* audience,
- gpr_timespec token_lifetime, const char* scope,
- bool clear_audience) {
+ gpr_timespec token_lifetime, const char* scope) {
if (g_jwt_encode_and_sign_override != nullptr) {
return g_jwt_encode_and_sign_override(json_key, audience, token_lifetime,
scope);
@@ -278,8 +272,7 @@ char* grpc_jwt_encode_and_sign(const grpc_auth_json_key* json_key,
const char* sig_algo = GRPC_JWT_RSA_SHA256_ALGORITHM;
char* to_sign = dot_concat_and_free_strings(
encoded_jwt_header(json_key->private_key_id, sig_algo),
- encoded_jwt_claim(json_key, audience, token_lifetime, scope,
- clear_audience));
+ encoded_jwt_claim(json_key, audience, token_lifetime, scope));
char* sig = compute_and_encode_signature(json_key, sig_algo, to_sign);
if (sig == nullptr) {
gpr_free(to_sign);
diff --git a/src/core/lib/security/credentials/jwt/json_token.h b/src/core/lib/security/credentials/jwt/json_token.h
index 7e312d3621e..b9a41c6b2b6 100644
--- a/src/core/lib/security/credentials/jwt/json_token.h
+++ b/src/core/lib/security/credentials/jwt/json_token.h
@@ -58,13 +58,10 @@ void grpc_auth_json_key_destruct(grpc_auth_json_key* json_key);
/* --- json token encoding and signing. --- */
/* Caller is responsible for calling gpr_free on the returned value. May return
- NULL on invalid input. The scope parameter may be NULL. The
- clear_audience parameter dictates the clearing of audience field when
- it is set to a non-zero value AND scope is not nullptr. */
+ NULL on invalid input. The scope parameter may be NULL. */
char* grpc_jwt_encode_and_sign(const grpc_auth_json_key* json_key,
const char* audience,
- gpr_timespec token_lifetime, const char* scope,
- bool clear_audience);
+ gpr_timespec token_lifetime, const char* scope);
/* Override encode_and_sign function for testing. */
typedef char* (*grpc_jwt_encode_and_sign_override)(
diff --git a/src/core/lib/security/credentials/jwt/jwt_credentials.cc b/src/core/lib/security/credentials/jwt/jwt_credentials.cc
index 94b3fd6c951..27590f4baf5 100644
--- a/src/core/lib/security/credentials/jwt/jwt_credentials.cc
+++ b/src/core/lib/security/credentials/jwt/jwt_credentials.cc
@@ -62,17 +62,13 @@ bool grpc_service_account_jwt_access_credentials::get_request_metadata(
grpc_closure* /*on_request_metadata*/, grpc_error_handle* error) {
gpr_timespec refresh_threshold = gpr_time_from_seconds(
GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN);
- absl::string_view scope = user_provided_scope_;
+
/* See if we can return a cached jwt. */
grpc_mdelem jwt_md = GRPC_MDNULL;
{
gpr_mu_lock(&cache_mu_);
- // We use the cached token if
- // 1) cached_.service_url is equal to context.service_url OR
- // 2) scope is not emtpy AND clear_audience_ is a non-zero value.
if (cached_.service_url != nullptr &&
- (strcmp(cached_.service_url, context.service_url) == 0 ||
- (!scope.empty() && clear_audience_)) &&
+ strcmp(cached_.service_url, context.service_url) == 0 &&
!GRPC_MDISNULL(cached_.jwt_md) &&
(gpr_time_cmp(
gpr_time_sub(cached_.jwt_expiration, gpr_now(GPR_CLOCK_REALTIME)),
@@ -88,8 +84,7 @@ bool grpc_service_account_jwt_access_credentials::get_request_metadata(
gpr_mu_lock(&cache_mu_);
reset_cache();
jwt = grpc_jwt_encode_and_sign(&key_, context.service_url, jwt_lifetime_,
- scope.empty() ? nullptr : scope.data(),
- clear_audience_);
+ nullptr);
if (jwt != nullptr) {
std::string md_value = absl::StrCat("Bearer ", jwt);
gpr_free(jwt);
@@ -120,13 +115,8 @@ void grpc_service_account_jwt_access_credentials::cancel_get_request_metadata(
grpc_service_account_jwt_access_credentials::
grpc_service_account_jwt_access_credentials(grpc_auth_json_key key,
- gpr_timespec token_lifetime,
- std::string user_provided_scope,
- bool clear_audience)
- : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_JWT),
- key_(key),
- user_provided_scope_(std::move(user_provided_scope)),
- clear_audience_(clear_audience) {
+ gpr_timespec token_lifetime)
+ : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_JWT), key_(key) {
gpr_timespec max_token_lifetime = grpc_max_auth_token_lifetime();
if (gpr_time_cmp(token_lifetime, max_token_lifetime) > 0) {
gpr_log(GPR_INFO,
@@ -141,14 +131,13 @@ grpc_service_account_jwt_access_credentials::
grpc_core::RefCountedPtr<grpc_call_credentials>
grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
- grpc_auth_json_key key, gpr_timespec token_lifetime,
- std::string user_provided_scope, bool clear_audience) {
+ grpc_auth_json_key key, gpr_timespec token_lifetime) {
if (!grpc_auth_json_key_is_valid(&key)) {
gpr_log(GPR_ERROR, "Invalid input for jwt credentials creation");
return nullptr;
}
return grpc_core::MakeRefCounted<grpc_service_account_jwt_access_credentials>(
- key, token_lifetime, std::move(user_provided_scope), clear_audience);
+ key, token_lifetime);
}
static char* redact_private_key(const char* json_key) {
@@ -163,8 +152,7 @@ static char* redact_private_key(const char* json_key) {
}
grpc_call_credentials* grpc_service_account_jwt_access_credentials_create(
- const char* json_key, gpr_timespec token_lifetime,
- const char* user_provided_scope, int clear_audience) {
+ const char* json_key, gpr_timespec token_lifetime, void* reserved) {
if (GRPC_TRACE_FLAG_ENABLED(grpc_api_trace)) {
char* clean_json = redact_private_key(json_key);
gpr_log(GPR_INFO,
@@ -173,18 +161,15 @@ grpc_call_credentials* grpc_service_account_jwt_access_credentials_create(
"token_lifetime="
"gpr_timespec { tv_sec: %" PRId64
", tv_nsec: %d, clock_type: %d }, "
- "user_provided_scope=%s, "
- "clear_audience=%d)",
+ "reserved=%p)",
clean_json, token_lifetime.tv_sec, token_lifetime.tv_nsec,
- static_cast<int>(token_lifetime.clock_type), user_provided_scope,
- clear_audience);
+ static_cast<int>(token_lifetime.clock_type), reserved);
gpr_free(clean_json);
}
+ GPR_ASSERT(reserved == nullptr);
grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
grpc_core::ExecCtx exec_ctx;
- if (user_provided_scope == nullptr) user_provided_scope = "";
return grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
- grpc_auth_json_key_create_from_string(json_key), token_lifetime,
- user_provided_scope, clear_audience)
+ grpc_auth_json_key_create_from_string(json_key), token_lifetime)
.release();
}
diff --git a/src/core/lib/security/credentials/jwt/jwt_credentials.h b/src/core/lib/security/credentials/jwt/jwt_credentials.h
index 0d3e378e963..5ae4c1f41fd 100644
--- a/src/core/lib/security/credentials/jwt/jwt_credentials.h
+++ b/src/core/lib/security/credentials/jwt/jwt_credentials.h
@@ -34,9 +34,7 @@ class grpc_service_account_jwt_access_credentials
: public grpc_call_credentials {
public:
grpc_service_account_jwt_access_credentials(grpc_auth_json_key key,
- gpr_timespec token_lifetime,
- std::string user_provided_scope,
- bool clear_audience);
+ gpr_timespec token_lifetime);
~grpc_service_account_jwt_access_credentials() override;
bool get_request_metadata(grpc_polling_entity* pollent,
@@ -50,9 +48,7 @@ class grpc_service_account_jwt_access_credentials
const gpr_timespec& jwt_lifetime() const { return jwt_lifetime_; }
const grpc_auth_json_key& key() const { return key_; }
- const std::string& user_provided_scope() const {
- return user_provided_scope_;
- }
+
std::string debug_string() override {
return absl::StrFormat(
"JWTAccessCredentials{ExpirationTime:%s}",
@@ -74,15 +70,12 @@ class grpc_service_account_jwt_access_credentials
grpc_auth_json_key key_;
gpr_timespec jwt_lifetime_;
- std::string user_provided_scope_;
- bool clear_audience_;
};
// Private constructor for jwt credentials from an already parsed json key.
// Takes ownership of the key.
grpc_core::RefCountedPtr<grpc_call_credentials>
grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
- grpc_auth_json_key key, gpr_timespec token_lifetime,
- std::string user_provided_scope, bool clear_audience);
+ grpc_auth_json_key key, gpr_timespec token_lifetime);
#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JWT_CREDENTIALS_H */
diff --git a/src/cpp/client/secure_credentials.cc b/src/cpp/client/secure_credentials.cc
index 58e8c6cf449..e743165c518 100644
--- a/src/cpp/client/secure_credentials.cc
+++ b/src/cpp/client/secure_credentials.cc
@@ -103,13 +103,10 @@ std::shared_ptr<CallCredentials> WrapCallCredentials(
}
} // namespace
-std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials(
- const grpc::string& user_provided_scope) {
+std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials() {
grpc::GrpcLibraryCodegen init; // To call grpc_init().
return internal::WrapChannelCredentials(
- grpc_google_default_credentials_create(
- nullptr,
- user_provided_scope.empty() ? nullptr : user_provided_scope.c_str()));
+ grpc_google_default_credentials_create(nullptr));
}
std::shared_ptr<CallCredentials> ExternalAccountCredentials(
@@ -323,8 +320,7 @@ std::shared_ptr<CallCredentials> GoogleComputeEngineCredentials() {
// Builds JWT credentials.
std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
- const std::string& json_key, long token_lifetime_seconds,
- const grpc::string& user_provided_scope, bool clear_audience) {
+ const std::string& json_key, long token_lifetime_seconds) {
grpc::GrpcLibraryCodegen init; // To call grpc_init().
if (token_lifetime_seconds <= 0) {
gpr_log(GPR_ERROR,
@@ -334,9 +330,7 @@ std::shared_ptr<CallCredentials> ServiceAccountJWTAccessCredentials(
gpr_timespec lifetime =
gpr_time_from_seconds(token_lifetime_seconds, GPR_TIMESPAN);
return WrapCallCredentials(grpc_service_account_jwt_access_credentials_create(
- json_key.c_str(), lifetime,
- user_provided_scope.empty() ? nullptr : user_provided_scope.c_str(),
- clear_audience));
+ json_key.c_str(), lifetime, nullptr));
}
// Builds refresh token credentials.
diff --git a/src/php/ext/grpc/channel_credentials.c b/src/php/ext/grpc/channel_credentials.c
index ddf0881d0f2..34b4c826085 100644
--- a/src/php/ext/grpc/channel_credentials.c
+++ b/src/php/ext/grpc/channel_credentials.c
@@ -131,7 +131,7 @@ PHP_METHOD(ChannelCredentials, invalidateDefaultRootsPem) {
* @return ChannelCredentials The new default channel credentials object
*/
PHP_METHOD(ChannelCredentials, createDefault) {
- grpc_channel_credentials *creds = grpc_google_default_credentials_create(NULL, NULL);
+ grpc_channel_credentials *creds = grpc_google_default_credentials_create(NULL);
zval *creds_object = grpc_php_wrap_channel_credentials(creds, NULL, false
TSRMLS_CC);
RETURN_DESTROY_ZVAL(creds_object);
diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
index 3d3804f985c..23de3a0b188 100644
--- a/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
@@ -434,7 +434,7 @@ cdef class ComputeEngineChannelCredentials(ChannelCredentials):
raise ValueError("Call credentials may not be NULL.")
cdef grpc_channel_credentials *c(self) except *:
- self._c_creds = grpc_google_default_credentials_create(self._call_creds, NULL)
+ self._c_creds = grpc_google_default_credentials_create(self._call_creds)
return self._c_creds
diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
index 39c51f2f624..6698dd6538f 100644
--- a/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi
@@ -525,7 +525,7 @@ cdef extern from "grpc/grpc_security.h":
void grpc_set_ssl_roots_override_callback(
grpc_ssl_roots_override_callback cb) nogil
- grpc_channel_credentials *grpc_google_default_credentials_create(grpc_call_credentials* call_credentials, const char* user_provided_scope) nogil
+ grpc_channel_credentials *grpc_google_default_credentials_create(grpc_call_credentials* call_credentials) nogil
grpc_channel_credentials *grpc_ssl_credentials_create(
const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair,
verify_peer_options *verify_options, void *reserved) nogil
@@ -551,7 +551,7 @@ cdef extern from "grpc/grpc_security.h":
void *reserved) nogil
grpc_call_credentials *grpc_service_account_jwt_access_credentials_create(
const char *json_key,
- gpr_timespec token_lifetime, const char* user_provided_scope, int clear_audience) nogil
+ gpr_timespec token_lifetime, void *reserved) nogil
grpc_call_credentials *grpc_google_refresh_token_credentials_create(
const char *json_refresh_token, void *reserved) nogil
grpc_call_credentials *grpc_google_iam_credentials_create(
diff --git a/src/ruby/ext/grpc/rb_grpc_imports.generated.h b/src/ruby/ext/grpc/rb_grpc_imports.generated.h
index dbaa40e7f18..33c636de86b 100644
--- a/src/ruby/ext/grpc/rb_grpc_imports.generated.h
+++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.h
@@ -353,7 +353,7 @@ extern grpc_call_credentials_release_type grpc_call_credentials_release_import;
typedef void(*grpc_channel_credentials_release_type)(grpc_channel_credentials* creds);
extern grpc_channel_credentials_release_type grpc_channel_credentials_release_import;
#define grpc_channel_credentials_release grpc_channel_credentials_release_import
-typedef grpc_channel_credentials*(*grpc_google_default_credentials_create_type)(grpc_call_credentials* call_credentials, const char* user_provided_scope);
+typedef grpc_channel_credentials*(*grpc_google_default_credentials_create_type)(grpc_call_credentials* call_credentials);
extern grpc_google_default_credentials_create_type grpc_google_default_credentials_create_import;
#define grpc_google_default_credentials_create grpc_google_default_credentials_create_import
typedef void(*grpc_set_ssl_roots_override_callback_type)(grpc_ssl_roots_override_callback cb);
@@ -377,7 +377,7 @@ extern grpc_google_compute_engine_credentials_create_type grpc_google_compute_en
typedef gpr_timespec(*grpc_max_auth_token_lifetime_type)(void);
extern grpc_max_auth_token_lifetime_type grpc_max_auth_token_lifetime_import;
#define grpc_max_auth_token_lifetime grpc_max_auth_token_lifetime_import
-typedef grpc_call_credentials*(*grpc_service_account_jwt_access_credentials_create_type)(const char* json_key, gpr_timespec token_lifetime, const char* user_provided_scope, int clear_audience);
+typedef grpc_call_credentials*(*grpc_service_account_jwt_access_credentials_create_type)(const char* json_key, gpr_timespec token_lifetime, void* reserved);
extern grpc_service_account_jwt_access_credentials_create_type grpc_service_account_jwt_access_credentials_create_import;
#define grpc_service_account_jwt_access_credentials_create grpc_service_account_jwt_access_credentials_create_import
typedef grpc_call_credentials*(*grpc_external_account_credentials_create_type)(const char* json_string, const char* scopes_string);
diff --git a/test/core/security/create_jwt.cc b/test/core/security/create_jwt.cc
index f0c808563b2..2ea640b605e 100644
--- a/test/core/security/create_jwt.cc
+++ b/test/core/security/create_jwt.cc
@@ -45,7 +45,7 @@ void create_jwt(const char* json_key_file_path, const char* service_url,
}
jwt = grpc_jwt_encode_and_sign(
&key, service_url == nullptr ? GRPC_JWT_OAUTH2_AUDIENCE : service_url,
- grpc_max_auth_token_lifetime(), scope, false);
+ grpc_max_auth_token_lifetime(), scope);
grpc_auth_json_key_destruct(&key);
if (jwt == nullptr) {
fprintf(stderr, "Could not create JWT.\n");
diff --git a/test/core/security/credentials_test.cc b/test/core/security/credentials_test.cc
index e9900e7e8b9..0533247a182 100644
--- a/test/core/security/credentials_test.cc
+++ b/test/core/security/credentials_test.cc
@@ -129,9 +129,6 @@ static const char test_signed_jwt_token_type[] =
static const char test_signed_jwt2[] =
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM5YW"
"U2MDcyZTViYTdnZDkwODg5YzcifQ";
-static const char test_signed_jwt3[] =
- "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImY0OTRkN2M1YWU2MGRmOTcyNmM6YW"
- "U3MDcyZTViYTdnZDkwODg5YzcifR";
static const char test_signed_jwt_token_type2[] =
"urn:ietf:params:oauth:token-type:jwt";
static const char test_signed_jwt_path_prefix[] = "test_sign_jwt";
@@ -1299,16 +1296,6 @@ static char* encode_and_sign_jwt_success(const grpc_auth_json_key* json_key,
return gpr_strdup(test_signed_jwt);
}
-static char* encode_and_sign_jwt_with_scope_success(
- const grpc_auth_json_key* json_key, const char* /*audience*/,
- gpr_timespec token_lifetime, const char* scope) {
- if (strcmp(scope, test_scope) == 0) {
- validate_jwt_encode_and_sign_params(json_key, scope, token_lifetime);
- return gpr_strdup(test_signed_jwt3);
- }
- return nullptr;
-}
-
static char* encode_and_sign_jwt_failure(const grpc_auth_json_key* json_key,
const char* /*audience*/,
gpr_timespec token_lifetime,
@@ -1338,7 +1325,7 @@ static void test_jwt_creds_lifetime(void) {
// Max lifetime.
grpc_call_credentials* jwt_creds =
grpc_service_account_jwt_access_credentials_create(
- json_key_string, grpc_max_auth_token_lifetime(), nullptr, 0);
+ json_key_string, grpc_max_auth_token_lifetime(), nullptr);
GPR_ASSERT(gpr_time_cmp(creds_as_jwt(jwt_creds)->jwt_lifetime(),
grpc_max_auth_token_lifetime()) == 0);
/* Check security level. */
@@ -1352,7 +1339,7 @@ static void test_jwt_creds_lifetime(void) {
gpr_timespec token_lifetime = {10, 0, GPR_TIMESPAN};
GPR_ASSERT(gpr_time_cmp(grpc_max_auth_token_lifetime(), token_lifetime) > 0);
jwt_creds = grpc_service_account_jwt_access_credentials_create(
- json_key_string, token_lifetime, nullptr, 0);
+ json_key_string, token_lifetime, nullptr);
GPR_ASSERT(gpr_time_cmp(creds_as_jwt(jwt_creds)->jwt_lifetime(),
token_lifetime) == 0);
GPR_ASSERT(strncmp(expected_creds_debug_string_prefix,
@@ -1364,7 +1351,7 @@ static void test_jwt_creds_lifetime(void) {
gpr_timespec add_to_max = {10, 0, GPR_TIMESPAN};
token_lifetime = gpr_time_add(grpc_max_auth_token_lifetime(), add_to_max);
jwt_creds = grpc_service_account_jwt_access_credentials_create(
- json_key_string, token_lifetime, nullptr, 0);
+ json_key_string, token_lifetime, nullptr);
GPR_ASSERT(gpr_time_cmp(creds_as_jwt(jwt_creds)->jwt_lifetime(),
grpc_max_auth_token_lifetime()) == 0);
GPR_ASSERT(strncmp(expected_creds_debug_string_prefix,
@@ -1387,7 +1374,7 @@ static void test_jwt_creds_success(void) {
expected_md emd[] = {{"authorization", expected_md_value.c_str()}};
grpc_call_credentials* creds =
grpc_service_account_jwt_access_credentials_create(
- json_key_string, grpc_max_auth_token_lifetime(), nullptr, 0);
+ json_key_string, grpc_max_auth_token_lifetime(), nullptr);
/* First request: jwt_encode_and_sign should be called. */
request_metadata_state* state =
@@ -1421,99 +1408,6 @@ static void test_jwt_creds_success(void) {
grpc_jwt_encode_and_sign_set_override(nullptr);
}
-static void test_jwt_creds_with_scope_success(void) {
- const char expected_creds_debug_string_prefix[] =
- "JWTAccessCredentials{ExpirationTime:";
-
- char* json_key_string = test_json_key_str();
- grpc_core::ExecCtx exec_ctx;
- grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
- nullptr, nullptr};
- std::string expected_md_value = absl::StrCat("Bearer ", test_signed_jwt3);
- expected_md emd[] = {{"authorization", expected_md_value.c_str()}};
- grpc_call_credentials* creds =
- grpc_service_account_jwt_access_credentials_create(
- json_key_string, grpc_max_auth_token_lifetime(), test_scope,
- 0 /* should_clear_audience*/);
-
- /* First request: jwt_encode_and_sign should be called. */
- request_metadata_state* state =
- make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
- grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_with_scope_success);
- run_request_metadata_test(creds, auth_md_ctx, state);
- grpc_core::ExecCtx::Get()->Flush();
-
- /* Second request: the cached token should be served directly. */
- state =
- make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
- grpc_jwt_encode_and_sign_set_override(
- encode_and_sign_jwt_should_not_be_called);
- run_request_metadata_test(creds, auth_md_ctx, state);
- grpc_core::ExecCtx::Get()->Flush();
-
- /* Third request: Different service url so jwt_encode_and_sign should be
- called again (no caching). */
- state =
- make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
- auth_md_ctx.service_url = other_test_service_url;
- grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_with_scope_success);
- run_request_metadata_test(creds, auth_md_ctx, state);
- grpc_core::ExecCtx::Get()->Flush();
- GPR_ASSERT(strncmp(expected_creds_debug_string_prefix,
- creds->debug_string().c_str(),
- strlen(expected_creds_debug_string_prefix)) == 0);
- creds->Unref();
- gpr_free(json_key_string);
- grpc_jwt_encode_and_sign_set_override(nullptr);
-}
-
-static void test_jwt_creds_no_audience_success(void) {
- const char expected_creds_debug_string_prefix[] =
- "JWTAccessCredentials{ExpirationTime:";
-
- char* json_key_string = test_json_key_str();
- grpc_core::ExecCtx exec_ctx;
- grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
- nullptr, nullptr};
- std::string expected_md_value = absl::StrCat("Bearer ", test_signed_jwt3);
- expected_md emd[] = {{"authorization", expected_md_value.c_str()}};
- grpc_call_credentials* creds =
- grpc_service_account_jwt_access_credentials_create(
- json_key_string, grpc_max_auth_token_lifetime(), test_scope,
- 1 /* should_clear_audience*/);
-
- /* First request: jwt_encode_and_sign should be called. */
- request_metadata_state* state =
- make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
- grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_with_scope_success);
- run_request_metadata_test(creds, auth_md_ctx, state);
- grpc_core::ExecCtx::Get()->Flush();
-
- /* Second request: the cached token should be served directly. */
- state =
- make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
- grpc_jwt_encode_and_sign_set_override(
- encode_and_sign_jwt_should_not_be_called);
- run_request_metadata_test(creds, auth_md_ctx, state);
- grpc_core::ExecCtx::Get()->Flush();
-
- /* Third request: Different service url, but we still serve
- the cached token because we only use scope and ignore audience. */
- state =
- make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
- auth_md_ctx.service_url = other_test_service_url;
- grpc_jwt_encode_and_sign_set_override(
- encode_and_sign_jwt_should_not_be_called);
- run_request_metadata_test(creds, auth_md_ctx, state);
- grpc_core::ExecCtx::Get()->Flush();
- GPR_ASSERT(strncmp(expected_creds_debug_string_prefix,
- creds->debug_string().c_str(),
- strlen(expected_creds_debug_string_prefix)) == 0);
- creds->Unref();
- gpr_free(json_key_string);
- grpc_jwt_encode_and_sign_set_override(nullptr);
-}
-
static void test_jwt_creds_signing_failure(void) {
const char expected_creds_debug_string_prefix[] =
"JWTAccessCredentials{ExpirationTime:";
@@ -1526,7 +1420,7 @@ static void test_jwt_creds_signing_failure(void) {
0);
grpc_call_credentials* creds =
grpc_service_account_jwt_access_credentials_create(
- json_key_string, grpc_max_auth_token_lifetime(), nullptr, 0);
+ json_key_string, grpc_max_auth_token_lifetime(), nullptr);
grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_failure);
run_request_metadata_test(creds, auth_md_ctx, state);
@@ -1570,7 +1464,7 @@ static void test_google_default_creds_auth_key(void) {
"json_key_google_default_creds", json_key);
gpr_free(json_key);
creds = reinterpret_cast<grpc_composite_channel_credentials*>(
- grpc_google_default_credentials_create(nullptr, nullptr));
+ grpc_google_default_credentials_create(nullptr));
auto* default_creds =
reinterpret_cast<const grpc_google_default_channel_credentials*>(
creds->inner_creds());
@@ -1587,47 +1481,6 @@ static void test_google_default_creds_auth_key(void) {
gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
}
-static void test_google_default_creds_user_provided_scope(void) {
- grpc_core::ExecCtx exec_ctx;
- grpc_composite_channel_credentials* creds;
- char* json_key = test_json_key_str();
- grpc_flush_cached_google_default_credentials();
- set_gce_tenancy_checker_for_testing(test_gce_tenancy_checker);
- g_test_gce_tenancy_checker_called = false;
- g_test_is_on_gce = true;
- set_google_default_creds_env_var_with_file_contents(
- "json_key_google_default_creds", json_key);
- gpr_free(json_key);
- creds = reinterpret_cast<grpc_composite_channel_credentials*>(
- grpc_google_default_credentials_create(nullptr, test_scope));
- auto* default_creds =
- reinterpret_cast<const grpc_google_default_channel_credentials*>(
- creds->inner_creds());
- GPR_ASSERT(default_creds->ssl_creds() != nullptr);
- grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
- nullptr, nullptr};
- std::string expected_md_value = absl::StrCat("Bearer ", test_signed_jwt3);
- expected_md emd[] = {{"authorization", expected_md_value.c_str()}};
- request_metadata_state* state =
- make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
- grpc_jwt_encode_and_sign_set_override(encode_and_sign_jwt_with_scope_success);
- run_request_metadata_test(
- const_cast<grpc_call_credentials*>(creds->call_creds()), auth_md_ctx,
- state);
- grpc_core::ExecCtx::Get()->Flush();
- auto* jwt =
- reinterpret_cast<const grpc_service_account_jwt_access_credentials*>(
- creds->call_creds());
- GPR_ASSERT(
- strcmp(jwt->key().client_id,
- "777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent.com") ==
- 0);
-
- GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
- creds->Unref();
- gpr_setenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); /* Reset. */
-}
-
static void test_google_default_creds_refresh_token(void) {
grpc_core::ExecCtx exec_ctx;
grpc_composite_channel_credentials* creds;
@@ -1635,7 +1488,7 @@ static void test_google_default_creds_refresh_token(void) {
set_google_default_creds_env_var_with_file_contents(
"refresh_token_google_default_creds", test_refresh_token_str);
creds = reinterpret_cast<grpc_composite_channel_credentials*>(
- grpc_google_default_credentials_create(nullptr, nullptr));
+ grpc_google_default_credentials_create(nullptr));
auto* default_creds =
reinterpret_cast<const grpc_google_default_channel_credentials*>(
creds->inner_creds());
@@ -1686,7 +1539,7 @@ static void test_google_default_creds_gce(void) {
/* Simulate a successful detection of GCE. */
grpc_composite_channel_credentials* creds =
reinterpret_cast<grpc_composite_channel_credentials*>(
- grpc_google_default_credentials_create(nullptr, nullptr));
+ grpc_google_default_credentials_create(nullptr));
/* Verify that the default creds actually embeds a GCE creds. */
GPR_ASSERT(creds != nullptr);
@@ -1725,7 +1578,7 @@ static void test_google_default_creds_non_gce(void) {
httpcli_post_should_not_be_called);
grpc_composite_channel_credentials* creds =
reinterpret_cast<grpc_composite_channel_credentials*>(
- grpc_google_default_credentials_create(nullptr, nullptr));
+ grpc_google_default_credentials_create(nullptr));
/* Verify that the default creds actually embeds a GCE creds. */
GPR_ASSERT(creds != nullptr);
GPR_ASSERT(creds->call_creds() != nullptr);
@@ -1763,12 +1616,10 @@ static void test_no_google_default_creds(void) {
default_creds_gce_detection_httpcli_get_failure_override,
httpcli_post_should_not_be_called);
/* Simulate a successful detection of GCE. */
- GPR_ASSERT(grpc_google_default_credentials_create(nullptr, nullptr) ==
- nullptr);
+ GPR_ASSERT(grpc_google_default_credentials_create(nullptr) == nullptr);
/* Try a second one. GCE detection should occur again. */
g_test_gce_tenancy_checker_called = false;
- GPR_ASSERT(grpc_google_default_credentials_create(nullptr, nullptr) ==
- nullptr);
+ GPR_ASSERT(grpc_google_default_credentials_create(nullptr) == nullptr);
GPR_ASSERT(g_test_gce_tenancy_checker_called == true);
/* Cleanup. */
grpc_override_well_known_credentials_path_getter(nullptr);
@@ -1794,7 +1645,7 @@ static void test_google_default_creds_call_creds_specified(void) {
httpcli_post_should_not_be_called);
grpc_composite_channel_credentials* channel_creds =
reinterpret_cast<grpc_composite_channel_credentials*>(
- grpc_google_default_credentials_create(call_creds, nullptr));
+ grpc_google_default_credentials_create(call_creds));
GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
GPR_ASSERT(channel_creds != nullptr);
GPR_ASSERT(channel_creds->call_creds() != nullptr);
@@ -1853,8 +1704,7 @@ static void test_google_default_creds_not_default(void) {
httpcli_post_should_not_be_called);
grpc_composite_channel_credentials* channel_creds =
reinterpret_cast<grpc_composite_channel_credentials*>(
- grpc_google_default_credentials_create(call_creds.release(),
- nullptr));
+ grpc_google_default_credentials_create(call_creds.release()));
GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
GPR_ASSERT(channel_creds != nullptr);
GPR_ASSERT(channel_creds->call_creds() != nullptr);
@@ -3540,8 +3390,6 @@ int main(int argc, char** argv) {
test_sts_creds_token_file_not_found();
test_jwt_creds_lifetime();
test_jwt_creds_success();
- test_jwt_creds_with_scope_success();
- test_jwt_creds_no_audience_success();
test_jwt_creds_signing_failure();
test_google_default_creds_auth_key();
test_google_default_creds_refresh_token();
@@ -3550,7 +3398,6 @@ int main(int argc, char** argv) {
test_no_google_default_creds();
test_google_default_creds_call_creds_specified();
test_google_default_creds_not_default();
- test_google_default_creds_user_provided_scope();
test_metadata_plugin_success();
test_metadata_plugin_failure();
test_get_well_known_google_credentials_file_path();
diff --git a/test/core/security/json_token_test.cc b/test/core/security/json_token_test.cc
index 1235f10dbd9..1ded259b7f4 100644
--- a/test/core/security/json_token_test.cc
+++ b/test/core/security/json_token_test.cc
@@ -249,6 +249,7 @@ static void check_jwt_claim(const Json& claim, const char* expected_audience,
GPR_ASSERT(value.type() == Json::Type::STRING);
GPR_ASSERT(value.string_value() ==
"777-abaslkan11hlb6nmim3bpspl31ud@developer.gserviceaccount.com");
+
if (expected_scope != nullptr) {
GPR_ASSERT(object.find("sub") == object.end());
value = object["scope"];
@@ -262,13 +263,9 @@ static void check_jwt_claim(const Json& claim, const char* expected_audience,
GPR_ASSERT(value.string_value() == object["iss"].string_value());
}
- if (expected_audience != nullptr) {
- value = object["aud"];
- GPR_ASSERT(value.type() == Json::Type::STRING);
- GPR_ASSERT(value.string_value() == expected_audience);
- } else {
- GPR_ASSERT(object.find("aud") == object.end());
- }
+ value = object["aud"];
+ GPR_ASSERT(value.type() == Json::Type::STRING);
+ GPR_ASSERT(value.string_value() == expected_audience);
gpr_timespec expiration = gpr_time_0(GPR_CLOCK_REALTIME);
value = object["exp"];
@@ -315,31 +312,18 @@ static void check_jwt_signature(const char* b64_signature, RSA* rsa_key,
static char* service_account_creds_jwt_encode_and_sign(
const grpc_auth_json_key* key) {
return grpc_jwt_encode_and_sign(key, GRPC_JWT_OAUTH2_AUDIENCE,
- grpc_max_auth_token_lifetime(), test_scope,
- false);
-}
-
-static char* service_account_creds_no_audience_jwt_encode_and_sign(
- const grpc_auth_json_key* key) {
- return grpc_jwt_encode_and_sign(key, GRPC_JWT_OAUTH2_AUDIENCE,
- grpc_max_auth_token_lifetime(), test_scope,
- true);
+ grpc_max_auth_token_lifetime(), test_scope);
}
static char* jwt_creds_jwt_encode_and_sign(const grpc_auth_json_key* key) {
- return grpc_jwt_encode_and_sign(
- key, test_service_url, grpc_max_auth_token_lifetime(), nullptr, false);
+ return grpc_jwt_encode_and_sign(key, test_service_url,
+ grpc_max_auth_token_lifetime(), nullptr);
}
static void service_account_creds_check_jwt_claim(const Json& claim) {
check_jwt_claim(claim, GRPC_JWT_OAUTH2_AUDIENCE, test_scope);
}
-static void service_account_creds_no_audience_check_jwt_claim(
- const Json& claim) {
- check_jwt_claim(claim, nullptr, test_scope);
-}
-
static void jwt_creds_check_jwt_claim(const Json& claim) {
check_jwt_claim(claim, test_service_url, nullptr);
}
@@ -384,12 +368,6 @@ static void test_service_account_creds_jwt_encode_and_sign(void) {
service_account_creds_check_jwt_claim);
}
-static void test_service_account_creds_no_audience_jwt_encode_and_sign(void) {
- test_jwt_encode_and_sign(
- service_account_creds_no_audience_jwt_encode_and_sign,
- service_account_creds_no_audience_check_jwt_claim);
-}
-
static void test_jwt_creds_jwt_encode_and_sign(void) {
test_jwt_encode_and_sign(jwt_creds_jwt_encode_and_sign,
jwt_creds_check_jwt_claim);
@@ -464,7 +442,6 @@ int main(int argc, char** argv) {
test_parse_json_key_failure_no_private_key_id();
test_parse_json_key_failure_no_private_key();
test_service_account_creds_jwt_encode_and_sign();
- test_service_account_creds_no_audience_jwt_encode_and_sign();
test_jwt_creds_jwt_encode_and_sign();
test_parse_refresh_token_success();
test_parse_refresh_token_failure_no_type();
diff --git a/test/core/security/jwt_verifier_test.cc b/test/core/security/jwt_verifier_test.cc
index 0aff29b2795..21ed63fcfd1 100644
--- a/test/core/security/jwt_verifier_test.cc
+++ b/test/core/security/jwt_verifier_test.cc
@@ -383,7 +383,7 @@ static void test_jwt_verifier_google_email_issuer_success(void) {
grpc_httpcli_set_override(httpcli_get_google_keys_for_email,
httpcli_post_should_not_be_called);
jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
- nullptr, false);
+ nullptr);
grpc_auth_json_key_destruct(&key);
GPR_ASSERT(jwt != nullptr);
grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
@@ -417,7 +417,7 @@ static void test_jwt_verifier_custom_email_issuer_success(void) {
grpc_httpcli_set_override(httpcli_get_custom_keys_for_email,
httpcli_post_should_not_be_called);
jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
- nullptr, false);
+ nullptr);
grpc_auth_json_key_destruct(&key);
GPR_ASSERT(jwt != nullptr);
grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
@@ -465,7 +465,7 @@ static void test_jwt_verifier_url_issuer_success(void) {
grpc_httpcli_set_override(httpcli_get_openid_config,
httpcli_post_should_not_be_called);
jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
- nullptr, false);
+ nullptr);
grpc_auth_json_key_destruct(&key);
GPR_ASSERT(jwt != nullptr);
grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
@@ -505,7 +505,7 @@ static void test_jwt_verifier_url_issuer_bad_config(void) {
grpc_httpcli_set_override(httpcli_get_bad_json,
httpcli_post_should_not_be_called);
jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
- nullptr, false);
+ nullptr);
grpc_auth_json_key_destruct(&key);
GPR_ASSERT(jwt != nullptr);
grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
@@ -528,7 +528,7 @@ static void test_jwt_verifier_bad_json_key(void) {
grpc_httpcli_set_override(httpcli_get_bad_json,
httpcli_post_should_not_be_called);
jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
- nullptr, false);
+ nullptr);
grpc_auth_json_key_destruct(&key);
GPR_ASSERT(jwt != nullptr);
grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
@@ -579,7 +579,7 @@ static void test_jwt_verifier_bad_signature(void) {
grpc_httpcli_set_override(httpcli_get_openid_config,
httpcli_post_should_not_be_called);
jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
- nullptr, false);
+ nullptr);
grpc_auth_json_key_destruct(&key);
corrupt_jwt_sig(jwt);
GPR_ASSERT(jwt != nullptr);