Provide separate scopes list for delegated credentials

Scope changes in delegated credentials require coordinated external changes, therefore should be separate from those used in the application default credential. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=212488389
2025-06-27 23:03:34 +02:00 · 2018-09-11 11:28:13 -07:00 · 2018-09-11 11:28:13 -07:00 · dbb1f1649d
commit dbb1f1649d
parent 5c1d9bd5c3
4 changed files with 31 additions and 10 deletions
--- a/java/google/registry/config/files/default-config.yaml
+++ b/java/google/registry/config/files/default-config.yaml
@ -177,17 +177,27 @@ oAuth:
  allowedOauthClientIds: []

 credentialOAuth:
-  # OAuth scopes required for accessing Google APIs.
-  credentialOauthScopes:
+  # OAuth scopes required for accessing Google APIs using the default
+  # credential.
+  defaultCredentialOauthScopes:
    # View and manage data in all Google Cloud APIs.
    - https://www.googleapis.com/auth/cloud-platform
    # View and manage files in Google Drive.
    - https://www.googleapis.com/auth/drive
+  # OAuth scopes required for delegated admin access to G Suite domain.
+  # Deployment of changes to this list must be coordinated with G Suite admin
+  # configuration, which can be managed in the admin console:
+  # - New scopes must be added to the G Suite domain configuration before the
+  #   release is deployed.
+  # - Removed scopes must remain on G Suite domain configuration until the
+  #   release is deployed.
+  delegatedCredentialOauthScopes:
    # View and manage groups on your domain in Directory API.
    - https://www.googleapis.com/auth/admin.directory.group
    # View and manage group settings in Group Settings API.
    - https://www.googleapis.com/auth/apps.groups.settings

+
 icannReporting:
  # URL we PUT monthly ICANN transactions reports to.
  icannTransactionsReportingUploadUrl: https://ry-api.icann.org/report/registrar-transactions