From 6960458778b16803ad3ce11c59fd10597f1e77b7 Mon Sep 17 00:00:00 2001 From: Yang Gao Date: Fri, 17 Apr 2015 15:41:36 -0700 Subject: [PATCH 1/7] Clarify auth test definitions --- doc/interop-test-descriptions.md | 49 +++++++++++++++++--------------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/doc/interop-test-descriptions.md b/doc/interop-test-descriptions.md index 3f5ce37e1ed..f37b1a22756 100644 --- a/doc/interop-test-descriptions.md +++ b/doc/interop-test-descriptions.md @@ -2,7 +2,7 @@ Interoperability Test Case Descriptions ======================================= Client and server use -[test.proto](https://github.com/grpc/grpc/blob/master/test/cpp/interop/test.proto) +[test.proto](https://github.com/grpc/grpc/blob/master/test/proto/test.proto) and the [gRPC over HTTP/2 v2 protocol](https://github.com/grpc/grpc-common/blob/master/PROTOCOL-HTTP2.md). @@ -30,6 +30,12 @@ Clients should accept these arguments: * Whether to replace platform root CAs with [ca.pem](https://github.com/grpc/grpc/blob/master/src/core/tsi/test_creds/ca.pem) as the CA root +* --default_service_account=ACCOUNT_EMAIL + * Email in the GCE default service account. Only applicable when running in GCE. +* --oauth_scope=SCOPE + * OAuth scope. For example, "https://www.googleapis.com/auth/xapi.zoo" +* --service_account_key_file=PATH + * The path to the service account JSON key file generated from GCE developer console. Clients must support TLS with ALPN. Clients must not disable certificate checking. @@ -259,8 +265,6 @@ Asserts: ### compute_engine_creds -Status: Not yet implementable - This test is only for cloud-to-prod path. This test verifies unary calls succeed in sending messages while using Service 
@@ -270,12 +274,12 @@ with desired oauth scope. Server features: * [UnaryCall][] * [Compressable Payload][] -* SimpeResponse.username -* SimpleResponse.oauth_scope +* Echo authenticated username in SimpeResponse.username +* Echo OAuth scope SimpleResponse.oauth_scope Procedure: - 1. Client sets flags default_service_account with GCE service account name and - oauth_scope with the oauth scope to use. + 1. Client sets --default_service_account with GCE service account email and + --oauth_scope with the OAuth scope to use. For testing against grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in as --oauth_scope. 2. Client configures channel to use GCECredentials 3. Client calls UnaryCall on the channel with: @@ -293,16 +297,14 @@ Procedure: Asserts: * call was successful -* received SimpleResponse.username equals FLAGS_default_service_account -* received SimpleResponse.oauth_scope is in FLAGS_oauth_scope +* received SimpleResponse.username equals --default_service_account +* received SimpleResponse.oauth_scope is in --oauth_scope * response payload body is 314159 bytes in size * clients are free to assert that the response payload body contents are zero and comparing the entire response message against a golden response ### service_account_creds -Status: Not yet implementable - This test is only for cloud-to-prod path. This test verifies unary calls succeed in sending messages while using JWT 
@@ -310,13 +312,12 @@ signing keys (redeemed for OAuth2 access tokens by the auth implementation) Server features: * [UnaryCall][] -* [Compressable Payload][] -* SimpleResponse.username -* SimpleResponse.oauth_scope +* [Compressable Payload][ +* Echo authenticated username in SimpeResponse.username +* Echo OAuth scope SimpleResponse.oauth_scope Procedure: - 1. Client sets flags service_account_key_file with the path to json key file, - oauth_scope to the oauth scope. + 1. Client sets --service_account_key_file with the path to a json key file downloaded from console.developers.google.com, and --oauth_scope to the oauth scope. For testing against grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in as --oauth_scope. 2. Client configures the channel to use ServiceAccountCredentials. 3. Client calls UnaryCall with: @@ -335,16 +336,14 @@ Procedure: Asserts: * call was successful * received SimpleResponse.username is in the json key file read from - FLAGS_service_account_key_file -* received SimpleResponse.oauth_scope is in FLAGS_oauth_scope + --service_account_key_file +* received SimpleResponse.oauth_scope is in --oauth_scope * response payload body is 314159 bytes in size * clients are free to assert that the response payload body contents are zero and comparing the entire response message against a golden response ### jwt_token_creds -Status: Not yet implementable - This test is only for cloud-to-prod path. This test verifies unary calls succeed in sending messages while using JWT @@ -357,7 +356,7 @@ Server features: * SimpleResponse.oauth_scope Procedure: - 1. Client sets flags service_account_key_file with the path to json key file + 1. Client sets flags --service_account_key_file with the path to json key file downloaded from console.developers.google.com. 2. Client configures the channel to use JWTTokenCredentials. 3. Client calls UnaryCall with: 
@@ -375,7 +374,7 @@ Procedure: Asserts: * call was successful * received SimpleResponse.username is in the json key file read from - FLAGS_service_account_key_file + --service_account_key_file * response payload body is 314159 bytes in size * clients are free to assert that the response payload body contents are zero and comparing the entire response message against a golden response @@ -621,7 +620,7 @@ response_type, then it should fail the RPC with INVALID_ARGUMENT. If the request sets fill_username, the server should return the client username it sees in field SimpleResponse.username. If the request sets fill_oauth_scope, -the server should return the oauth scope of the rpc in the form of "xapi_zoo" +the server should return the oauth scope of the rpc in the form of "xapi.zoo" in field SimpleResponse.oauth_scope. ### StreamingInputCall @@ -678,8 +677,12 @@ canonical form of the authenticated source. The canonical form is dependent on the authentication method, but is likely to be a base 10 integer identifier or an email address. +If a SimpleRequest has fill_oauth_scope=true and that request was successfully authenticated via OAuth, then the SimpleResponse should have oauth_scope filled with the scope of the method being invoked. + Discussion: Ideally, this would be communicated via metadata and not in the request/response, but we want to use this test in code paths that don't yet fully communicate metadata. + +The server side auth echoing is only implemented in the server sitting behind grpc-test.sandbox.google.com and is enabled only for UnaryCall. In this case the expected OAuth scope is "https://www.googleapis.com/auth/xapi.zoo". From 70b2e88219813aab03e2f13b95f4dc7b04d26ac1 Mon Sep 17 00:00:00 2001 From: Yang Gao Date: Fri, 17 Apr 2015 15:48:37 -0700 Subject: [PATCH 2/7] minor fixes --- doc/interop-test-descriptions.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/doc/interop-test-descriptions.md b/doc/interop-test-descriptions.md index f37b1a22756..eca18f324de 100644 --- a/doc/interop-test-descriptions.md +++ b/doc/interop-test-descriptions.md @@ -31,7 +31,7 @@ Clients should accept these arguments: [ca.pem](https://github.com/grpc/grpc/blob/master/src/core/tsi/test_creds/ca.pem) as the CA root * --default_service_account=ACCOUNT_EMAIL - * Email in the GCE default service account. Only applicable when running in GCE. + * Email of the GCE default service account. Only applicable when running in GCE. * --oauth_scope=SCOPE * OAuth scope. For example, "https://www.googleapis.com/auth/xapi.zoo" * --service_account_key_file=PATH @@ -274,12 +274,12 @@ with desired oauth scope. Server features: * [UnaryCall][] * [Compressable Payload][] -* Echo authenticated username in SimpeResponse.username -* Echo OAuth scope SimpleResponse.oauth_scope +* Echoes authenticated username in SimpeResponse.username +* Echoes OAuth scope in SimpleResponse.oauth_scope Procedure: 1. Client sets --default_service_account with GCE service account email and - --oauth_scope with the OAuth scope to use. For testing against grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in as --oauth_scope. + --oauth_scope with the OAuth scope to use. For testing against https://grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in as --oauth_scope. 2. Client configures channel to use GCECredentials 3. Client calls UnaryCall on the channel with: 
@@ -312,12 +312,12 @@ signing keys (redeemed for OAuth2 access tokens by the auth implementation) Server features: * [UnaryCall][] -* [Compressable Payload][ -* Echo authenticated username in SimpeResponse.username -* Echo OAuth scope SimpleResponse.oauth_scope +* [Compressable Payload][] +* Echoes authenticated username in SimpeResponse.username +* Echoes OAuth scope in SimpleResponse.oauth_scope Procedure: - 1. Client sets --service_account_key_file with the path to a json key file downloaded from console.developers.google.com, and --oauth_scope to the oauth scope. For testing against grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in as --oauth_scope. + 1. Client sets --service_account_key_file with the path to a json key file downloaded from https://console.developers.google.com, and --oauth_scope to the oauth scope. For testing against https://grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in as --oauth_scope. 2. Client configures the channel to use ServiceAccountCredentials. 3. Client calls UnaryCall with: @@ -356,7 +356,7 @@ Server features: * SimpleResponse.oauth_scope Procedure: - 1. Client sets flags --service_account_key_file with the path to json key file downloaded from console.developers.google.com. + 1. Client sets flags --service_account_key_file with the path to json key file downloaded from https://console.developers.google.com. 2. Client configures the channel to use JWTTokenCredentials. 3. Client calls UnaryCall with: 
@@ -685,4 +685,4 @@ Ideally, this would be communicated via metadata and not in the request/response, but we want to use this test in code paths that don't yet fully communicate metadata. -The server side auth echoing is only implemented in the server sitting behind grpc-test.sandbox.google.com and is enabled only for UnaryCall. In this case the expected OAuth scope is "https://www.googleapis.com/auth/xapi.zoo". +The server side auth echoing is only implemented in the server sitting behind https://grpc-test.sandbox.google.com and is enabled only for UnaryCall. In this case the expected OAuth scope is "https://www.googleapis.com/auth/xapi.zoo". From 4bb08aefa7e590eacb62f1ddaa749a46d0dd6382 Mon Sep 17 00:00:00 2001 From: Yang Gao Date: Fri, 17 Apr 2015 16:38:56 -0700 Subject: [PATCH 3/7] resolve comments --- doc/interop-test-descriptions.md | 82 ++++++++++++++++++++------------ 1 file changed, 51 insertions(+), 31 deletions(-) diff --git a/doc/interop-test-descriptions.md b/doc/interop-test-descriptions.md index eca18f324de..7816991a7b1 100644 --- a/doc/interop-test-descriptions.md +++ b/doc/interop-test-descriptions.md @@ -31,11 +31,13 @@ Clients should accept these arguments: [ca.pem](https://github.com/grpc/grpc/blob/master/src/core/tsi/test_creds/ca.pem) as the CA root * --default_service_account=ACCOUNT_EMAIL - * Email of the GCE default service account. Only applicable when running in GCE. + * Email of the GCE default service account. Only applicable when running in + GCE. * --oauth_scope=SCOPE * OAuth scope. For example, "https://www.googleapis.com/auth/xapi.zoo" * --service_account_key_file=PATH - * The path to the service account JSON key file generated from GCE developer console. + * The path to the service account JSON key file generated from GCE developer + console. Clients must support TLS with ALPN. Clients must not disable certificate checking. 
@@ -271,17 +273,20 @@ This test verifies unary calls succeed in sending messages while using Service Credentials from GCE metadata server. The client instance needs to be created with desired oauth scope. +The test sets ```--default_service_account``` with GCE service account email and +```--oauth_scope``` with the OAuth scope to use. For testing against +grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should +be passed in as ```--oauth_scope```. + Server features: * [UnaryCall][] * [Compressable Payload][] -* Echoes authenticated username in SimpeResponse.username -* Echoes OAuth scope in SimpleResponse.oauth_scope +* [Echo Username][] +* [Echo OAuth Scope][] Procedure: - 1. Client sets --default_service_account with GCE service account email and - --oauth_scope with the OAuth scope to use. For testing against https://grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in as --oauth_scope. - 2. Client configures channel to use GCECredentials - 3. Client calls UnaryCall on the channel with: + 1. Client configures channel to use GCECredentials + 2. Client calls UnaryCall on the channel with: ``` { @@ -297,8 +302,8 @@ Procedure: Asserts: * call was successful -* received SimpleResponse.username equals --default_service_account -* received SimpleResponse.oauth_scope is in --oauth_scope +* received SimpleResponse.username equals the value of ```--default_service_account``` flag +* received SimpleResponse.oauth_scope is in ```--oauth_scope``` * response payload body is 314159 bytes in size * clients are free to assert that the response payload body contents are zero and comparing the entire response message against a golden response 
@@ -310,16 +315,21 @@ This test is only for cloud-to-prod path. This test verifies unary calls succeed in sending messages while using JWT signing keys (redeemed for OAuth2 access tokens by the auth implementation) +The test sets ```--service_account_key_file``` with the path to a json key file +downloaded from https://console.developers.google.com, and ```--oauth_scope``` +to the oauth scope. For testing against grpc-test.sandbox.google.com, +"https://www.googleapis.com/auth/xapi.zoo" should be passed in as +```--oauth_scope```. + Server features: * [UnaryCall][] * [Compressable Payload][] -* Echoes authenticated username in SimpeResponse.username -* Echoes OAuth scope in SimpleResponse.oauth_scope +* [Echo Username][] +* [Echo OAuth Scope][] Procedure: - 1. Client sets --service_account_key_file with the path to a json key file downloaded from https://console.developers.google.com, and --oauth_scope to the oauth scope. For testing against https://grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in as --oauth_scope. - 2. Client configures the channel to use ServiceAccountCredentials. - 3. Client calls UnaryCall with: + 1. Client configures the channel to use ServiceAccountCredentials. + 2. Client calls UnaryCall with: ``` { @@ -336,8 +346,8 @@ Procedure: Asserts: * call was successful * received SimpleResponse.username is in the json key file read from - --service_account_key_file -* received SimpleResponse.oauth_scope is in --oauth_scope + ```--service_account_key_file``` +* received SimpleResponse.oauth_scope is in ```--oauth_scope``` * response payload body is 314159 bytes in size * clients are free to assert that the response payload body contents are zero and comparing the entire response message against a golden response 
@@ -349,16 +359,18 @@ This test is only for cloud-to-prod path. This test verifies unary calls succeed in sending messages while using JWT token (created by the project's key file) +Client sets flag ```--service_account_key_file``` with the path to json key +file downloaded from https://console.developers.google.com. + Server features: * [UnaryCall][] * [Compressable Payload][] -* SimpleResponse.username -* SimpleResponse.oauth_scope +* [Echo Username][] +* [Echo OAuth Scope][] Procedure: - 1. Client sets flags --service_account_key_file with the path to json key file downloaded from https://console.developers.google.com. - 2. Client configures the channel to use JWTTokenCredentials. - 3. Client calls UnaryCall with: + 1. Client configures the channel to use JWTTokenCredentials. + 2. Client calls UnaryCall with: ``` { @@ -374,7 +386,7 @@ Procedure: Asserts: * call was successful * received SimpleResponse.username is in the json key file read from - --service_account_key_file + ```--service_account_key_file``` * response payload body is 314159 bytes in size * clients are free to assert that the response payload body contents are zero and comparing the entire response message against a golden response @@ -393,7 +405,8 @@ Server features: back to client in both header and trailer. (TODO: this is not defined) Procedure: - 1. While sending custom metadata (ascii + binary) in the header, client calls UnaryCall with: + 1. While sending custom metadata (ascii + binary) in the header, client calls + UnaryCall with: ``` { 
@@ -618,11 +631,6 @@ payload body of size SimpleRequest.response_size bytes and type as appropriate for the SimpleRequest.response_type. If the server does not support the response_type, then it should fail the RPC with INVALID_ARGUMENT. -If the request sets fill_username, the server should return the client username -it sees in field SimpleResponse.username. If the request sets fill_oauth_scope, -the server should return the oauth scope of the rpc in the form of "xapi.zoo" -in field SimpleResponse.oauth_scope. - ### StreamingInputCall [StreamingInputCall]: #streaminginputcall @@ -671,13 +679,26 @@ Interaction with flow control is unspecified. Status: Pending +#### Echo authenticated user name +[Echo Username]: #echo-username + If a SimpleRequest has fill_username=true and that request was successfully authenticated, then the SimpleResponse should have username filled with the canonical form of the authenticated source. The canonical form is dependent on the authentication method, but is likely to be a base 10 integer identifier or an email address. -If a SimpleRequest has fill_oauth_scope=true and that request was successfully authenticated via OAuth, then the SimpleResponse should have oauth_scope filled with the scope of the method being invoked. +#### Echo OAuth scope +[Echo OAuth Scope]: #echo-oauth-scope + +If a SimpleRequest has fill_oauth_scope=true and that request was successfully +authenticated via OAuth, then the SimpleResponse should have oauth_scope filled +with the scope of the method being invoked. + +Although a general server-side feature, most test servers won't implement this +feature. The TLS server grpc-test.sandbox.google.com:443 supports this feature. +It requires at least the OAuth scope +```https://www.googleapis.com/auth/xapi.zoo``` for authentication to succeed. Discussion: 
@@ -685,4 +706,3 @@ Ideally, this would be communicated via metadata and not in the request/response, but we want to use this test in code paths that don't yet fully communicate metadata. -The server side auth echoing is only implemented in the server sitting behind https://grpc-test.sandbox.google.com and is enabled only for UnaryCall. In this case the expected OAuth scope is "https://www.googleapis.com/auth/xapi.zoo". From ae972b2d34e9b85b1eb8d7ed02ed8f53452c6334 Mon Sep 17 00:00:00 2001 From: Yang Gao Date: Fri, 17 Apr 2015 16:48:13 -0700 Subject: [PATCH 4/7] Update interop-test-descriptions.md resolve comments --- doc/interop-test-descriptions.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/interop-test-descriptions.md b/doc/interop-test-descriptions.md index 7816991a7b1..d40da2df0f9 100644 --- a/doc/interop-test-descriptions.md +++ b/doc/interop-test-descriptions.md @@ -281,7 +281,7 @@ be passed in as ```--oauth_scope```. Server features: * [UnaryCall][] * [Compressable Payload][] -* [Echo Username][] +* [Echo Authenticated Username][] * [Echo OAuth Scope][] Procedure: @@ -318,13 +318,13 @@ signing keys (redeemed for OAuth2 access tokens by the auth implementation) The test sets ```--service_account_key_file``` with the path to a json key file downloaded from https://console.developers.google.com, and ```--oauth_scope``` to the oauth scope. For testing against grpc-test.sandbox.google.com, -"https://www.googleapis.com/auth/xapi.zoo" should be passed in as -```--oauth_scope```. +"https://www.googleapis.com/auth/xapi.zoo" should be passed in +as ```--oauth_scope```. Server features: * [UnaryCall][] * [Compressable Payload][] -* [Echo Username][] +* [Echo Authenticated Username][] * [Echo OAuth Scope][] Procedure: 
@@ -365,7 +365,7 @@ file downloaded from https://console.developers.google.com. Server features: * [UnaryCall][] * [Compressable Payload][] -* [Echo Username][] +* [Echo Authenticated Username][] * [Echo OAuth Scope][] Procedure: @@ -679,8 +679,8 @@ Interaction with flow control is unspecified. Status: Pending -#### Echo authenticated user name -[Echo Username]: #echo-username +#### Echo Authenticated Username +[Echo Authenticated Username]: #echo-username If a SimpleRequest has fill_username=true and that request was successfully authenticated, then the SimpleResponse should have username filled with the From 0d197edceae28a7c2de4beb1ade7d55d616d08f9 Mon Sep 17 00:00:00 2001 From: Yang Gao Date: Mon, 20 Apr 2015 13:09:37 -0700 Subject: [PATCH 5/7] Update interop-test-descriptions.md --- doc/interop-test-descriptions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/interop-test-descriptions.md b/doc/interop-test-descriptions.md index d40da2df0f9..0839d0ad5c5 100644 --- a/doc/interop-test-descriptions.md +++ b/doc/interop-test-descriptions.md @@ -273,7 +273,7 @@ This test verifies unary calls succeed in sending messages while using Service Credentials from GCE metadata server. The client instance needs to be created with desired oauth scope. -The test sets ```--default_service_account``` with GCE service account email and +The test uses ```--default_service_account``` with GCE service account email and ```--oauth_scope``` with the OAuth scope to use. For testing against grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in as ```--oauth_scope```. 
@@ -315,7 +315,7 @@ This test is only for cloud-to-prod path. This test verifies unary calls succeed in sending messages while using JWT signing keys (redeemed for OAuth2 access tokens by the auth implementation) -The test sets ```--service_account_key_file``` with the path to a json key file +The test uses ```--service_account_key_file``` with the path to a json key file downloaded from https://console.developers.google.com, and ```--oauth_scope``` to the oauth scope. For testing against grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in @@ -680,7 +680,7 @@ Interaction with flow control is unspecified. Status: Pending #### Echo Authenticated Username -[Echo Authenticated Username]: #echo-username +[Echo Authenticated Username]: #echo-authenticated-username If a SimpleRequest has fill_username=true and that request was successfully authenticated, then the SimpleResponse should have username filled with the From 0464af155c93b510fd3e0383a9fc686741286fc9 Mon Sep 17 00:00:00 2001 From: Yang Gao Date: Mon, 20 Apr 2015 13:41:13 -0700 Subject: [PATCH 6/7] Update interop-test-descriptions.md --- doc/interop-test-descriptions.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/doc/interop-test-descriptions.md b/doc/interop-test-descriptions.md index 0839d0ad5c5..2609e7fc952 100644 --- a/doc/interop-test-descriptions.md +++ b/doc/interop-test-descriptions.md @@ -31,8 +31,8 @@ Clients should accept these arguments: [ca.pem](https://github.com/grpc/grpc/blob/master/src/core/tsi/test_creds/ca.pem) as the CA root * --default_service_account=ACCOUNT_EMAIL - * Email of the GCE default service account. Only applicable when running in - GCE. + * Email of the GCE default service account. Only applicable + for compute_engine_creds test. * --oauth_scope=SCOPE * OAuth scope. For example, "https://www.googleapis.com/auth/xapi.zoo" * --service_account_key_file=PATH 
@@ -346,7 +346,7 @@ Procedure: Asserts: * call was successful * received SimpleResponse.username is in the json key file read from - ```--service_account_key_file``` + ```--service_account_key_file``` * received SimpleResponse.oauth_scope is in ```--oauth_scope``` * response payload body is 314159 bytes in size * clients are free to assert that the response payload body contents are zero @@ -359,8 +359,9 @@ This test is only for cloud-to-prod path. This test verifies unary calls succeed in sending messages while using JWT token (created by the project's key file) -Client sets flag ```--service_account_key_file``` with the path to json key -file downloaded from https://console.developers.google.com. +Test caller should set flag ```--service_account_key_file``` with the +path to json key file downloaded from +https://console.developers.google.com. Server features: * [UnaryCall][] From 6851451fb788c38dca30dcd79f7737b12f351648 Mon Sep 17 00:00:00 2001 From: Yang Gao Date: Mon, 20 Apr 2015 15:12:05 -0700 Subject: [PATCH 7/7] Update interop-test-descriptions.md --- doc/interop-test-descriptions.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/doc/interop-test-descriptions.md b/doc/interop-test-descriptions.md index 2609e7fc952..f67cefadd18 100644 --- a/doc/interop-test-descriptions.md +++ b/doc/interop-test-descriptions.md 
@@ -273,10 +273,10 @@ This test verifies unary calls succeed in sending messages while using Service Credentials from GCE metadata server. The client instance needs to be created with desired oauth scope. -The test uses ```--default_service_account``` with GCE service account email and -```--oauth_scope``` with the OAuth scope to use. For testing against +The test uses `--default_service_account` with GCE service account email and +`--oauth_scope` with the OAuth scope to use. For testing against grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should -be passed in as ```--oauth_scope```. +be passed in as `--oauth_scope`. Server features: * [UnaryCall][] @@ -302,8 +302,8 @@ Procedure: Asserts: * call was successful -* received SimpleResponse.username equals the value of ```--default_service_account``` flag -* received SimpleResponse.oauth_scope is in ```--oauth_scope``` +* received SimpleResponse.username equals the value of `--default_service_account` flag +* received SimpleResponse.oauth_scope is in `--oauth_scope` * response payload body is 314159 bytes in size * clients are free to assert that the response payload body contents are zero and comparing the entire response message against a golden response @@ -315,11 +315,11 @@ This test is only for cloud-to-prod path. This test verifies unary calls succeed in sending messages while using JWT signing keys (redeemed for OAuth2 access tokens by the auth implementation) -The test uses ```--service_account_key_file``` with the path to a json key file -downloaded from https://console.developers.google.com, and ```--oauth_scope``` +The test uses `--service_account_key_file` with the path to a json key file +downloaded from https://console.developers.google.com, and `--oauth_scope` to the oauth scope. For testing against grpc-test.sandbox.google.com, "https://www.googleapis.com/auth/xapi.zoo" should be passed in -as ```--oauth_scope```. +as `--oauth_scope`. Server features: * [UnaryCall][] 
@@ -346,8 +346,8 @@ Procedure: Asserts: * call was successful * received SimpleResponse.username is in the json key file read from - ```--service_account_key_file``` -* received SimpleResponse.oauth_scope is in ```--oauth_scope``` + `--service_account_key_file` +* received SimpleResponse.oauth_scope is in `--oauth_scope` * response payload body is 314159 bytes in size * clients are free to assert that the response payload body contents are zero and comparing the entire response message against a golden response @@ -359,7 +359,7 @@ This test is only for cloud-to-prod path. This test verifies unary calls succeed in sending messages while using JWT token (created by the project's key file) -Test caller should set flag ```--service_account_key_file``` with the +Test caller should set flag `--service_account_key_file` with the path to json key file downloaded from https://console.developers.google.com. @@ -387,7 +387,7 @@ Procedure: Asserts: * call was successful * received SimpleResponse.username is in the json key file read from - ```--service_account_key_file``` + `--service_account_key_file` * response payload body is 314159 bytes in size * clients are free to assert that the response payload body contents are zero and comparing the entire response message against a golden response @@ -699,7 +699,7 @@ with the scope of the method being invoked. Although a general server-side feature, most test servers won't implement this feature. The TLS server grpc-test.sandbox.google.com:443 supports this feature. It requires at least the OAuth scope -```https://www.googleapis.com/auth/xapi.zoo``` for authentication to succeed. +`https://www.googleapis.com/auth/xapi.zoo` for authentication to succeed. Discussion:
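Review bot: In PATCH 3/7, the hunk at `@@ -618,11 +631,6 @@` removes the only sentence that said what the echoed scope looks like ('in the form of "xapi.zoo"'), and the new "Echo OAuth scope" section only says oauth_scope is "filled with the scope of the method being invoked". The asserts in compute_engine_creds and service_account_creds still read "received SimpleResponse.oauth_scope is in `--oauth_scope`", which only makes sense if the server returns a shortened form of the flag value. Please state the returned form in the Echo OAuth Scope section and say explicitly whether "is in" means a substring match, so that implementations in different languages assert the same thing.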
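Review bot: In PATCH 3/7, the jwt_token_creds hunk at `@@ -349,16 +359,18 @@` lists `[Echo OAuth Scope][]` as a required server feature, but the Asserts for that test (hunk `@@ -374,7 +386,7 @@`) check only SimpleResponse.username, and the test's introduction mentions only `--service_account_key_file`, not `--oauth_scope`. Either drop `[Echo OAuth Scope][]` from the jwt_token_creds feature list or add the matching assert and flag, so the listed features and the asserted behaviour agree.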
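Review bot: In PATCH 3/7, the last hunk (`@@ -685,4 +706,3 @@`) deletes the statement that server-side auth echoing "is enabled only for UnaryCall", and the replacement paragraph added under "Echo OAuth scope" does not carry that restriction over. The replacement also sits only under the scope section, while the removed sentence covered auth echoing in general, so the "Echo Authenticated Username" section no longer says which server supports it. Suggest keeping the UnaryCall restriction and repeating the server-support note under the username section. As a smaller point, "for authentication to succeed" in the new paragraph describes a scope requirement, so "authorization" may be the more accurate word.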
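Review bot: In PATCH 1/7, the asserts for service_account_creds and jwt_token_creds (hunks `@@ -335,16 +336,14 @@` and `@@ -375,7 +374,7 @@`) say the username "is in the json key file read from --service_account_key_file" without naming which field of the key file it is compared against. The compute_engine_creds assert is precise ("equals the value of `--default_service_account` flag" after PATCH 3/7). Please name the key-file field and say whether the comparison is equality or containment, otherwise a client that searches the whole file text for the username would pass the test as written.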
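Review bot: In the client arguments hunk (`@@ -30,6 +30,12 @@` in PATCH 1/7, touched again in 2/7, 3/7 and 6/7), only `--default_service_account` ends up saying which test it applies to ("Only applicable for compute_engine_creds test"); `--oauth_scope` and `--service_account_key_file` should get the same treatment. The key file is described here as "generated from GCE developer console" but as "downloaded from https://console.developers.google.com" in the test sections, so one wording should be used throughout. The sandbox host is likewise written three ways across the series (bare hostname, with `https://` in PATCH 2/7, and with `:443` in PATCH 3/7); pick one form.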