[DRAFT] feat(auth): allow single-string scopes for google.auth.default

packages/google-auth/google/auth/_default.py

@@ -22,7 +22,7 @@
 import json
 import logging
 import os
-from typing import Optional, Sequence, TYPE_CHECKING
+from typing import Optional, Sequence, TYPE_CHECKING, Union
 import warnings
 
 from google.auth import environment_vars
@@ -591,7 +591,7 @@ def _apply_quota_project_id(credentials, quota_project_id):
 
 
 def default(
-    scopes: Optional[Sequence[str]] = None,
+    scopes: Optional[Union[Sequence[str], str]] = None,
     request: Optional["google.auth.transport.Request"] = None,
     quota_project_id: Optional[str] = None,
     default_scopes: Optional[Sequence[str]] = None,
@@ -666,7 +666,7 @@ def default(
         credentials, project_id = google.auth.default()
 
     Args:
-        scopes (Sequence[str]): The list of scopes for the credentials. If
+        scopes (Optional[Union[Sequence[str], str]]): The list of scopes for the credentials. If
             specified, the credentials will automatically be scoped if
             necessary.
         request (Optional[google.auth.transport.Request]): An object used to make

packages/google-auth/google/auth/app_engine.py

@@ -95,11 +95,11 @@ def __init__(
     ):
         """
         Args:
-            scopes (Sequence[str]): Scopes to request from the App Identity
+            scopes (Optional[Sequence[str]]): Scopes to request from the App Identity
                 API.
-            default_scopes (Sequence[str]): Default scopes passed by a
+            default_scopes (Optional[Sequence[str]]): Default scopes passed by a
                 Google client library. Use 'scopes' for user-defined scopes.
-            service_account_id (str): The service account ID passed into
+            service_account_id (Optional[str]): The service account ID passed into
                 :func:`google.appengine.api.app_identity.get_access_token`.
                 If not specified, the default application service account
                 ID will be used.

packages/google-auth/google/auth/credentials.py

@@ -16,14 +16,14 @@
 """Interfaces for credentials."""
 
 import abc
+import datetime
 from enum import Enum
 import logging
 import os
-from typing import Dict, List, Optional, TYPE_CHECKING
+from typing import Dict, List, Optional, Sequence, TYPE_CHECKING, Union
 from urllib.parse import urlparse
 import warnings
 
-
 from google.auth import _helpers, environment_vars
 from google.auth import _regional_access_boundary_utils
 from google.auth import exceptions
@@ -66,16 +66,16 @@ class Credentials(_BaseCredentials):
     def __init__(self):
         super(Credentials, self).__init__()
 
-        self.expiry = None
+        self.expiry: Optional[datetime.datetime] = None
         """Optional[datetime]: When the token expires and is no longer valid.
         If this is None, the token is assumed to never expire."""
-        self._quota_project_id = None
+        self._quota_project_id: Optional[str] = None
         """Optional[str]: Project to use for quota and billing purposes."""
-        self._trust_boundary = None
+        self._trust_boundary: Optional[dict] = None
         """Optional[dict]: Cache of a trust boundary response which has a list
         of allowed regions and an encoded string representation of credentials
         trust boundary."""
-        self._universe_domain = DEFAULT_UNIVERSE_DOMAIN
+        self._universe_domain: Optional[str] = DEFAULT_UNIVERSE_DOMAIN
         """Optional[str]: The universe domain value, default is googleapis.com
         """
 
@@ -617,12 +617,18 @@ class Scoped(ReadOnlyScoped):
     """
 
     @abc.abstractmethod
-    def with_scopes(self, scopes, default_scopes=None):
+    def with_scopes(
+        self,
+        scopes: Optional[Sequence[str]],
+        default_scopes: Optional[Sequence[str]] = None,
+    ):
         """Create a copy of these credentials with the specified scopes.
 
         Args:
-            scopes (Sequence[str]): The list of scopes to attach to the
+            scopes (Optional[Sequence[str]]): The list of scopes to attach to the
                 current credentials.
+        default_scopes (Optional[Sequence[str]]): Default scopes passed by a
+            Google client library. Use 'scopes' for user-defined scopes.
 
         Raises:
             NotImplementedError: If the credentials' scopes can not be changed.
@@ -632,7 +638,11 @@ def with_scopes(self, scopes, default_scopes=None):
         raise NotImplementedError("This class does not require scoping.")
 
 
-def with_scopes_if_required(credentials, scopes, default_scopes=None):
+def with_scopes_if_required(
+    credentials,
+    scopes: Optional[Union[str, Sequence[str]]],
+    default_scopes: Optional[Sequence[str]] = None,
+):
     """Creates a copy of the credentials with scopes if scoping is required.
 
     This helper function is useful when you do not know (or care to know) the
@@ -645,17 +655,21 @@ def with_scopes_if_required(credentials, scopes, default_scopes=None):
     Args:
         credentials (google.auth.credentials.Credentials): The credentials to
             scope if necessary.
-        scopes (Sequence[str]): The list of scopes to use.
-        default_scopes (Sequence[str]): Default scopes passed by a
+        scopes (Optional[Union[str, Sequence[str]]]): The list of scopes to use.
+        default_scopes (Optional[Sequence[str]]): Default scopes passed by a
             Google client library. Use 'scopes' for user-defined scopes.
 
     Returns:
         google.auth.credentials.Credentials: Either a new set of scoped
             credentials, or the passed in credentials instance if no scoping
             was required.
     """
+    # wrap single-string scopes in a list
+    scopes_seq: Optional[Sequence[str]] = (
+        [scopes] if isinstance(scopes, str) else scopes
+    )
     if isinstance(credentials, Scoped) and credentials.requires_scopes:
-        return credentials.with_scopes(scopes, default_scopes=default_scopes)
+        return credentials.with_scopes(scopes_seq, default_scopes=default_scopes)
     else:
         return credentials
 

packages/google-auth/google/auth/crypt/rsa.py

@@ -16,7 +16,7 @@
 RSA cryptography signer and verifier.
 
 This file provides a shared wrapper, that defers to _python_rsa or _cryptography_rsa
-for implmentations using different third party libraries
+for implementations using different third party libraries
 """
 
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey

packages/google-auth/google/auth/transport/_mtls_helper.py

@@ -50,7 +50,7 @@
     b"-----BEGIN PASSPHRASE-----(.+)-----END PASSPHRASE-----", re.DOTALL
 )
 
-# Temporary patch to accomodate incorrect cert config in Cloud Run prod environment.
+# Temporary patch to accommodate incorrect cert config in Cloud Run prod environment.
 _WELL_KNOWN_CLOUD_RUN_CERT_PATH = (
     "/var/run/secrets/workload-spiffe-credentials/certificates.pem"
 )