
google_id_token's Issues

Question: Is it possible to derive an OIDC token from ADC which resolve to a user account?

Hello @salrashid123, thank you for writing https://medium.com/google-cloud/authenticating-using-google-openid-connect-tokens-e7675051213b, I found it to be very illuminating for understanding google auth.

I'm not sure if this is the right place to ask a question, but here goes.

The background is I'm writing a python client with google-auth to send an authenticated https request to trigger a GCF. Following your writing, I successfully got everything working with service accounts. The GCF is locked down to the service account like this:

gcloud --project PROJECT_NAME \
  functions add-iam-policy-binding FUNCTION_NAME \
  --member='serviceAccount:foobar@PROJECT_NAME.iam.gserviceaccount.com' \
  --role=roles/cloudfunctions.invoker

However, is it possible to derive an acceptable token from application default credentials which resolve to a user account (gcloud auth application-default login), not a service account?

My understanding is that GCF will only accept OIDC tokens, which can only be derived from service account credentials. User accounts are OAuth2 access tokens which do not work.

For example, curling my GCF with

-H "Authorization: Bearer $(gcloud auth application-default print-access-token)"

fails with 401 Unauthorized, as opposed to gcloud auth print-identity-token, which works because I believe it generates an OIDC token (one that corresponds to the default Compute Engine service account? Not sure here).

Thanks for your time.


Side note:

I see that ~/.config/gcloud/application_default_credentials.json doesn't have things like the private key present in SA credential JSON files...

https://google-auth.readthedocs.io/en/latest/reference/google.oauth2.service_account.html#google.oauth2.service_account.IDTokenCredentials

This profile differs from normal OAuth 2.0 profile because no user consent step is required. The use of the private key allows this profile to assert identity directly.

Briefly skimming the code, the private key would be used in creating the necessary google.auth.credentials.Signing.
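A local check of why the access token in the curl above gets a 401, as an added example (not the poster's code and not the repository's): it classifies a bearer token by shape and claims before the request is sent. The function URL, the access-token string and the ID-token payload are constructed samples, and the sample JWT carries no real signature, so this is triage of the token's shape, not verification.

```python
"""Classify a bearer token before sending it to an IAM-protected Cloud Function.

An OAuth2 access token is an opaque string (the kind `gcloud auth
application-default print-access-token` prints), while the function expects an
OIDC ID token: a signed JWT issued by accounts.google.com whose `aud` claim
names the function URL. Added example; sample values below are constructed.
"""
import base64
import json
import time
from typing import Dict, Optional, Tuple

# Constructed sample values for this example (not from the original issue).
FUNCTION_URL = "https://us-central1-example-project.cloudfunctions.net/hello"
SAMPLE_ACCESS_TOKEN = "ya29.a0CONSTRUCTED-OPAQUE-ACCESS-TOKEN"  # shape of an access token
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode_json(segment: str) -> Dict[str, object]:
    # JWT segments drop base64 padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def sample_id_token(aud: str, exp: int,
                    email: str = "foobar@example-project.iam.gserviceaccount.com") -> str:
    """Constructed, UNSIGNED ID-token lookalike; a real one carries an RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    payload = {"iss": "https://accounts.google.com", "aud": aud, "azp": email,
               "email": email, "email_verified": True, "sub": "1234567890",
               "iat": exp - 3600, "exp": exp}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.{_b64url_encode(b'not-a-real-signature')}"


def classify_bearer_token(token: str, expected_audience: str,
                          now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (usable_for_function, reason) from the token's shape and claims.

    Local triage only: it explains a 401 before the request goes out but does
    not verify the signature (google.oauth2.id_token.verify_oauth2_token does
    that against Google's published keys).
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "opaque token, not a JWT: this is an OAuth2 access token, not an OIDC ID token"
    try:
        header = _b64url_decode_json(parts[0])
        payload = _b64url_decode_json(parts[1])
    except (ValueError, UnicodeDecodeError):
        return False, "three dot-separated parts, but header/payload are not base64url JSON"
    if header.get("alg") != "RS256":
        return False, f"unexpected alg {header.get('alg')!r}; Google ID tokens use RS256"
    if payload.get("iss") not in GOOGLE_ISSUERS:
        return False, f"issuer {payload.get('iss')!r} is not accounts.google.com"
    if payload.get("aud") != expected_audience:
        return False, f"aud {payload.get('aud')!r} does not match the function URL {expected_audience!r}"
    if int(payload.get("exp", 0)) <= now:
        return False, "token is expired"
    return True, f"ID token for {payload.get('email', payload.get('sub'))} with matching aud"


if __name__ == "__main__":
    fixed_now = 1_700_000_000
    samples = [("access token", SAMPLE_ACCESS_TOKEN),
               ("id token, right aud", sample_id_token(FUNCTION_URL, fixed_now + 600)),
               ("id token, wrong aud", sample_id_token("https://other.example.com/", fixed_now + 600))]
    for label, tok in samples:
        ok, why = classify_bearer_token(tok, FUNCTION_URL, now=fixed_now)
        print(f"{label:22s} -> {'OK ' if ok else '401'} {why}")
```

The `aud` check is the one that bites most often once a caller does have an ID token: the audience must be the function URL the token was minted for, which is what the `--audiences` flag (and the `target_audience` in the signing libraries) sets.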

Question: is it possible to request an ID token from outside of GCP for a SA?

I am not sure if you could possibly help me. I have seen you have published lots of token related articles so I am hoping you could give me some hints.

The case is that my code runs on my machine outside of GCP. I read somewhere that if I use the SA's private key to sign a JWT and send it to Google's token endpoint, it should return an ID token. I then can use it to call APIs or cloud functions.

My questions are:

  1. What claims should be included in the JWT?
  2. Where should the request be sent to?

Thanks.
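The flow the question describes, as an added example (not the poster's code and not the repository's): the claim set Google's token endpoint expects in a service-account assertion when an ID token rather than an access token is wanted, and the form POST that exchanges it. The service-account email, key id and target audience are constructed sample values; the RS256 signer is built on the `cryptography` package and is only exercised by the stand-alone demo, which generates a throwaway key.

```python
"""Build the JWT-bearer assertion that Google's token endpoint swaps for an ID token.

Claims and endpoint follow Google's service-account JWT flow (the same one
google-auth's IDTokenCredentials implements):
  iss / sub        the service account's client_email
  aud              https://oauth2.googleapis.com/token (the token endpoint, not the function)
  target_audience  the URL the ID token is for; it becomes `aud` in the ID token
  iat / exp        issue time and expiry, at most one hour apart
The assertion is POSTed as grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
and the JSON reply carries `id_token`. Added example; sample values are constructed.
"""
import base64
import json
import time
from typing import Callable, Dict, Tuple

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # assertions that live longer than an hour are rejected

# Constructed sample values for this example (not from the original issue).
SA_EMAIL = "foobar@example-project.iam.gserviceaccount.com"
SA_KEY_ID = "constructed-private-key-id"
TARGET_AUDIENCE = "https://us-central1-example-project.cloudfunctions.net/hello"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment: str) -> Dict[str, object]:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def id_token_assertion_claims(sa_email: str, target_audience: str, now: int,
                              lifetime: int = MAX_LIFETIME) -> Dict[str, object]:
    """The claim set that makes the endpoint return an ID token instead of an access token.

    There is deliberately no `scope` claim: scope is the access-token variant of
    this flow, and `target_audience` is what selects an ID token.
    """
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be 1..3600 seconds")
    return {"iss": sa_email, "sub": sa_email, "aud": TOKEN_ENDPOINT,
            "target_audience": target_audience, "iat": now, "exp": now + lifetime}


def encode_assertion(claims: Dict[str, object], key_id: str,
                     sign: Callable[[bytes], bytes]) -> str:
    """Serialise header.claims and sign it; `sign` must do RSASSA-PKCS1-v1_5 with SHA-256."""
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{_b64url(sign(signing_input.encode('ascii')))}"


def token_request(assertion: str) -> Tuple[str, Dict[str, str]]:
    """Where it goes: a form-encoded POST to the token endpoint."""
    return TOKEN_ENDPOINT, {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def rs256_signer_from_sa_json(sa_json: Dict[str, str]) -> Callable[[bytes], bytes]:
    """Signer from the `private_key` PEM of a downloaded SA key file (needs `cryptography`)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(sa_json["private_key"].encode(), password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Stand-alone demo with a throwaway key; with a real key file, pass json.load(open(path)).
    try:
        from cryptography.hazmat.primitives import serialization
        from cryptography.hazmat.primitives.asymmetric import rsa
        pem = rsa.generate_private_key(public_exponent=65537, key_size=2048).private_bytes(
            serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
            serialization.NoEncryption())
        sign = rs256_signer_from_sa_json({"private_key": pem.decode()})
    except ImportError:
        # No cryptography installed: print the structure with a placeholder signature.
        sign = lambda data: b"cryptography-not-installed-placeholder"
    claims = id_token_assertion_claims(SA_EMAIL, TARGET_AUDIENCE, int(time.time()))
    url, form = token_request(encode_assertion(claims, SA_KEY_ID, sign))
    print("POST", url)
    print(json.dumps(form, indent=2))
```

In practice the same steps are wrapped by google-auth's `google.oauth2.service_account.IDTokenCredentials.from_service_account_file(path, target_audience=...)`, which the first issue on this page links to; the block above shows what that class puts on the wire so the claims and the endpoint are not a black box.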

GetAccessTokenAsync() fails without error

I have adapted the code on this github to get an identity token, but the critical line of code is jumped over without the least bit of error messaging. I posted the following on stack overflow without response. I am hoping someone here can provide advice for resolution.

The original link: https://stackoverflow.com/questions/62163679/google-cloud-identity-token-oidctoken-getaccesstokenasync-fails-and-without-er

When calling a google oauth library method, it fails without error - no amount of try/catch-ing traps any error messages.

I am trying to get an identity token much as I would if I executed gcloud auth print-identity-token from the command line using the gcloud cli.

The reason for wanting the identity token is that another Cloud Function service requires it as Authorization : Bearer [token], and indeed works correctly when I stuff a manually generated identity token in my code. That is not a suitable solution for development or production.

The code snippet I wrote, cobbled from numerous sources, to procure an identity token is this:

    // Needs `using Google.Apis.Auth.OAuth2;` (GoogleCredential, OidcToken, OidcTokenOptions,
    // OidcTokenFormat) and `using System.IO;` for FileStream.
    using (var stream = new FileStream(credentialsFilePath, FileMode.Open, FileAccess.Read))
    {
        var credentials = GoogleCredential.FromStream(stream);
        if (credentials.IsCreateScopedRequired)
        {
            // scopes[0] is a leftover that holds the Cloud Function URL, not an OAuth scope (see below).
            credentials = credentials.CreateScoped(scopes);
        }

        // The options type in Google.Apis.Auth is OidcTokenOptions; the target audience
        // is the URL of the Cloud Function being called.
        OidcToken oidcToken = await credentials.GetOidcTokenAsync(
            OidcTokenOptions
                .FromTargetAudience(scopes[0])
                .WithTokenFormat(OidcTokenFormat.Standard));

        // this line bombs immediately, jumping out of this method and the calling method.
        string token = await oidcToken.GetAccessTokenAsync();

        return token;
    }

In the above code, scopes[0] is left over code from a previous attempt which contains the endpoint to Cloud Function service. https://subdomain.cloudfunctions.net/cloud-function/v1/ is the general form of the cloud function endpoint I am calling as a part of a web api.

Is this a valid and reasonable way to get the equivalent of gcloud auth print-identity-token? If so, why the epic failure?

I need to use a Google service account for service-to-service authentication. Development environment is Visual Studio 2019, .NET Core 3.1, Docker/Linux.

PS - the service account has the cloud function's Cloud Functions Invoker role.

Command listed is not correct for auth token

The --audience flag is invalid:

gcloud auth print-identity-token --audience=https://.....
ERROR: (gcloud.auth.print-identity-token) unrecognized arguments: --audience=https://.... (did you mean '--audiences'?) 

help lists the following:

    To print identity tokens:

        $ gcloud auth print-identity-token

    To print identity token for account '[email protected]' whose audience is
    'https://service-hash-uc.a.run.app', run:

        $ gcloud auth print-identity-token [email protected] \
            --audiences="https://service-hash-uc.a.run.app"
