Create and verify Google OIDC tokens #2786
Comments
I assume "OIDC" stands for OpenID Connect? It is unlikely that this would get prioritized. This repository is for the client libraries for Google services, which AFAIK, do not use OIDC. We wouldn't write a client library for a user service hosted on GCP (with whatever authentication they decide to use). And we are not writing a general-purpose authentication library. I am going to keep this open for a while in case I missed something, and close it unless I hear of a good reason why we should do this.
A great intro to these and how they could be useful is here: https://medium.com/google-cloud/authenticating-using-google-openid-connect-tokens-e7675051213b Note that we now have an API to create these via the IAM credentials service:
Still need this.
@devjgm just to understand, there are several ways to get a google_id token from google credentials (at least in other google-auth language libraries); which mode(s) are you looking at for this?
It's of course possible to generate an id_token on your own but it's really much better to source from a known google credential (meaning +1 for this request)
I'm not sure of the details. But we were revisiting old issues, closing some and keeping some open. I just commented on this one indicating that we didn't want to close it.
for ref, here's a basic (read: I don't really know cpp) standalone google id token generator for the first two scenarios described above.
Reviewing old feature requests, still wanted, but cannot allocate time right now.
@hitesh-kumain if you are interested, consider sending a PR to fix part of this bug. It would be useful to have a way to validate OIDC tokens, as such code can be used in Cloud Run C++ services. Make sure you do not introduce new dependencies. There are some (very nice) examples in this bug, but dependency management in C++ is difficult, adding new dependencies requires much deliberation. In this case, all we need should already be there. Once you send a PR I will assign the bug to you. Do not worry, nobody is likely to start on this for the next few weeks.
Realistically we do not have time to work on this for the foreseeable future. Closing for now.
FR to provide an API to create and verify google OIDC tokens.
These id_tokens are based on service account type flows (service_account.json, compute engine, impersonated credentials) and can be used to invoke user services behind Cloud Run, Cloud Functions and behind IAP.
GCP services like nodejs and google-auth-python currently support an API to generate these tokens if given a service account credential or on compute engine.
If it helps, here are mostly raw implementations:
Suggested interface would be
Create
.getGoogleIdToken(audience)
Verify
.verifyIdToken(token, audience, cert_url)