Add on-demand jwt credentials

[theacodes]

jwt.Credentials only works for a single audience at a time and must have knowledge of the audience beforehand. gRPC APIs, however, may not be able to determine the audience beforehand so JWTs should be generated on-demand during the before_request callback.

We previously had this behavior as part of jwt.Credentials, but it was removed because it made the behavior of the class ambiguous. This feature request is to bring that functionality back as a separate class jwt.OnDemandCredentials.

This class:

• Doesn't accept an audience argument in its constructor.
• Can be created from existing credentials using from_signing_credentials.
• Holds a cache of JWTs for specific audiences using cachetools.LRUCache.
• Generates a new JWT for the specific audience in before_request or uses an existing cached JWT.
• Is always valid and never expires but never has a token.

Context.

@dhermes @lukesneeringer any concerns about the name or dependency on cachetools?
@jboeuf any concerns on the behavior here?

[jboeuf]

@jonparrott That looks about right to me. I assume that the from_signing_credentials class method for this new class would not take an audience parameter just like the constructor. Thanks!

[theacodes]

I assume that the from_signing_credentials class method for this new class would not take an audience parameter just like the constructor.

correct.

@jboeuf is there any external (or internal) documentation you can share with me on this behavior? one of my biggest goals with this library is that it's well-researched and documented with references. Anything helps.

[jboeuf]

Would this work? https://github.com/grpc/grpc/blob/master/doc/load-balancing.md It explains how load balancing works on how the client opens different connections to the balancers and to the backends but is not very specific about the credentials story.

…

On Wed, Mar 22, 2017 at 4:30 PM, Jon Wayne Parrott ***@***.*** > wrote: I assume that the from_signing_credentials class method for this new class would not take an audience parameter just like the constructor. correct. @jboeuf <https://github.com/jboeuf> is there any external (or internal) documentation you can share with me on this behavior? one of my biggest goals with this library is that it's well-researched and documented with references. Anything helps. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#136 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AF-P7QtmpWOcTmdl31KUf6araWvgqMLmks5roa8DgaJpZM4MkwMQ> .

[theacodes]

@jboeuf this helps but i was specifically talking about the auth metadata callback stuff.

[jboeuf]

Ah, OK. This http://www.grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms documents the C++ interface but you have a similar one in python which is not documented here. This issue tracked the python implementation: grpc/grpc#3908

…

On Wed, Mar 22, 2017 at 5:05 PM, Jon Wayne Parrott ***@***.*** > wrote: @jboeuf <https://github.com/jboeuf> this helps but i was specifically talking about the auth metadata callback stuff. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#136 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AF-P7f9Rw8EX-qrZmpCrJyE6U6AXGuE8ks5robdegaJpZM4MkwMQ> .

[theacodes]

Thanks!

…

On Wed, Mar 22, 2017, 10:20 PM jboeuf ***@***.***> wrote: Ah, OK. This http://www.grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms documents the C++ interface but you have a similar one in python which is not documented here. This issue tracked the python implementation: grpc/grpc#3908 On Wed, Mar 22, 2017 at 5:05 PM, Jon Wayne Parrott < ***@***.*** > wrote: > @jboeuf <https://github.com/jboeuf> this helps but i was specifically > talking about the auth metadata callback stuff. > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > < #136 (comment) >, > or mute the thread > < https://github.com/notifications/unsubscribe-auth/AF-P7f9Rw8EX-qrZmpCrJyE6U6AXGuE8ks5robdegaJpZM4MkwMQ > > . > — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#136 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAPUc2TnN5_pcB9csMwR0lmw4Ilyv9IHks5rogEagaJpZM4MkwMQ> .