Implement support for sending OIDC auth tokens with request

[acoulton]

Reproduced the new README section here for ease

Adds support for OIDC token authentication for HTTP target tasks. Tokens will be issued and signed by the emulator's (insecure) private key. The emulator will accept, and issue tokens for, any ServiceAccountEmail provided by the client.

By default, the JWT iss (issuer) field is "http://cloud-tasks-emulator".

Optionally, the emulator can host an HTTP OIDC discovery endpoint. This allows your application to verify tokens at runtime with the full online flow.

To enable this, specify an issuer value at startup:

go run ./ -openid-issuer http://localhost:8980

With this flag:

• JWTs will have an iss field of http://localhost:8980
• The discovery document will be available at http://localhost:8980/.well-known/openid-configuration
• The emulator's public key(s) (in JWK format) will be available at http://localhost:8980/jwks

The -openid-issuer URL can be any http://hostname:port value that your application code can route to. The endpoint listens on 0.0.0.0 for easy use in docker / k8s environments.

You can, of course, export the content of the /jwks url if you prefer to hardcode the public keys in your application.

[aertje]

Thanks @acoulton ! I'm afraid I won't get to this until the weekend though!

[acoulton]

No problem

[aertje]

What a fantastic piece of work!

[acoulton]

What a fantastic piece of work!

Thanks very much :) Did you mean to merge it?

[aertje]

Just waiting for a colleague (with more go experience) to have a look too.

[acoulton]

ah, no worries - thanks.

[acoulton]

Fab, thanks :)