Consider implementing OpenID Connect ID Token-based credentials for service accounts

[lesv]

This would satisfy the Identity-aware Proxy use case as well as a few other niche cases that have come up.

Context:
https://gist.github.com/jonparrott/cffca2fa7881e03fbe6ff7c25773c9cf
https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/make_iap_request.py#L121

See googleapis/google-auth-library-python#130 for additional context.

[salrashid123]

@broady @JustinBeckwith @ptone

I can implement it in ImpersonatedCredentials.java pretty easily (its just an API call to iamcredentials.generateIdToken()

however, i'd like confirmation the interface is ok below.

Note, the verifyIdToken may involve a 3rd party library. Her'es an example of getting and verifying ID tokens on service accounts, compute engine

• https://gist.github.com/salrashid123/c2502938d90639a675216216abd6079f#file-googleidtoken-java-L170

• google-auth-library-java/credentials/java/com/google/auth/IdTokenProvider.java

public interface IdTokenProvider {

  class IdTokenProviderException extends RuntimeException {
  String getIdToken(String target_audience);
  String getIdToken(String target_audience, boolean include_email);

  /* TODO: java 1.8+ supports statics in interface defintions.
   * boolean verifyIdToken(String idToken, String audience);
  */
}

---

• google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

public String getIdToken(String target_audience) {
   // issue idToken with given audience
   return "theIdToken"
}

public String getIdToken(String target_audience, boolean include_email) {
   // issue idToken with given audience and include the email claim
   return "theIdToken"
}

public static boolean verifyIdToken(String idToken, String audience) {
  // verify id token for signature, exp and audience
  return true;
}

[JustinBeckwith]

I think @chingor13 is actively working on something in this space.

[salrashid123]

ok, let me know if there's any part i can assit with, the impersonatedCredential's implementation of idtokens is here if you need https://gist.github.com/salrashid123/2cd2fb924fa9e4435273abae86b35597

• I also found we've got googleapis based verification here. https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token the python, nodejs samples in that link have verification off off the -auth library set. its upto you if you want to provide a verify step as part of google-auth-java or leave it outside (IMO, including it makes it consistent w/ python, nodejs)

[chingor13]

To clarify, I have been actively working on the JWTCredentials implementation, but not the IdToken implementation.

For the interface, this library does not generally like to return the primitive tokens as the primary return types. Instead, I'd prefer to return a Credentials implementation that can be used with our downstream client libraries. So instead of returning the id token as a String, we'd prefer to return an IdTokenCredentials instance that implements Credentials. The user could use these credentials with a google-cloud-java library. We could provide an accessor on IdTokenCredentials to return the raw token similar to how OAuth2Credentials#getAccessToken() returns an oauth2 token for inspection.

So perhaps the interface should be something like:

public interface IdTokenProvider {
  IdTokenCredentials idTokenWithAudience(String audience);
}

A few other things to consider:

• Does the interface need to be public?
• Can you clarify why the version with include_email is necessary?

Note that we do have an IdToken implementation in google-oauth-client that does include verification.

[salrashid123]

• re: returning a Credential. SGTM.

• re: include_email. Well, thats just to make it parity with the underlying API for iamcredentials.generateIdToken()
  delegates isnt' included since its inherited automatically from the sourceCredentials

re: public interface IdTokenProvider { ...ah...i don't think you can make the interface private outside of hte package...AFAIK

re: verify step being done outside library
thats fine by me.

---

note, i wrote up the flows here but so far just used a 3rd party library for java for serviceAccounts. Once impersonatedCredentials in any language is available, i'll add it in there

• https://github.com/salrashid123/salrashid123.github.io/tree/master/google_id_token

---

Are you ok w/ a PR for starters that implements idtokens at the moment?

[chingor13]

Yep, let's go ahead and start on this.

[salrashid123]

i've got the code ready but wanted confirmation
I've basically created a new IdTokenCredential which accepts a source GoogleCredential that implements an IdTokenProvider interface

• IdTokenCredentials:

public static IdTokenCredentials create(GoogleCredentials sourceCredentials, String targetAudience,
      List<String> options) {

• IdTokenProvider interface

IdToken idTokenWithAudience(String targetAudience, List<String> options);

I wanted to confirm this is ok (i've got it working but before i file the PR and testcase...

---

sample usage

 String credPath = "/svc.json";
 String targetAudience = "https://myapp-6w42z6vi3q-uc.a.run.app";

• ADC

// ADC (ServiceAccount)
// export GOOGLE_APPLICATION_CREDENTIALS=svc.json
GoogleCredentials adcCreds = GoogleCredentials.getApplicationDefault();
//IdTokenCredentials tokenCredential = IdTokenCredentials.create(adcCreds, targetAudience);
IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
  .setSourceCredentials(adcCreds)
  .setTargetAudience(targetAudience).build();

• ServiceAccountCredentials:

// ServiceAccountCredentials
ServiceAccountCredentials saCreds = ServiceAccountCredentials
       .fromStream(new FileInputStream(credPath));
saCreds = (ServiceAccountCredentials) saCreds.createScoped(Arrays.asList("https://www.googleapis.com/auth/iam"));

IdTokenCredentials tokenCredential = IdTokenCredentials.create(saCreds, targetAudience);

• ImpersonatedCredentials

// ImpersonatedCredentials
ImpersonatedCredentials imCreds = ImpersonatedCredentials.create(saCreds,
   "impersonated-account@project.iam.gserviceaccount.com", null,
   Arrays.asList("https://www.googleapis.com/auth/userinfo.email"), 300);

IdTokenCredentials tokenCredential = IdTokenCredentials.create(imCreds, 
   targetAudience, Arrays.asList(ImpersonatedCredentials.INCLUDE_EMAIL));

• ComputeCredentials:

// ComputeEngineCredentials
ComputeEngineCredentials caCreds = ComputeEngineCredentials.create();

IdTokenCredentials tokenCredential = IdTokenCredentials.create(caCreds, 
  targetAudience, 
  Arrays.asList(ComputeEngineCredentials.ID_TOKEN_FORMAT_FULL, 
                        ComputeEngineCredentials.ID_TOKEN_LICENSES_TRUE));               

• then with any of the above, invoke the target endpoint

// Invoke the API
GenericUrl genericUrl = new GenericUrl("https://myapp-6w42z6vi3q-uc.a.run.app");
HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(tokenCredential);
HttpTransport transport = new NetHttpTransport();
HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
request.setThrowExceptionOnExecuteError(false);
HttpResponse response = request.execute();
String r = response.parseAsString();
System.out.println(r);

System.out.println(tokenCredential.getIdToken().getTokenValue());
System.out.println(tokenCredential.getIdToken().getExpirationTime());
System.out.println(tokenCredential.getIdToken().getAudience());

If this looks ok (vs something like deriving an idtokencredential directly from another credential idtokencredential = computecredential.getIDToken(aud,etc) ...let me know; i think the latter is a bit complecated since i have to figure out how to do automatic refresh by chaining both credentials....I think its cleaner with what i've got here