AppEngineCredential depends on legacy bundled service

[yonghaoy]

Hello, we are upgrading GAE from Java 8 to 11 and also trying to get ride of legacy bundled service .

Here is how we generate default AccessToken today.

GoogleCredentials credentials = AppEngineCredentials.newBuilder().setScopes(scopes).setAppIdentityService(AppIdentityServiceFactory.getAppIdentityService()).build();

The reason we do it this way is because if using GoogleCredentials.getDefaulCredential, because the call to .createScoped will silently proceed by doing nothing?

Question:
1: How to use AppEngineCredentials without turning on legacy bundle? Because I get feature not enabled error when calling without turning it on
2: Do we still need to include appengine-sdk1.0 in our dependency? As those imports are there:

import com.google.appengine.api.appidentity.AppIdentityService;
import com.google.appengine.api.appidentity.AppIdentityService.GetAccessTokenResult;
import com.google.appengine.api.appidentity.AppIdentityServiceFactory;

Thanks

[yonghaoy]

And why GoogleCredentials.getDefaulCredential does not work, I suspect it's related with
#1274

[arithmetic1728]

I guess you meant GoogleCredentials.getApplicationDefault method.

From the code, it looks like createScoped should work with GoogleCredentials.getApplicationDefault, if it returns an app engine credentials.

The getApplicationDefault code to get app engine cred:
https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java#L197-L199

App engine code to add scopes:
https://github.com/googleapis/google-auth-library-java/blob/main/appengine/java/com/google/auth/appengine/AppEngineCredentials.java#L94

For the Java specific question, I will leave it to our Java expert.

[yonghaoy]

createScoped does not work after upgrading from 1.11 to 1.24. I suspect that is similar to #1274...

For now, we have to bring back legacy service and use the old way to get a token that with scopes.
https://github.com/all-of-us/workbench/blob/727be385a0c5b3895ddf8650c4900aef4875a278/api/src/main/java/org/pmiops/workbench/auth/ServiceAccounts.java#L39L53

[yonghaoy]

Also for the code you pointed above: https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java#L197-L199
seems it only works for GAE 7 standard env? Is that right?

[lqiu96]

Hi @yonghaoy Sorry for the delay is response, but wanted to follow up to see if this is still an issue that you're seeing with App Engine.

The GAE 7 Standard check is something that we're trying to figure out and I've posed a question in #1376 as well. We'll try to figure out how to proceed with this since it seems to be a legacy thing.

createScoped does not work after upgrading from 1.11 to 1.24

Can you explain a bit more about what you mean by does not work? Is there a certain behavior that you were expecting? From reading the ticket you linked above, it seems like we've tried reproing this locally and are unable to reproduce this.

Can you try and use the latest versions of the auth library and let us know if you're still seeing this issue?

[yonghaoy]

Hey @lqiu96 thanks for checking back, it's been a while and I forgot the detail.
Trying to refresh my mind, and here is what I know so far:
1: We are still having this issue:
that means at least we still need to import legacy bundle dependency but we can not.
Reason we need legacy bundle service is the same - we can not ADC, we need to get GAE credential using this line

2: "does not work" meaning
Same as before, GoogleCredentials.getApplicationDefault.createScoped does nothing, silently does nothing.
❌Does not work: expected scope not present:

ADC.createScoped(https://www.googleapis.com/auth/cloud-billing)

✅ Current walk around - that's how we get billing scope:

AppEngineCredentials.newBuilder()
              .setScopes([scopes](https://www.googleapis.com/auth/cloud-billing))
              .setAppIdentityService(AppIdentityServiceFactory.getAppIdentityService())
              .build()

[lqiu96]

When you run GoogleCredentials.getApplicationDefault() in your env , what type of Credentials is returned to you? I know you're not doing this right now, but wanted to see what ADC would resolve for you.

What GAE env are you running on? I'm the potential issue may be related to the GAE 7 check we have.

does nothing, silently does nothing.

How are you verifying that the new Credentials contains the scopes you wanted? Can you show me the output of ADC.toString() before and after the calls to createScopes()?

i.e.

GoogleCredentials adc = GoogleCredentials.getApplicationDefault();
System.out.println(adc.toString());
GoogleCredetnials adcScoped = adc.createScoped({scopes});
System.out.println(adcScoped.toString());

I believe most Credential implementations of toString() should print the scopes.

[yonghaoy]

• We are on java17 standard
• How to tell: something similar to what you said. Add a breakpoint for before/after setting scope using ADC. printout token, then use https://www.googleapis.com/oauth2/v1/tokeninfo?access_token= to check scopes.
• Not sure if this is being helpful, I suspect there is a change around 1.11 that breaks us, but I am not able to chase down the exact change except my linked issue above...