
feat(auth): Add blocking Regional Access Boundary Lookup and Seed Support #16720

Open
macastelaz wants to merge 16 commits into googleapis:main from macastelaz:clean-rab-gcloud

@macastelaz

In order for the gcloud CLI to support Regional Access Boundary, the Python auth SDK needs to support blocking lookups as well as allowing an initial seed RAB to be provided (gcloud will set this seed if the CLI has a locally cached valid RAB available).

Additional details can be found at go/rab-python-gcloud-one-pager

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request renames the "Trust Boundary" feature to "Regional Access Boundary" (RAB) and introduces a centralized management system for it. Key changes include the implementation of _RegionalAccessBoundaryManager for thread-safe state handling and background refreshes, and the update of multiple credential types to support this new mechanism. The with_trust_boundary method is deprecated in favor of with_regional_access_boundary. Review feedback recommends updating a type hint in the utility module to correctly reflect the expected data types and removing redundant error logging in the base credentials class to reduce log noise.

Comment thread packages/google-auth/google/auth/_regional_access_boundary_utils.py
Comment thread packages/google-auth/google/auth/credentials.py
macastelaz and others added 5 commits April 23, 2026 19:14
Renamed 'with_regional_access_boundary' to '_with_regional_access_boundary' to indicate internal use.
Update the comment block of "_with_regional_access_boundary" to inform future maintainers of the necessity to maintain a backwards compatible contract of this method.
@macastelaz macastelaz changed the title from "Blocking Regional Access Boundary Lookup and Seed Support" to "feat(auth): Add blocking Regional Access Boundary Lookup and Seed Support" Apr 23, 2026
@macastelaz macastelaz marked this pull request as ready for review April 23, 2026 20:37
@macastelaz macastelaz requested review from a team as code owners April 23, 2026 20:37
Contributor

@nbayati nbayati left a comment

Overall looks really good! Just a few small comments and questions.

Comment thread packages/google-auth/google/auth/credentials.py Outdated
Comment thread packages/google-auth/google/oauth2/credentials.py Outdated
Comment thread packages/google-auth/google/oauth2/credentials.py
Comment thread packages/google-auth/tests/oauth2/test__client.py
Comment thread packages/google-auth/tests/test__regional_access_boundary_utils.py
Comment thread packages/google-auth/google/auth/credentials.py
- Add test for token refresh and RAB lookup sequencing in before_request.
- Add failure test to verify blocking RAB lookups are not retried.
- Restore and refine test for skipping RAB lookup when URL is None.
- Fix swapped url/method arguments in before_request test calls.
- Document why OAuth2 credentials skip independent RAB lookups.
- Internalize blocking lookup method with leading underscore.
Comment thread packages/google-auth/tests/test__regional_access_boundary_utils.py
Contributor

@nbayati nbayati left a comment

Great job!

@ohmayr ohmayr added the "do not merge" label (Indicates a pull request not ready for merge, due to either quality or timing.) Apr 27, 2026

4 participants