gcp_authn: fix bound token requests #45838

Merged: tyxia merged 2 commits into envoyproxy:main from antoniovleonti:fix-gcp-authn-fingerprint, Jun 26, 2026
@antoniovleonti antoniovleonti commented Jun 25, 2026

Contributor

Commit Message: gcp_authn: fix bound token requests
Additional Description:

The gcp_authn filter was passing along the fingerprint incorrectly in bound token requests:

  • The fingerprint query parameter key should be bindCertificateFingerprint.
  • The fingerprint query parameter value should be base64-encoded, then double URL-encoded.

This is exactly how the official Google Python auth library structures its requests for bound tokens.

Risk Level: low
Testing: tests updated
Docs Changes: none
Release Notes: none

Signed-off-by: antoniovleonti <leonti@google.com>
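
The parameter encoding described in the PR description above, as an added example that is not part of the original post and is neither Envoy's nor Google's code. It assumes the fingerprint is a SHA-256 digest of the DER certificate and that standard padded base64 is used; all function names are hypothetical, and `encoding_layers` is a helper a regression test could use to catch the double encoding being simplified away.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

PARAM_KEY = "bindCertificateFingerprint"  # key named in the PR description


def sha256_fingerprint(cert_der: bytes) -> bytes:
    # Assumption: the fingerprint is the SHA-256 digest of the DER certificate.
    return hashlib.sha256(cert_der).digest()


def encode_fingerprint(digest: bytes) -> str:
    # Assumption: standard base64 alphabet with padding.
    b64 = base64.b64encode(digest).decode("ascii")
    once = quote(b64, safe="")   # '+', '/', '=' become %2B, %2F, %3D
    return quote(once, safe="")  # '%' becomes %25: %252B, %252F, %253D


def query_pair(digest: bytes) -> str:
    # The key=value pair as it would appear in the request URL.
    return f"{PARAM_KEY}={encode_fingerprint(digest)}"


def encoding_layers(wire_value: str, limit: int = 5) -> int:
    # Count URL-decoding passes until the value stops changing.
    # A 32-byte digest always ends in '=' in padded base64, so a correctly
    # encoded fingerprint reports exactly 2 layers.
    layers = 0
    while layers < limit:
        decoded = unquote(wire_value)
        if decoded == wire_value:
            break
        wire_value, layers = decoded, layers + 1
    return layers


def decode_fingerprint(wire_value: str) -> bytes:
    # Undo both URL-encoding layers, then strict base64 decoding.
    return base64.b64decode(unquote(unquote(wire_value)), validate=True)


# Constructed 32-byte digest whose base64 form contains '+', '/' and '='.
SAMPLE_DIGEST = b"\xfb\xff\xbf" * 10 + b"\xfb\xff"

if __name__ == "__main__":
    print(query_pair(SAMPLE_DIGEST))
    print(encoding_layers(encode_fingerprint(SAMPLE_DIGEST)))
```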

tyxia commented Jun 25, 2026

Member

/gemini review

@tyxia tyxia self-assigned this Jun 25, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request updates the GCP authentication client to use the bindCertificateFingerprint query parameter instead of client_certificate_sha256, and double URL-encodes the fingerprint value to meet the GCP metadata server's requirements. Corresponding unit and integration tests have been updated to reflect these changes. The reviewer suggests adding explanatory comments to the double URL-encoding logic to prevent future maintainers from mistakenly simplifying it.

Comment thread source/extensions/filters/http/gcp_authn/gcp_authn_client_impl.cc Outdated
Comment thread source/extensions/filters/http/gcp_authn/gcp_authn_client_impl.cc Outdated
Signed-off-by: antoniovleonti <leonti@google.com>

@tyxia tyxia left a comment

Member

Thank you!

@tyxia tyxia merged commit 0ec57be into envoyproxy:main Jun 26, 2026
28 checks passed
@antoniovleonti antoniovleonti deleted the fix-gcp-authn-fingerprint branch June 26, 2026 19:58