Create and verify Google OIDC tokens #2786

salrashid123 opened this issue Jun 18, 2019 · 9 comments
Labels: cpp: backlog (While desirable, we do not have time to work on this for the foreseeable future.); type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.)

Comments

@salrashid123

FR to provide an API to create and verify google OIDC tokens.

These id_tokens are based on service account type flows (service_account.json, compute engine, impersonated credentials) and can be used to invoke user services behind Cloud Run, Cloud Functions and behind IAP.

GCP services like nodejs and google-auth-python currently support an API to generate these tokens if given a service account credential or on compute engine.

If it helps, here are mostly raw implementations:

Suggested interface would be

  • Create .getGoogleIdToken(audience)

  • Verify .verifyIdToken(token, audience, cert_url)

@coryan (Contributor) commented Jun 18, 2019

I assume "OIDC" stands for OpenID Connect? It is unlikely that this would get prioritized. This repository is for the client libraries for Google services, which AFAIK do not use OIDC. We wouldn't write a client library for a user service hosted on GCP (with whatever authentication they decide to use). And we are not writing a general-purpose authentication library.

I am going to keep this open for a while in case I missed something, and close it unless I hear of a good reason why we should do this.

yoshi-automation added the "triage me" label Jun 18, 2019
devjgm added the "type: feature request" label and removed the "triage me" label Jun 19, 2019
coryan added this to the Unified Auth Client for C++ milestone Mar 18, 2021
@coryan (Contributor) commented Apr 2, 2021

A great intro to these and how they could be useful is here:

https://medium.com/google-cloud/authenticating-using-google-openid-connect-tokens-e7675051213b

Note that we now have an API to create these via the IAM credentials service:

GenerateIdToken(std::string const& name,

@devjgm (Contributor) commented Mar 10, 2022

Still need this.

@salrashid123 (Author) commented

@devjgm just to understand, there are several ways to get a google_id token from google credentials (at least in other google-auth language libraries).

Which mode(s) are you looking at for this?

  • from a service account json file (or generally, with a private key)
  • from gcp metadata server
  • from iamcredentials api and self-impersonation (mentioned in a previous comment)
  • from workload identity federation based credentials (which actually involves the iamcredentials ultimately ref)

It's of course possible to generate an id_token on your own, but it's really much better to source it from a known google credential (meaning +1 for this request).

@devjgm (Contributor) commented Mar 10, 2022

I'm not sure of the details. But we were revisiting old issues, closing some and keeping some open. I just commented on this one indicating that we didn't want to close it.

@salrashid123 (Author) commented

For reference, here's a basic (read: I don't really know C++) standalone google id token generator for the first two scenarios described above.

@coryan (Contributor) commented Aug 11, 2022

Reviewing old feature requests, still wanted, but cannot allocate time right now.

@coryan (Contributor) commented Sep 12, 2022

@hitesh-kumain if you are interested, consider sending a PR to fix part of this bug. It would be useful to have a way to validate OIDC tokens, as such code can be used in Cloud Run C++ services.

Make sure you do not introduce new dependencies. There are some (very nice) examples in this bug, but dependency management in C++ is difficult, adding new dependencies requires much deliberation. In this case, all we need should already be there.

Once you send a PR I will assign the bug to you. Do not worry, nobody is likely to start on this for the next few weeks.
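The checks a token validator for a Cloud Run service has to perform (the verifyIdToken(token, audience, cert_url) half of the original request, and what this comment asks a PR to implement) are easy to get subtly wrong, so here is an added reference example. It is not google-cloud-cpp code and not the issue author's; it is written in Python with the standard library only so it runs offline. The RSA key, the kid, the Cloud Run URL and the claim values are constructed for the demo: the script mints a token shaped like the ones the metadata server or the IAM credentials API return, then verifies it the way a relying party should (algorithm pinned, key selected by kid from the JWKS document, signature before claims, then issuer, audience and lifetime). A real verifier fetches the JWKS from cert_url, which for Google is https://www.googleapis.com/oauth2/v3/certs, and never signs anything itself.

```python
# Added example (not google-cloud-cpp code): what a relying party such as a Cloud Run
# service must check before trusting a Google ID token. Standard library only.
# The key pair, kid, audience URL and claims below are constructed for the demo.
import base64, hashlib, json, random, time

ISSUERS = ("https://accounts.google.com", "accounts.google.com")
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- toy RSA / RSASSA-PKCS1-v1_5 with SHA-256, just enough to exercise the verifier ---
def _probable_prime(n, rng, rounds=16):              # Miller-Rabin, n odd
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_demo_key(bits=1024, seed=2786):
    """Seeded, small, demo-only key pair (n, e, d). Never generate real keys this way."""
    rng, e = random.Random(seed), 65537
    def prime(b):
        while True:
            c = rng.getrandbits(b) | 1 << (b - 1) | 1
            if _probable_prime(c, rng):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                         # e prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def _emsa(msg, k):                                     # EMSA-PKCS1-v1_5 encoding, k = modulus bytes
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(msg, k)

def mint_id_token(claims, kid, n, d):
    """Same shape as the token the metadata server / IAM credentials API return (demo key)."""
    hdr = {"alg": "RS256", "typ": "JWT", "kid": kid}
    si = b64url(json.dumps(hdr).encode()) + "." + b64url(json.dumps(claims).encode())
    return si + "." + b64url(rs256_sign(si.encode(), n, d))

class TokenError(ValueError):
    pass

def verify_id_token(token, audience, jwks, now=None, skew=60):
    """Return the claims of a valid token or raise TokenError.
    jwks is the parsed cert_url document: {"keys": [{"kty": "RSA", "kid": ..., "n": ..., "e": ...}]}."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64url_dec(h64)), json.loads(b64url_dec(p64)), b64url_dec(s64)
    except ValueError:                                 # wrong part count, bad base64, bad JSON
        raise TokenError("malformed token")
    # Pin the algorithm before trusting anything else in the header: this rejects
    # "none" and HS256 key-confusion tokens no matter what the attacker wrote there.
    if header.get("alg") != "RS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    # Select the key by kid. Google rotates keys; an unknown kid means "refetch cert_url".
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenError("unknown kid")
    n, e = (int.from_bytes(b64url_dec(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), sig, n, e):
        raise TokenError("bad signature")
    # Only now are the claims worth reading.
    if claims.get("iss") not in ISSUERS:
        raise TokenError("bad issuer %r" % claims.get("iss"))
    if claims.get("aud") != audience:                  # a token minted for another service must not open this one
        raise TokenError("audience %r != %r" % (claims.get("aud"), audience))
    now = time.time() if now is None else now
    try:
        exp, iat = int(claims["exp"]), int(claims["iat"])
    except (KeyError, TypeError, ValueError):
        raise TokenError("missing exp/iat")
    if exp + skew < now:
        raise TokenError("expired")
    if iat - skew > now:
        raise TokenError("issued in the future")
    return claims

def demo(now=1_700_000_000):
    """Mint one good token with the demo key, then show what the verifier rejects."""
    n, e, d = make_demo_key()
    kid = "demo-kid-2786"                              # constructed
    jwks = {"keys": [{"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig",
                      "n": b64url(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64url(e.to_bytes(3, "big"))}]}
    aud = "https://my-service-abc123-uc.a.run.app"   # constructed Cloud Run URL
    claims = {"iss": "https://accounts.google.com", "aud": aud, "azp": "1234567890",
              "sub": "1234567890", "email": "svc@project.iam.gserviceaccount.com",
              "email_verified": True, "iat": now, "exp": now + 3600}
    tok = mint_id_token(claims, kid, n, d)
    h64, p64, s64 = tok.split(".")
    forged = h64 + "." + b64url(json.dumps({**claims, "email": "attacker@example.com"}).encode()) + "." + s64
    alg_none = b64url(b'{"alg":"none"}') + "." + p64 + "."
    out = {"ok": verify_id_token(tok, aud, jwks, now=now)["email"]}
    for case, t, a, at in (("wrong_aud", tok, "https://other-service", now),
                           ("expired", tok, aud, now + 7200),
                           ("forged_claims", forged, aud, now),
                           ("alg_none", alg_none, aud, now)):
        try:
            verify_id_token(t, a, jwks, now=at)
            out[case] = "ACCEPTED (bug)"
        except TokenError as err:
            out[case] = str(err)
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order matters: signature first, claims second, and the algorithm pinned before either, so an attacker controls nothing the verifier acts on until the signature has been checked against a key the verifier chose. The clock skew (60 s here) is the usual allowance for drift between Google and the service; a production verifier would also cache the JWKS per the endpoint's Cache-Control and refetch on an unknown kid rather than failing closed forever.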

@coryan (Contributor) commented Feb 15, 2023

Realistically we do not have time to work on this for the foreseeable future. Closing for now.

coryan closed this as completed Feb 15, 2023
coryan added the "cpp: backlog" label Feb 15, 2023
Projects
None yet
Development

No branches or pull requests

4 participants