Remove OAuthAuthenticationMechanism (#2171)

Also made some refactoring to various Auth related classes to clean up things a bit and make the logic less convoluted: 1. In Auth, remove AUTH_API_PUBLIC as it is only used by the WHOIS and EPP endpoints accessed by the proxy. Previously, the proxy relies on OAuth and its service account is not given admin role (in OAuth parlance), so we made them accessible by a public user, deferring authorization to the actions themselves. In practice, OAuth checks for allowlisted client IDs and only the proxy client ID was allowlisted, which effectively limited access to only the proxy anyway. 2. In AuthResult, expose the service account email if it is at APP level. RequestAuthenticator will print out the auth result and therefore log the email, making it easy to identify which account was used. This field is mutually exclusive to the user auth info field. As a result, the factory methods are refactored to explicitly create either APP or USER level auth result. 3. Completely re-wrote RequestAuthenticatorTest. Previously, the test mingled testing functionalities of the target class with testing how various authentication mechanisms work. Now they are cleanly decoupled, and each method in RequestAuthenticator is tested individually. 4. Removed nomulus-config-production-sample.yaml as it is vastly out of date.
2026-01-03 11:45:39 +00:00 · 2023-10-11 19:12:26 -04:00
parent bbdbfe85ed
commit 36bd508bf9
49 changed files with 365 additions and 1098 deletions
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -88,8 +88,7 @@ gSuite:

 For fully-featured production environments that need the full range of features
 (e.g. RDE, correct contact information on the registrar console, etc.) you will
-need to specify more settings. The `nomulus-config-production-sample.yaml` file
-contains an exhaustive list of all settings to override.
+need to specify more settings.

 From a code perspective, all configuration settings ultimately come through the
 [`RegistryConfig`][registry-config] class. This includes a Dagger module called
--- a/docs/proxy-setup.md
+++ b/docs/proxy-setup.md
@@ -134,16 +134,16 @@ takes a couple of minutes.
 ### Setup Nomulus

 After terraform completes, it outputs some information, among which is the
-client id of the service account created for the proxy. This needs to be added
-to the Nomulus configuration file so that Nomulus accepts traffic from the
+email address of the service account created for the proxy. This needs to be
+added to the Nomulus configuration file so that Nomulus accepts traffic from the
 proxy. Edit the following section in
 `java/google/registry/config/files/nomulus-config-<env>.yaml` and redeploy
 Nomulus:

 ```yaml
-oAuth:
-  allowedOauthClientIds:
-    - <client_id>
+auth:
+  allowedServiceAccountEmails:
+    - <email address>
 ```

 ### Setup nameservers
@@ -304,15 +304,15 @@ $  gcloud iam service-accounts keys create proxy-key.json --iam-account \

 A `proxy-key.json` file will be created inside the current working directory.

-The `client_id` inside the key file needs to be added to the Nomulus
+The service account email address needs to be added to the Nomulus
 configuration file so that Nomulus accepts the OAuth tokens generated for this
 service account. Add its value to
 `java/google/registry/config/files/nomulus-config-<env>.yaml`:

 ```yaml
-oAuth:
-  allowedOauthClientIds:
-    - <client_id>
+auth:
+  allowedServiceAccountEmails:
+    - <email address>
 ```

 Redeploy Nomulus for the change to take effect.