[Q] How do I authenticate through google-cloud-cpp, when gcloud isn't installed?
#6811
-
I found this guide from your old [2 years since deprecation] library: https://google.github.io/google-api-cpp-client/latest/guide/oauth2.html

Is there a built-in way of doing those authentication flows within google-cloud-cpp, or should I use a generic OAuth2 C/C++ library? Thanks
Replies: 8 comments
-
TL;DR; I think you need to use a generic OAuth2 C/C++ library.

See #1718 for the existing feature request. There is a larger project to review all our authentication support, this is being considered for that project. I am not promising that it will be part of it.

In case I misunderstood: you have a C++ application (probably a service), you want to perform some actions on behalf of a user, to do so you would need to get a refresh token from that grants your application persistent permissions to perform these actions. Typically that implies some workflow where the user is shown what permissions you are asking for, the user accepts, a refresh token is created, and your application receives the token (maybe asynchronously, maybe cut&pasted by the user). That is what #1718 is about.
-
Thanks, yep, that's the one. Okay, I'll use a generic one for now.

Yeah, I'm trying to expose the whole flow to the user, all the way up to them creating a Google Cloud account and all the way down to using a stored refresh token to refresh an expired access token.

PS: Have you thought of just taking the old google-api-cpp-client code and including the relevant bits here? Or are the two APIs too divergent?
-
Thought about it? Yes. A super-detailed analysis? No. Last time we looked at this: the platform support had diverged, the compiler support had diverged, the choice of dependencies, the support for gRPC, the implementation details were all different enough that whatever code we managed to rescue would be smaller than the code we would need to rewrite (roughly, obviously we did not count line by line).
-
@coryan Okay, so I did a search on GitHub and ended up using this Linux-only one, with no dependencies other than OpenSSL, that some academic wrote for his students (for a course): https://github.com/tommccallum/oauth2

…then I extended it, switched to CMake, optimised internal data-structures, and added support for both macOS and Windows. With error-handling, this MIT-licensed work is only 45 lines: https://github.com/SamuelMarks/oauth2/blob/google-auth/cpp/src/main_google.cpp#L16-L61 🎉

I can extend it to remove the strict OpenSSL dependencies to use the Windows SSL libraries (STunnel &etc.) on Windows, and package the whole thing up into an external library. Or some other such runaround. Trying to make it useful to other…

Or hey, is this the kind of thing I could send you guys a PR with?
-
That looks very useful.
That seems difficult. For one thing, while the code is MIT licensed, it is not yours, and you would need to sign the CLA before we could accept a PR: https://cla.developers.google.com/about/google-corporate. While I am not a lawyer, I suspect you cannot grant us (Google) the rights the CLA requires for code that you did not write.

There are also some technical things to figure out. The code seems useful for command-line applications, but we need to consider servers too. What if an application is running as a Cloud Run or GKE application (serving web pages)? How would the workflow work in that case? At the very least we should have an answer, such as "this would never work for Cloud Run, use this other library instead".

I think it would be very useful for the C++ community if you modernized this library, improved its testing practices, etc. We need libraries like this. As it is, given its copyright history and technical limitations, I think Sorry to be the carrier of bad news.
-
Clause 7 seems to be relevant:
Though I'm not sure if you need permission of the original copyright holder.
-
I've been on LinkedIn contact with the original author, and he's merging my contributions. Maybe I'll just ask him to sign what you guys want? (Oh, and all those tests will need to be translated; I'm thinking to use CTest and translate all to that level.)

Oh, also I'm slightly tempted to rewrite the whole library in C, so as to facilitate more use-cases. The rewrite is only one development day away IMHO…

In terms of auth flow you could return the But yeah, I think a C rewrite would be conducive to embedding this library, and depending upon it (even if it was added to your master tree). Not to mention overcoming any licensing issues! [I think… IANAL]

Thoughts?
-
FYI: I rewrote the auth flow in C (C89) in a cross-platform way (macOS, Windows, Linux). Followed https://developers.google.com/identity/protocols/oauth2/native-app
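
The two ends of the native-app flow this thread keeps returning to, building the consent URL and accepting the authorization code from the loopback redirect only when `state` matches, as an added sketch that is not code from this thread, google-cloud-cpp, or either linked repository. The function names are hypothetical; the endpoint and parameter names follow Google's native-app guide linked above, and the caller is assumed to generate `state` and the PKCE challenge.

```cpp
#include <cctype>
#include <string>

// Percent-encode everything except RFC 3986 unreserved characters.
std::string Encode(const std::string& in) {
  static const char kHex[] = "0123456789ABCDEF";
  std::string out;
  for (unsigned char c : in) {
    bool safe = std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~';
    if (safe) out += static_cast<char>(c);
    else out += {'%', kHex[c >> 4], kHex[c & 15]};
  }
  return out;
}

// Percent-decoded value of `key` in a query string, or "" when absent.
std::string Param(const std::string& query, const std::string& key) {
  for (std::size_t pos = 0, end; pos < query.size(); pos = end + 1) {
    end = query.find('&', pos);
    if (end == std::string::npos) end = query.size();
    std::string kv = query.substr(pos, end - pos), out;
    if (kv.compare(0, key.size() + 1, key + "=") != 0) continue;
    for (std::size_t i = key.size() + 1; i < kv.size(); ++i) {
      bool esc = kv[i] == '%' && i + 2 < kv.size() &&
                 std::isxdigit(static_cast<unsigned char>(kv[i + 1])) &&
                 std::isxdigit(static_cast<unsigned char>(kv[i + 2]));
      out += esc ? static_cast<char>(std::stoi(kv.substr(i + 1, 2), nullptr, 16)) : kv[i];
      if (esc) i += 2;
    }
    return out;
  }
  return "";
}

// Step 1: URL to open in the system browser. Assumption: the caller supplies
// `state` and the PKCE S256 `challenge`, both derived from CSPRNG output.
std::string AuthorizationUrl(const std::string& client_id, const std::string& redirect_uri,
    const std::string& scope, const std::string& state, const std::string& challenge) {
  return "https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
         "&code_challenge_method=S256&client_id=" + Encode(client_id) +
         "&redirect_uri=" + Encode(redirect_uri) + "&scope=" + Encode(scope) +
         "&state=" + Encode(state) + "&code_challenge=" + Encode(challenge);
}

// Step 2: take the code from the loopback redirect only if `state` is the one we sent.
std::string CallbackCode(const std::string& query, const std::string& sent_state) {
  if (sent_state.empty() || Param(query, "state") != sent_state) return "";
  return Param(query, "code");
}
```

An empty return from `CallbackCode` covers a missing code, a denied consent, and a mismatched `state`; in all three cases no token request should be made.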