Skip to content

GCP: ClientOptions default_headers (Accept-Encoding) break OAuth token fetch #783

Description

@nkemnitz

Describe the bug

ClientOptions::client() applies user default_headers (src/client/mod.rs:843) and also sets .no_gzip()... (mod.rs:929). The GCP token providers reuse that same client (src/gcp/builder.rs:606-608). So a data-plane Accept-Encoding: gzip header leaks onto the OAuth token POST (src/gcp/credential.rs:613-637, accounts.google.com/o/oauth2/token); Google returns gzip, no_gzip skips decoding, and .json() fails → Error::TokenResponseBody. The client tells the server "send gzip" while telling reqwest "don't decode gzip".

To Reproduce

let mut h = http::HeaderMap::new();
h.insert("accept-encoding", "gzip".parse().unwrap());
let store = GoogleCloudStorageBuilder::from_env()
    .with_bucket_name("my-bucket")
    .with_client_options(ClientOptions::new().with_default_headers(h))
    .build()?;
store.get(&"x".into()).await?; // authorized_user ADC: token fetch fails before the GET

Error: Generic { store: "GCS", source: TokenResponseBody(... "expected value at line 1 column 1") }.
(Accept-Encoding: gzip is legitimate: it makes GCS serve Content-Encoding: gzip objects as raw gzip.)

Expected behavior

Setting default_headers for the data plane should not break authentication.

Additional context

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions