Fall back to gcloud session if application_default_credentials.json is invalid/expired

[andrewhamon]

If ~/.config/gcloud/application_default_credentials.json exists and is invalid, oauth2l will always fail, even if I log in to gcloud using gcloud auth login.

This is quite annoying, since it is quite common for stale ~/.config/gcloud/application_default_credentials.json to be hanging around (i.e. if I ran gcloud auth login --update-adc yesterday, but later logged in today without --update-adc). In my company, application_default_credentials.json that are fetched in this way expire relatively quickly (24 hours or less).

It would be very convenient if oauth2l did some or all of the following:

• fall back to the non-application-default gcloud session if application_default_credentials.json fail
• add a flag to make oauth2l ignore application_default_credentials.json
• change the priority order, so that a gcloud session is preferred over application_default_credentials.json

[andrewhamon]

Somewhat related, on gcloud servers it is not uncommon to be logged in with a personal identity. As far as I know, there is no way to tell oauth2l if it should prefer the current gcloud session, application_default_credentials.json, or the instances service account (all of which could be different identities, in theory).

[andyrzhao]

Hi there, the issue is that that "gcloud auth login" (for logging into gcloud SDK) is completely independent of "gcloud auth application-default login" (for generating ADC for other tools such as oauth2l and terraform etc.) If you'd like oauth2l to work with a non-stale ADC, you will have to run the latter command. FYI, "gcloud auth login" generates credentials in an internal gcloud DB that is inaccessible by other tools - this is somewhat by design. There had been some plans to make oauth2l self-sufficient by introducing an "oauth2l login" command, but that was never implemented.

[andrewhamon]

@andyrzhao ahh, i think i was slightly mistaken in my original report. The alternative to ADC creds wasnt a gcloud session, but rather a GCE instance service account.

We use GCE instances for dev environments. Its not unusual to log into gcloud with a personal account on occasion, but most things use the instances service account.

If there is a stale application_default_credentials.json, it is impossible to use oauth2l without first deleting the stale application_default_credentials.json. This is a bummer, because we want to use the instance service account.