-
Notifications
You must be signed in to change notification settings - Fork 309
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
samples: remove browser option from user credentials sample #1147
Conversation
# The `launch_browser` boolean variable indicates if a local server is used | ||
# as the callback URL in the auth flow. A value of `True` is recommended, | ||
# but a local server does not work if accessing the application remotely, | ||
# such as over SSH or from a remote Jupyter notebook. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
gcloud allows you to complete auth on a remote machine with no browser gcloud auth application-default login --no-browser
, available in >=372.0.0.
This doc has an overview of what the flow looks like. I believe this new flag will take care of the general 'accessing the application remotely case' as long as the user can run gcloud on the target machine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tswast @shollyman Are there cases where a user might not be able to run gcloud
on the machine where the notebook is hosted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tswast @shollyman Are there cases where a user might not be able to run gcloud on the machine where the notebook is hosted?
Oh dear. 😱 I'm not sure about "can't" but this will add significant friction to folks using hosted notebooks on other clouds such as Azure Machine Learning Notebooks or Amazon SageMaker.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for bringing this to my attention. I believe I'll need to prioritize pydata/pydata-google-auth#53 and ideally pydata/pydata-google-auth#48 as well due to this auth change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kubeflow notebooks and other self-hosted notebook systems like Jupyter Hub will also have a problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Tim, it looked like some other teams working with Notebooks are also trying to figure out how this impacts their users. dujinhui@ is on the team leading the OOB deprecation if you need a point of contact.
Approving, but as discussed separately, much more work needs to be done to have a clean migration path, especially for remote notebook users. |
…is#1147) * samples: remove run_console from user credentials sample * Update samples/snippets/user_credentials.py Co-authored-by: Tim Swast <[email protected]> * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Tim Swast <[email protected]> Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
run_console
uses the OAuth out-of-band flow, which will stop working for new clients on February 28, 2022 and stop working for all clients on October 3, 2022.https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html?m=1#disallowed-oob