
fix(auth): prefer fido2 for reauth fallback#17391

Open
goutamadwant wants to merge 9 commits into googleapis:main from goutamadwant:fix-google-auth-reauth-pyu2f

Conversation

@goutamadwant

@goutamadwant goutamadwant commented Jun 8, 2026


Uses fido2 as the preferred security-key fallback for google-auth reauth, while keeping the WebAuthn handler path first.

For compatibility, the old pyu2f path is still available when fido2 is not installed and pyu2f is already present. That path now emits a DeprecationWarning.

The google-auth[reauth] extra installs fido2, so new installs do not pull in deprecated pyu2f.

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease (if any source code was changed)
  • Appropriate docs were updated (if necessary)

Fixes #17381
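The selection order the PR description lays out (WebAuthn handler first, then fido2, then pyu2f only as a deprecated compatibility path, with a DeprecationWarning) can be shown as a small resolver. This is an added example, not google-auth's own challenges.py; the function names, the `available_modules` parameter used to simulate which optional packages are installed, and the local `ReauthFailError` stand-in are assumptions.

```python
"""Added example: choose a security-key reauth backend in the order
WebAuthn handler -> fido2 -> pyu2f (deprecated). Illustrative only; the
names here are assumptions and not google-auth's implementation."""
import importlib.util
import warnings
from typing import Optional, Sequence


class ReauthFailError(Exception):
    """Stand-in for google.auth.exceptions.ReauthFailError (assumption)."""


WEBAUTHN = "webauthn"
FIDO2 = "fido2"
PYU2F = "pyu2f"


def module_available(name: str) -> bool:
    """Return True when `name` is importable, without importing it."""
    return importlib.util.find_spec(name) is not None


def select_security_key_backend(
    webauthn_handler_available: bool,
    available_modules: Optional[Sequence[str]] = None,
) -> str:
    """Pick the backend in the PR's order.

    `available_modules` (hypothetical) lets a caller or test simulate the
    installed packages; when it is None the real environment is probed.
    """

    def installed(mod: str) -> bool:
        if available_modules is None:
            return module_available(mod)
        return mod in available_modules

    if webauthn_handler_available:
        return WEBAUTHN
    if installed(FIDO2):
        return FIDO2
    if installed(PYU2F):
        # Compatibility path only: warn so existing installs move to fido2.
        warnings.warn(
            "pyu2f support for reauth is deprecated; install "
            "google-auth[reauth] to use fido2 instead.",
            DeprecationWarning,
            stacklevel=2,
        )
        return PYU2F
    raise ReauthFailError(
        "No security key backend available; install google-auth[reauth]."
    )


def describe_selection(webauthn: bool, modules: Sequence[str]) -> tuple:
    """Run the selection and report (backend or None, warned, error message).

    Captures DeprecationWarning so the deprecated path is observable in tests.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            backend = select_security_key_backend(webauthn, modules)
            error = None
        except ReauthFailError as exc:
            backend, error = None, str(exc)
    warned = any(issubclass(w.category, DeprecationWarning) for w in caught)
    return backend, warned, error


if __name__ == "__main__":
    # Simulated environments, in the order a reviewer would want to check.
    for webauthn, mods in [(True, ["pyu2f"]), (False, ["fido2", "pyu2f"]),
                           (False, ["pyu2f"]), (False, [])]:
        print(webauthn, list(mods), "->", describe_selection(webauthn, mods))
```

The pyu2f branch is reached only when fido2 is absent, which is why the `google-auth[reauth]` extra pulling in fido2 keeps new installs off the deprecated path; the empty-environment case raises rather than silently returning a backend.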

@goutamadwant goutamadwant requested review from a team as code owners June 8, 2026 06:40

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request replaces the pyu2f dependency with fido2 for security key reauthentication, updating the challenge implementation, credentials documentation, setup dependencies, and associated tests. Feedback from the review highlights that fido2 version 2.0.0 does not exist on PyPI, so the dependency range in setup.py should target 1.x instead. Additionally, it is recommended to handle potential OSError exceptions when listing devices or communicating with the security key to prevent unexpected crashes and improve error handling.

Comment thread packages/google-auth/setup.py
Comment thread packages/google-auth/google/oauth2/challenges.py Outdated
Comment thread packages/google-auth/google/oauth2/challenges.py Outdated
Comment thread packages/google-auth/google/oauth2/challenges.py Outdated
Comment thread packages/google-auth/google/oauth2/challenges.py Outdated
@parthea parthea added kokoro:force-run and kokoro:run labels Jun 8, 2026
@yoshi-kokoro yoshi-kokoro removed kokoro:run and kokoro:force-run labels Jun 8, 2026
@parthea parthea marked this pull request as draft June 8, 2026 16:22
@goutamadwant goutamadwant changed the title fix(auth): replace pyu2f reauth fallback with fido2 fix(auth): prefer fido2 for reauth fallback Jun 9, 2026
@goutamadwant

Author

Thanks for checking @parthea, updated this PR to keep the transition safer.

The flow is now WebAuthn first, then fido2, then pyu2f only if fido2 is not installed and pyu2f is already present. The pyu2f path emits a DeprecationWarning and google-auth[reauth] still installs fido2 so new installs do not pull in pyu2f.

Also added docstrings and type hints for the new helpers, plus coverage for the fido2 to pyu2f fallback path.

Let me know if this looks good now or if you have any suggestions.

@parthea parthea marked this pull request as ready for review June 9, 2026 16:52
@parthea parthea added kokoro:force-run and kokoro:run labels Jun 9, 2026
@parthea parthea assigned parthea and unassigned goutamadwant Jun 9, 2026
@yoshi-kokoro yoshi-kokoro removed kokoro:run and kokoro:force-run labels Jun 9, 2026

@parthea parthea left a comment

Contributor


LGTM once checks pass.

google/oauth2/challenges.py:143: error: Cannot find implementation or library stub for module named "fido2.ctap1"  [import-not-found]
google/oauth2/challenges.py:143: note: See https://mypy.readthedocs.io/en/stable/running_mypy.html#missing-imports
google/oauth2/challenges.py:253: error: Missing return statement  [return]
tests/oauth2/test_challenges.py:58: error: Need type annotation for "devices" (hint: "devices: list[<type>] = ...")  [var-annotated]
tests/oauth2/test_challenges.py:66: error: Need type annotation for "calls" (hint: "calls: list[<type>] = ...")  [var-annotated]
tests/oauth2/test_challenges.py:67: error: Need type annotation for "side_effects" (hint: "side_effects: list[<type>] = ...")  [var-annotated]
tests/oauth2/test_challenges.py:103: error: Need type annotation for "origins" (hint: "origins: list[<type>] = ...")  [var-annotated]
tests/oauth2/test_challenges.py:104: error: Need type annotation for "calls" (hint: "calls: list[<type>] = ...")  [var-annotated]
tests/oauth2/test_challenges.py:105: error: Need type annotation for "side_effects" (hint: "side_effects: list[<type>] = ...")  [var-annotated]
Found 8 errors in 2 files (checked 164 source files)

Comment thread packages/google-auth/google/oauth2/challenges.py Outdated
Comment thread packages/google-auth/google/oauth2/challenges.py Outdated
@parthea parthea assigned goutamadwant and unassigned parthea Jun 9, 2026
@parthea parthea marked this pull request as draft June 9, 2026 17:16
@goutamadwant

Author

Thanks for your comments @parthea

Changes made as below:

  • fixed the mypy failures
  • added type hints and docstrings for the new helpers
  • changed the caught_exc formatting to f-strings
  • moved the per device fido2 auth handling into _authenticate_device to keep _obtain_challenge_input_fido2 easier to follow

Let me know if it looks good now or if you have any suggestions. Thanks.

@parthea parthea marked this pull request as ready for review June 10, 2026 15:47
@parthea parthea assigned parthea and unassigned goutamadwant Jun 10, 2026
@parthea parthea added kokoro:force-run and kokoro:run labels Jun 10, 2026
@yoshi-kokoro yoshi-kokoro removed kokoro:run and kokoro:force-run labels Jun 10, 2026

@parthea parthea left a comment

Contributor


Instead of:

sys.stderr.write("No security key found.\n")
return None

We should do this:

raise exceptions.ReauthFailError("No security key found.")

This can also be done as a follow up

Comment thread packages/google-auth/google/oauth2/challenges.py Outdated
Comment thread packages/google-auth/google/oauth2/challenges.py Outdated
Comment thread packages/google-auth/google/oauth2/challenges.py Outdated
Comment thread packages/google-auth/google/oauth2/challenges.py Outdated
@parthea parthea removed their assignment Jun 10, 2026
except self._SecurityKeyTimeout:
return None

sys.stderr.write("Ineligible security key.\n")

Contributor


Is there a reason to use stderr.write here? IIRC, other parts of the library use logging.

Author


Thanks @daniel-sanche. I kept stderr here because this challenge flow already uses it for interactive prompts, and the legacy pyu2f path also writes user-facing challenge messages there.
But based on @parthea's comment, I changed the terminal fido2 failures to raise ReauthFailError instead of writing to stderr.
I kept stderr only for the interactive prompts, since this challenge flow already uses stderr for user prompts like asking the user to touch the key.
Updated the fido2 tests for all these cases. Let me know if you have any other suggestions!
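The two review points in this thread, parthea's request to raise `ReauthFailError` instead of writing "No security key found." to stderr and returning None, and the bot's suggestion to handle `OSError` during device enumeration, can be contrasted side by side. This is an added example, not google-auth's code: device listing is simulated through a caller-supplied callable, and `FakeDevice`, the local `ReauthFailError` stand-in and the helper names are assumptions.

```python
"""Added example (not google-auth's own code): surfacing terminal
security-key failures. `find_security_key_before` shows the pattern under
review (stderr + None); `find_security_key_after` raises ReauthFailError and
wraps OSError from device enumeration. Prompts stay on stderr."""
import sys
from typing import Callable, List, Optional


class ReauthFailError(Exception):
    """Stand-in for google.auth.exceptions.ReauthFailError (assumption)."""


class FakeDevice:
    """Constructed stand-in for a discovered security key (assumption)."""

    def __init__(self, name: str, eligible: bool = True) -> None:
        self.name = name
        self.eligible = eligible


DeviceLister = Callable[[], List[FakeDevice]]


def prompt(message: str) -> None:
    """Interactive prompts go to stderr, as the existing challenge flow does."""
    sys.stderr.write(message + "\n")


def find_security_key_before(list_devices: DeviceLister) -> Optional[FakeDevice]:
    """Pattern under review: the caller cannot tell this None from a timeout."""
    devices = list_devices()  # an OSError here propagates as a crash
    if not devices:
        sys.stderr.write("No security key found.\n")
        return None
    return devices[0]


def find_security_key_after(list_devices: DeviceLister) -> FakeDevice:
    """Terminal failures raise; only the touch prompt is written to stderr."""
    try:
        devices = list_devices()
    except OSError as exc:
        # USB/HID enumeration can fail at the OS layer; wrap instead of crashing.
        raise ReauthFailError(f"Unable to list security keys: {exc}") from exc
    if not devices:
        raise ReauthFailError("No security key found.")
    eligible = [device for device in devices if device.eligible]
    if not eligible:
        raise ReauthFailError("Ineligible security key.")
    prompt("Please touch your security key.")
    return eligible[0]


def failing_lister() -> List[FakeDevice]:
    """Constructed lister that simulates an OS-level enumeration failure."""
    raise OSError("hid open failed")


def outcome(finder: Callable[[DeviceLister], Optional[FakeDevice]],
            list_devices: DeviceLister) -> str:
    """Summarise what a caller observes from each finder, for comparison."""
    try:
        device = finder(list_devices)
    except ReauthFailError as exc:
        return f"error: {exc}"
    except OSError:
        return "crash: OSError"
    return "none" if device is None else f"device: {device.name}"


if __name__ == "__main__":
    scenarios = {
        "no devices": lambda: [],
        "one key": lambda: [FakeDevice("key-1")],
        "ineligible key": lambda: [FakeDevice("legacy", eligible=False)],
        "enumeration fails": failing_lister,
    }
    for label, lister in scenarios.items():
        print(f"{label:18} before={outcome(find_security_key_before, lister)!r:40}"
              f" after={outcome(find_security_key_after, lister)!r}")
```

With the raising version, a caller that catches `ReauthFailError` gets a distinct, descriptive failure for each terminal case, while a None return stays reserved for the timeout path the diff context shows (`except self._SecurityKeyTimeout: return None`).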

@parthea parthea added kokoro:force-run and kokoro:run labels Jun 11, 2026
@yoshi-kokoro yoshi-kokoro removed kokoro:run and kokoro:force-run labels Jun 11, 2026

@parthea parthea left a comment

Contributor


Thanks @goutamadwant!

@parthea parthea enabled auto-merge (squash) June 11, 2026 14:32
@parthea parthea requested a review from daniel-sanche June 11, 2026 15:08


Development

Successfully merging this pull request may close these issues.

google-auth: reauth: uses deprecated u2f module

4 participants