docs: add warning against accepting untrusted credentials #598
Conversation
| * external source for authentication to Google Cloud Platform, you must validate it before | ||
| * providing it to any Google API or library. Providing an unvalidated credential configuration to | ||
| * Google APIs can compromise the security of your systems and data. For more information | ||
| * {@see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials} |
There was a problem hiding this comment.
can you put the warning as part of the method that loads any json/file/stream and builds an appropriate cred for it.
See https://github.com/googleapis/google-auth-library-python/pull/1655/files as an example
There was a problem hiding this comment.
The only issue there is that we would need to add it to ApplicationDefaultCredentials::getCredentials, ApplicationDefaultCredentials::getMiddleware, ApplicationDefaultCredentials::getIdTokenCredentials, ApplicationDefaultCredentials::getIdTokenMiddleware, and ApplicationDefaultCredentials::getIdTokenProxyCredentials. I can do it, but it just seems a bit over-verbose. Since it applies to essentially every method in the class, it makes more sense to me to add it at the top of the class.
There was a problem hiding this comment.
Actually .Net has similar case. looks ok to update everywhere googleapis/google-api-dotnet-client#2916
sai-sunder-s
added
the
do not merge
No description provided.