Skip to content

fix: disable RAB lookup for Domain-Wide Delegation#17763

Merged
nbayati merged 2 commits into
googleapis:mainfrom
nbayati:skip-rab-dwd
Jul 17, 2026
Merged

fix: disable RAB lookup for Domain-Wide Delegation#17763
nbayati merged 2 commits into
googleapis:mainfrom
nbayati:skip-rab-dwd

Conversation

@nbayati

@nbayati nbayati commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Updates credentials classes to skip building the Regional Access Boundary lookup URL when Domain-Wide Delegation (DWD) is active, as RAB does not apply to Workspace User Accounts via DWD.

Fixes #17703

Updates credentials classes to  skip building the Regional Access Boundary lookup URL when Domain-Wide Delegation (DWD) is active, as RAB does not apply to Workspace User Accounts via DWD.
@nbayati
nbayati requested review from a team as code owners July 17, 2026 07:35

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request aims to bypass Regional Access Boundary (RAB) lookup when a subject is populated for Domain-wide Delegation across several credential classes. However, the reviewer pointed out that ImpersonatedCredentials does not support Domain-Wide Delegation or possess a _subject attribute, which will result in a runtime AttributeError. Consequently, the check in impersonated_credentials.py and its corresponding unit test should be removed.

Comment on lines +367 to +370
if self._subject:
# RAB does not apply to Workspace User Accounts via Domain-wide Delegation.
return None

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Accessing self._subject on ImpersonatedCredentials will raise an AttributeError at runtime because _subject is not an attribute of this class. Furthermore, Domain-Wide Delegation (DWD) is not supported or applicable for impersonated credentials, so this check is unnecessary and should be removed.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting that Gemini thinks this doesn't exist as an attribute of this class - I think it is just flat out wrong here, right?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, it's hallucinating. Unfortunately it seems to be an existing issue with the gemini reviewer on this PR that it checks the code that was modified and if it doesn't see something being imported or initialized in the new block, it doesn't check if it already existed in the file.

Comment on lines +762 to +765
def test_build_regional_access_boundary_lookup_url_with_subject(self):
credentials = self.make_credentials(subject="user@example.com")
assert credentials._build_regional_access_boundary_lookup_url() is None

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Since ImpersonatedCredentials does not support Domain-Wide Delegation or have a _subject attribute, this test is testing an invalid scenario and should be removed.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is based on the same incorrect assumption as the previous comment. _subject is supported and this test correctly verifies the expected behavior when Domain-Wide Delegation is used. Keeping this test as-is.

Comment on lines +367 to +370
if self._subject:
# RAB does not apply to Workspace User Accounts via Domain-wide Delegation.
return None

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting that Gemini thinks this doesn't exist as an attribute of this class - I think it is just flat out wrong here, right?


Returns None if the subject is populated.
"""
if self._subject and self._subject != self._issuer:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just double checking since this is a bit different than the impersonated credentials case where we just look at _subject being set - is this the canonical way for detecting "DwD" here?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it is intentional. In google.auth.jwt.Credentials (unlike service_account.Credentials or ImpersonatedCredentials), subject defaults to client_email (which is the issuer) if not provided. Therefore, self._subject is always populated, and we have to check self._subject != self._issuer to determine if DwD is actually being used. I'll add an inline comment here for our future reference.

@parthea parthea added kokoro:force-run Add this label to force Kokoro to re-run the tests. kokoro:run Add this label to force Kokoro to re-run the tests. labels Jul 17, 2026
@yoshi-kokoro yoshi-kokoro removed kokoro:run Add this label to force Kokoro to re-run the tests. kokoro:force-run Add this label to force Kokoro to re-run the tests. labels Jul 17, 2026
@nbayati
nbayati enabled auto-merge (squash) July 17, 2026 16:17
@nbayati
nbayati merged commit 00eb128 into googleapis:main Jul 17, 2026
40 checks passed
@release-please release-please Bot mentioned this pull request Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Auth: RAB lookup should be skipped in DwD flows

4 participants