Empty or missing scope not allowed with GOOGLE_APPLICATION_CREDENTIALS #217

Closed
jlewi opened this issue Nov 14, 2017 · 3 comments

jlewi commented Nov 14, 2017

I'm using a service account and setting the environment variable GOOGLE_APPLICATION_CREDENTIALS and getting an error complaining about missing scope.

Here's some simple code to reproduce it.

import google.auth
import google.auth.transport
import google.auth.transport.requests
import os
print(os.getenv("GOOGLE_APPLICATION_CREDENTIALS", ""))
credentials, project_id = google.auth.default()
request = google.auth.transport.requests.Request()
credentials.refresh(request)

This throws an exception

Traceback (most recent call last):
  File "credentials_repo.py", line 9, in <module>
    credentials.refresh(request)
  File "/usr/local/lib/python2.7/dist-packages/google/oauth2/service_account.py", line 322, in refresh
    request, self._token_uri, assertion)
  File "/usr/local/lib/python2.7/dist-packages/google/oauth2/_client.py", line 144, in jwt_grant
    response_data = _token_endpoint_request(request, token_uri, body)
  File "/usr/local/lib/python2.7/dist-packages/google/oauth2/_client.py", line 110, in _token_endpoint_request
    _handle_error_response(response_body)
  File "/usr/local/lib/python2.7/dist-packages/google/oauth2/_client.py", line 60, in _handle_error_response
    error_details, response_body)
google.auth.exceptions.RefreshError: ('invalid_scope: Empty or missing scope not allowed.', u'{\n  "error" : "invalid_scope",\n  "error_description" : "Empty or missing scope not allowed."\n}')

Do scopes need to be explicitly set when using service accounts?

I'm using google-auth 1.2.1

pip freeze | grep google-auth
google-auth==1.2.1
google-auth-httplib2==0.0.2

dhermes (Contributor) commented Nov 14, 2017

@jlewi Yes. That error message is directly from the server.

@jonparrott WDYT about failing the request locally rather than relying on the backend?

jlewi (Author) commented Nov 14, 2017

Thanks @dhermes. I'll leave this issue open since there's a question pending for @jonparrott, but my question has been addressed.

theacodes (Contributor) commented

> WDYT about failing the request locally rather than relying on the backend?

I would rather not have that logic on the client side, as it's not strictly required. It's possible for an authorization server to grant a token without scopes.
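Added example, not part of the thread and not google-auth's own code: one way for an application to attach explicit scopes to service-account credentials before the first refresh, and to fail fast in its own code when none are supplied. `ensure_scoped`, `load_default_credentials` and the stand-in class are hypothetical names; the read-only storage scope is only an illustration.

```python
"""Attach explicit scopes to service-account credentials before refreshing."""

# Narrow, read-only scope chosen for illustration; request only what your calls need.
READONLY_STORAGE = "https://www.googleapis.com/auth/devstorage.read_only"


def ensure_scoped(credentials, scopes):
    """Return credentials carrying `scopes` if the credential type needs them.

    Relies on the google.auth.credentials.Scoped interface (`requires_scopes`,
    `with_scopes`). Credentials that do not need scopes are returned unchanged.
    """
    scopes = [s for s in (scopes or []) if s and s.strip()]
    if not getattr(credentials, "requires_scopes", False):
        return credentials  # already scoped, or a type that takes no scopes
    if not scopes:
        # Application-level guard: the token endpoint in this thread answers
        # invalid_scope, so stop before making the network call.
        raise ValueError("service-account credentials need at least one scope")
    return credentials.with_scopes(scopes)


def load_default_credentials(scopes):
    """google.auth.default() plus explicit scopes (hypothetical helper)."""
    import google.auth  # imported here so ensure_scoped works without the library

    credentials, project_id = google.auth.default()
    return ensure_scoped(credentials, scopes), project_id


class FakeServiceAccountCredentials:
    """Constructed stand-in that mimics the Scoped interface for offline runs."""

    def __init__(self, scopes=None):
        self.scopes = scopes

    @property
    def requires_scopes(self):
        return not self.scopes

    def with_scopes(self, scopes):
        return FakeServiceAccountCredentials(list(scopes))


if __name__ == "__main__":
    unscoped = FakeServiceAccountCredentials()
    scoped = ensure_scoped(unscoped, [READONLY_STORAGE])
    print(unscoped.requires_scopes, scoped.requires_scopes, scoped.scopes)
```

`google.auth.default()` also accepts a `scopes` argument directly, which is the shortest change to the reproduction in the first comment.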
