google.auth.default ignores provided scopes when application default credentials are an authorized user.

[ipear3]

Environment details

• OS: macOS Big Sur version 11.4
• Python version: 3.8.2
• pip version: 21.1.3
• google-auth version: 1.33.1

Steps to reproduce

1. Confirm application default credentials are an authorized user (env var GOOGLE_APPLICATION_CREDENTIALS is not set, and gcloud auth application-default login has been run and quota project has been added to ADC)
2. Run the code from the guide "Querying Drive Data"

from google.cloud import bigquery
import google.auth

# Create credentials with Drive & BigQuery API scopes.
# Both APIs must be enabled for your project before running this code.
credentials, project = google.auth.default(
  scopes=[
      "https://www.googleapis.com/auth/drive",
      "https://www.googleapis.com/auth/bigquery",
  ]
)

# Construct a BigQuery client object.
client = bigquery.Client(credentials=credentials, project=project)

3. Inspect the credentials and client variables. Neither will contain the drive scope provided.
   OR
4. Attempt to run a query that references a drive-sourced table and receive the error: google.api_core.exceptions.Forbidden: 403 Access Denied: BigQuery BigQuery: Permission denied while getting Drive credentials.

The user I am authenticating as has viewer permissions for the sheet in question.

[busunkim96]

Hi,

It looks like you're following the sample on this page.

My guess is that you see a 403 because user credentials technically cannot request additional scopes after creation.

https://github.com/googleapis/google-auth-library-python/blob/ec2fb18e7f0f452fb20e43fd0bfbb788bcf7f46b/google/oauth2/credentials.py#L196-L200

Could you try passing the drive scope when you activate application default credentials?

gcloud auth application-default login --scopes=openid,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/drive

And to check, if you use a service account are you able to successfully run the code?

[ipear3]

Thank you for educating me, I was able to query drive data using my authorized user after specify the necessary scopes during activation of my application default credentials. I'll answer a couple related Stackoverflow questions so your assistance helps others too.
Also, yes, using a service account I was able to successfully run the code.

Thanks again!

[busunkim96]

@ipear3 That's good to hear!

@tswast I see you've edited that sample most recently, do you think it's worth adding clarification around auth on https://cloud.google.com/bigquery/external-data-drive?

[tswast]

Yes, this is expected behavior for user credentials. It's worth updating the sample.