feat(auth): add Application Default Credentials (ADC) auth mode #357

Merged
steipete merged 4 commits into openclaw:main from tengis617:feat/adc-workload-identity
Mar 8, 2026

@tengis617
Contributor

Summary

  • Adds a new GOG_AUTH_MODE=adc environment variable that switches the CLI to use Application Default Credentials instead of the keyring-based OAuth flow
  • Enables gogcli to run in cloud environments (GKE Workload Identity, Cloud Run, Compute Engine) or locally via gcloud auth application-default login — no OAuth client credentials or keyring needed
  • In ADC mode, --account / GOG_ACCOUNT is optional (defaults to "adc" label); the service account accesses only resources explicitly shared with it

Changes

  • internal/googleapi/client.go: IsADCMode() helper; optionsForAccountScopes short-circuits to google.DefaultTokenSource when ADC is active, skipping keyring/OAuth entirely. newADCTokenSource package-var follows existing testability pattern.
  • internal/cmd/account.go: requireAccount returns early in ADC mode so no email or keyring lookup is required.
  • internal/googleapi/client_more_test.go: Tests for IsADCMode (3 cases) and the full optionsForAccountScopes ADC path, asserting that keyring and client credentials are never touched.

Test plan

  • TestIsADCMode — empty, "adc", and "oauth" values
  • TestOptionsForAccountScopes_ADCMode — verifies ADC token source is called with correct scopes and keyring/credentials helpers are not invoked
  • make fmt passes
  • make test passes for ./internal/googleapi/

Note: CI will fail due to a pre-existing build error on main (contacts_crud.go type mismatches — bool vs string). This is tracked by #333 and is unrelated to this PR.

🤖 Generated with Claude Code
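
The mode switch described in this PR, sketched as an added example (not gogcli's code, and not part of the PR): the auth mode is decided before any keyring access, and both credential paths are package-level vars so a test can prove the keyring is never opened in ADC mode. `tokenSource`, `staticSource`, `openKeyring` and `sourceForAccount` are hypothetical names, the function signatures are assumptions, and a local interface stands in for `oauth2.TokenSource` so the sketch needs only the standard library.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// tokenSource is a hypothetical stand-in for oauth2.TokenSource (stdlib-only sketch).
// staticSource returns a fixed, constructed token and is used to stub either path.
type tokenSource interface{ Token() (string, error) }
type staticSource string

func (s staticSource) Token() (string, error) { return string(s), nil }

// Package-level vars so a test can swap both paths. Signatures are assumptions.
var (
	newADCTokenSource = func([]string) (tokenSource, error) { return nil, errors.New("no ADC here") }
	openKeyring       = func(string) (tokenSource, error) { return nil, errors.New("no keyring here") }
)

// isADCMode: exact match on "adc" is an assumption of this sketch.
func isADCMode() bool { return os.Getenv("GOG_AUTH_MODE") == "adc" }

// requireAccount falls back to the "adc" placeholder only in ADC mode.
func requireAccount(account string) (string, error) {
	if account != "" {
		return account, nil
	}
	if isADCMode() {
		return "adc", nil
	}
	return "", errors.New("missing --account")
}

// sourceForAccount decides the mode before any keyring access happens.
func sourceForAccount(account string, scopes []string) (tokenSource, error) {
	if isADCMode() {
		return newADCTokenSource(scopes)
	}
	return openKeyring(account)
}

func main() {
	os.Setenv("GOG_AUTH_MODE", "adc")
	newADCTokenSource = func([]string) (tokenSource, error) { return staticSource("constructed"), nil }
	acct, _ := requireAccount("")
	ts, err := sourceForAccount(acct, []string{"constructed.scope"})
	fmt.Println(acct, ts, err)
}
```

Counting calls to the keyring stub, rather than only checking the returned token, is what shows the ADC path never reaches stored OAuth credentials.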

tengis617 and others added 4 commits March 8, 2026 17:13
When GOG_AUTH_MODE=adc, the CLI authenticates using ambient credentials
(GKE Workload Identity, GOOGLE_APPLICATION_CREDENTIALS, or gcloud ADC)
instead of the keyring-based OAuth flow. This enables use in environments
like GKE pods where the service account accesses resources explicitly
shared with it — no domain-wide delegation or user impersonation needed.

The account email is no longer required in ADC mode; requireAccount()
returns "adc" as a placeholder when no --account/GOG_ACCOUNT is set.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@steipete steipete force-pushed the feat/adc-workload-identity branch from 39b77da to 0545735 Compare March 8, 2026 17:18
@steipete steipete merged commit 45c272f into openclaw:main Mar 8, 2026
2 of 5 checks passed
@steipete
Collaborator

steipete commented Mar 8, 2026

Landed after manual rebase/conflict resolution onto main.

  • Gate: go test ./internal/googleapi ./internal/cmd -run 'Test(IsADCMode|OptionsForAccountScopes_ADCMode)' -count=1; make ci
  • Land commit: 0545735
  • Merge commit: 45c272f

Thanks @tengis617!

klodr pushed a commit to klodr/gogcli that referenced this pull request Apr 22, 2026
…claw#357)

* feat: add Application Default Credentials (ADC) auth mode

When GOG_AUTH_MODE=adc, the CLI authenticates using ambient credentials
(GKE Workload Identity, GOOGLE_APPLICATION_CREDENTIALS, or gcloud ADC)
instead of the keyring-based OAuth flow. This enables use in environments
like GKE pods where the service account accesses resources explicitly
shared with it — no domain-wide delegation or user impersonation needed.

The account email is no longer required in ADC mode; requireAccount()
returns "adc" as a placeholder when no --account/GOG_ACCOUNT is set.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(auth): add ADC mode (openclaw#357) (thanks @tengis617)

* fix(auth): satisfy ADC lint on landed branch (openclaw#357)

* test(auth): fix ADC test whitespace lint (openclaw#357)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>