adding an iss field to IAM tokens (#172)

nytimes · Dec 27, 2018 · 3fb7c2f · 3fb7c2f
1 parent c66e686
commit 3fb7c2f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/auth/gcp/iam.go b/auth/gcp/iam.go
@@ -317,6 +317,7 @@ func (s iamTokenSource) newIAMToken(ctx context.Context, svc *iam.Service) (stri
 	exp := iss.Add(defaultTokenTTL)
 	payload, err := json.Marshal(IAMClaimSet{
 		ClaimSet: jws.ClaimSet{
+			Iss: Issuer,
 			Aud: s.cfg.Audience,
 			Exp: exp.Unix(),
 			Iat: iss.Unix(),

diff --git a/auth/gcp/identity.go b/auth/gcp/identity.go
@@ -162,10 +162,13 @@ func IdentityVerifyFunc(vf func(ctx context.Context, cs IdentityClaimSet) bool)
 
 // Issuers contains the known Google account issuers for identity tokens.
 var Issuers = map[string]bool{
-	"accounts.google.com":         true,
-	"https://accounts.google.com": true,
+	"accounts.google.com": true,
+	Issuer:                true,
 }
 
+// Issuer is the string that will be used for the "iss" field in tokens.
+const Issuer = "https://accounts.google.com"
+
 // ValidIdentityClaims ensures the token audience and issuers match expectations.
 func ValidIdentityClaims(cs IdentityClaimSet, audience string) bool {
 	if cs.Aud != audience {