refactor: replace requests with urllib3

CHANGELOG.md

@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+### Changed
+
+* Drop dependency on `requests` in favor of underlying
+  `urllib3` ([#333](https://github.com/di/id/pull/333))
+
 ## [1.5.0]
 
 ### Changed

id/_internal/oidc/ambient.py

@@ -25,7 +25,7 @@
 import shutil
 import subprocess  # nosec B404
 
-import requests
+import urllib3
 
 from ... import AmbientCredentialError, GitHubOidcPermissionCredentialError
 
@@ -77,22 +77,24 @@ def detect_github(audience: str) -> str | None:
         )
 
     logger.debug("GitHub: requesting OIDC token")
-    resp = requests.get(
-        req_url,
-        params={"audience": audience},
-        headers={"Authorization": f"bearer {req_token}"},
-        timeout=30,
-    )
+
     try:
-        resp.raise_for_status()
-    except requests.HTTPError as http_error:
-        raise AmbientCredentialError(
-            f"GitHub: OIDC token request failed (code={resp.status_code}, "
-            f"body={resp.content.decode()!r})"
-        ) from http_error
-    except requests.Timeout:
+        resp = urllib3.request(
+            "GET",
+            req_url,
+            fields={"audience": audience},
+            headers={"Authorization": f"bearer {req_token}"},
+            timeout=30,
+        )
+    except urllib3.exceptions.MaxRetryError:
         raise AmbientCredentialError("GitHub: OIDC token request timed out")
 
+    if resp.status != 200:
+        raise AmbientCredentialError(
+            f"GitHub: OIDC token request failed (code={resp.status}, "
+            f"body={resp.data.decode()!r})"
+        )
+
     try:
         body = resp.json()
         value = body["value"]
@@ -122,47 +124,50 @@ def detect_gcp(audience: str) -> str | None:
         logger.debug("GCP: GOOGLE_SERVICE_ACCOUNT_NAME set; attempting impersonation")
 
         logger.debug("GCP: requesting access token")
-        resp = requests.get(
-            _GCP_TOKEN_REQUEST_URL,
-            params={"scopes": "https://www.googleapis.com/auth/cloud-platform"},
-            headers={"Metadata-Flavor": "Google"},
-            timeout=30,
-        )
+
         try:
-            resp.raise_for_status()
-        except requests.HTTPError as http_error:
-            raise AmbientCredentialError(
-                f"GCP: access token request failed (code={resp.status_code}, "
-                f"body={resp.content.decode()!r})"
-            ) from http_error
-        except requests.Timeout:
+            resp = urllib3.request(
+                "GET",
+                _GCP_TOKEN_REQUEST_URL,
+                fields={"scopes": "https://www.googleapis.com/auth/cloud-platform"},
+                headers={"Metadata-Flavor": "Google"},
+                timeout=30,
+            )
+        except urllib3.exceptions.MaxRetryError:
             raise AmbientCredentialError("GCP: access token request timed out")
 
+        if resp.status != 200:
+            raise AmbientCredentialError(
+                f"GCP: access token request failed (code={resp.status}, "
+                f"body={resp.data.decode()!r})"
+            )
+
         access_token = resp.json().get("access_token")
 
         if not access_token:
             raise AmbientCredentialError("GCP: access token missing from response")
 
-        resp = requests.post(
-            _GCP_GENERATEIDTOKEN_REQUEST_URL.format(service_account_name),
-            json={"audience": audience, "includeEmail": True},
-            headers={
-                "Authorization": f"Bearer {access_token}",
-            },
-            timeout=30,
-        )
-
         logger.debug("GCP: requesting OIDC token")
+
         try:
-            resp.raise_for_status()
-        except requests.HTTPError as http_error:
-            raise AmbientCredentialError(
-                f"GCP: OIDC token request failed (code={resp.status_code}, "
-                f"body={resp.content.decode()!r})"
-            ) from http_error
-        except requests.Timeout:
+            resp = urllib3.request(
+                "POST",
+                _GCP_GENERATEIDTOKEN_REQUEST_URL.format(service_account_name),
+                json={"audience": audience, "includeEmail": True},
+                headers={
+                    "Authorization": f"Bearer {access_token}",
+                },
+                timeout=30,
+            )
+        except urllib3.exceptions.MaxRetryError:
             raise AmbientCredentialError("GCP: OIDC token request timed out")
 
+        if resp.status != 200:
+            raise AmbientCredentialError(
+                f"GCP: OIDC token request failed (code={resp.status}, "
+                f"body={resp.data.decode()!r})"
+            )
+
         oidc_token: str = resp.json().get("token")
 
         if not oidc_token:
@@ -186,25 +191,26 @@ def detect_gcp(audience: str) -> str | None:
             return None
 
         logger.debug("GCP: requesting OIDC token")
-        resp = requests.get(
-            _GCP_IDENTITY_REQUEST_URL,
-            params={"audience": audience, "format": "full"},
-            headers={"Metadata-Flavor": "Google"},
-            timeout=30,
-        )
 
         try:
-            resp.raise_for_status()
-        except requests.HTTPError as http_error:
-            raise AmbientCredentialError(
-                f"GCP: OIDC token request failed (code={resp.status_code}, "
-                f"body={resp.content.decode()!r})"
-            ) from http_error
-        except requests.Timeout:
+            resp = urllib3.request(
+                "GET",
+                _GCP_IDENTITY_REQUEST_URL,
+                fields={"audience": audience, "format": "full"},
+                headers={"Metadata-Flavor": "Google"},
+                timeout=30,
+            )
+        except urllib3.exceptions.MaxRetryError:
             raise AmbientCredentialError("GCP: OIDC token request timed out")
 
+        if resp.status != 200:
+            raise AmbientCredentialError(
+                f"GCP: OIDC token request failed (code={resp.status}, "
+                f"body={resp.data.decode()!r})"
+            )
+
         logger.debug("GCP: successfully requested OIDC token")
-        return resp.text
+        return resp.data.decode()
 
 
 def detect_buildkite(audience: str) -> str | None:

pyproject.toml

@@ -23,7 +23,7 @@ classifiers = [
   "Topic :: Security",
   "Topic :: Security :: Cryptography",
 ]
-dependencies = ["requests"]
+dependencies = ["urllib3 >= 2, < 3"]
 requires-python = ">=3.8"
 
 [project.urls]
@@ -43,7 +43,6 @@ lint = [
   # NOTE(ww): ruff is under active development, so we pin conservatively here
   # and let Dependabot periodically perform this update.
   "ruff < 0.8.7",
-  "types-requests",
 ]
 dev = ["build", "bump >= 1.3.2", "id[test,lint]"]