Skip to content

fix: disable RAB lookup for Domain-Wide Delegation#17763

Open
nbayati wants to merge 1 commit into
googleapis:mainfrom
nbayati:skip-rab-dwd
Open

fix: disable RAB lookup for Domain-Wide Delegation#17763
nbayati wants to merge 1 commit into
googleapis:mainfrom
nbayati:skip-rab-dwd

Conversation

@nbayati

@nbayati nbayati commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Updates credentials classes to skip building the Regional Access Boundary lookup URL when Domain-Wide Delegation (DWD) is active, as RAB does not apply to Workspace User Accounts via DWD.

Fixes #17703

Updates credentials classes to  skip building the Regional Access Boundary lookup URL when Domain-Wide Delegation (DWD) is active, as RAB does not apply to Workspace User Accounts via DWD.
@nbayati
nbayati requested review from a team as code owners July 17, 2026 07:35

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request aims to bypass Regional Access Boundary (RAB) lookup when a subject is populated for Domain-wide Delegation across several credential classes. However, the reviewer pointed out that ImpersonatedCredentials does not support Domain-Wide Delegation or possess a _subject attribute, which will result in a runtime AttributeError. Consequently, the check in impersonated_credentials.py and its corresponding unit test should be removed.

Comment on lines +367 to +370
if self._subject:
# RAB does not apply to Workspace User Accounts via Domain-wide Delegation.
return None

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Accessing self._subject on ImpersonatedCredentials will raise an AttributeError at runtime because _subject is not an attribute of this class. Furthermore, Domain-Wide Delegation (DWD) is not supported or applicable for impersonated credentials, so this check is unnecessary and should be removed.

Comment on lines +762 to +765
def test_build_regional_access_boundary_lookup_url_with_subject(self):
credentials = self.make_credentials(subject="user@example.com")
assert credentials._build_regional_access_boundary_lookup_url() is None

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Since ImpersonatedCredentials does not support Domain-Wide Delegation or have a _subject attribute, this test is testing an invalid scenario and should be removed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Auth: RAB lookup should be skipped in DwD flows

1 participant