Skip to content

fix(auth): Use public refresh method for source credentials in ImpersonatedCredentials #1884

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nbayati merged 1 commit into from
Dec 9, 2025
Merged

fix(auth): Use public refresh method for source credentials in ImpersonatedCredentials #1884

nbayati merged 1 commit into from
Dec 9, 2025

Conversation

@nbayati
Copy link
Contributor

@nbayati nbayati commented Dec 9, 2025

This PR addresses a bug in ImpersonatedCredentials that causes a issues when the source_credential is of a type that does not implement the private _refresh_token method (for example, a custom credential type).

@nbayati nbayati requested review from a team as code owners December 9, 2025 19:08
@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Dec 9, 2025

Summary of Changes

Hello @nbayati, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug within the ImpersonatedCredentials class that previously caused failures when dealing with custom credential types. By switching from a private internal method call to a public refresh mechanism, the change ensures that ImpersonatedCredentials can correctly handle and refresh tokens for a broader range of source_credential implementations, enhancing the robustness and flexibility of the authentication flow.

Highlights

  • Credential Refresh Logic: Updated the ImpersonatedCredentials class to use the public refresh method instead of the private _refresh_token method on source_credentials.
  • Custom Credential Compatibility: Resolved an issue where ImpersonatedCredentials would fail when the source_credential was a custom type that did not implement the private _refresh_token method, improving compatibility.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@nbayati nbayati enabled auto-merge (squash) December 9, 2025 19:09
gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 9, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request effectively resolves a bug in ImpersonatedCredentials by updating the credential refresh mechanism. The change correctly replaces a call to a private method (_refresh_token) with the public refresh method of the source_credentials. This significantly improves the robustness and compatibility of the impersonation flow, especially for custom credential types that may not implement the private _refresh_token method.

google/auth/impersonated_credentials.py
self._source_credentials.token_state == credentials.TokenState.STALE
or self._source_credentials.token_state == credentials.TokenState.INVALID
):
self._source_credentials._refresh_token(request)
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The previous implementation relied on the private _refresh_token method of _source_credentials. This could lead to issues with custom credential types that do not expose this private method, resulting in AttributeError or unexpected behavior. Using the public refresh method, as introduced in this change, ensures adherence to the public API contract and improves compatibility across various credential implementations.

Suggested change
self._source_credentials._refresh_token(request)
self._source_credentials.refresh(request)

@nbayati nbayati merged commit e0c3296 into googleapis:main Dec 9, 2025
12 checks passed
@mfriedy mfriedy mentioned this pull request Dec 9, 2025
Closed
@mikeedjones mikeedjones mentioned this pull request Dec 10, 2025
Closed
@vchudnov-g vchudnov-g mentioned this pull request Dec 13, 2025
Merged
vchudnov-g added a commit that referenced this pull request Dec 15, 2025
@vchudnov-g
chore: librarian release pull request: 20251212T161150Z (#1888)
262eb9e 
PR created by the Librarian CLI to initialize a release. Merging this PR
will auto trigger a release.

Librarian Version: v0.7.0
Language Image:
us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator:latest
<details><summary>google-auth: 2.44.0</summary>

##
[2.44.0](v2.43.0...v2.44.0)
(2025-12-12)

### Features

* MDS connections use mTLS (#1856)
([0387bb9](0387bb95))

* support Python 3.14 (#1822)
([0f7097e](0f7097e7))

* add ecdsa p-384 support (#1872)
([39c381a](39c381a5))

* Add shlex to correctly parse executable commands with spaces (#1855)
([cf6fc3c](cf6fc3cc))

* Implement token revocation in STS client and add revoke() metho…
(#1849)
([d563898](d5638986))

### Bug Fixes

* Add temporary patch to workload cert logic to accomodate Cloud Run
mis-configuration (#1880)
([78de790](78de7907))

* Delegate workload cert and key default lookup to helper function
(#1877)
([b0993c7](b0993c7e))

* Use public refresh method for source credentials in
ImpersonatedCredentials (#1884)
([e0c3296](e0c3296f))

</details>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@daniel-sanche daniel-sanche daniel-sanche approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nbayati @daniel-sanche