Comments (7)
@broady @JustinBeckwith @ptone
I can implement it in ImpersonatedCredentials.java pretty easily (it's just an API call to iamcredentials.generateIdToken()); however, I'd like confirmation the interface is ok below.
Note, the verifyIdToken may involve a 3rd party library. Here's an example of getting and verifying ID tokens on service accounts, compute engine:
https://gist.github.com/salrashid123/c2502938d90639a675216216abd6079f#file-googleidtoken-java-L170
google-auth-library-java/credentials/java/com/google/auth/IdTokenProvider.java

    public interface IdTokenProvider {
      // Thrown when the underlying token-minting call fails.
      class IdTokenProviderException extends RuntimeException {}

      // Issue an ID token for the given audience.
      String getIdToken(String target_audience);

      // Issue an ID token for the given audience, optionally including the email claim.
      String getIdToken(String target_audience, boolean include_email);

      /* TODO: java 1.8+ supports statics in interface definitions.
       * boolean verifyIdToken(String idToken, String audience);
       */
    }

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

    public String getIdToken(String target_audience) {
      // issue idToken with given audience
      return "theIdToken";
    }

    public String getIdToken(String target_audience, boolean include_email) {
      // issue idToken with given audience and include the email claim
      return "theIdToken";
    }

    public static boolean verifyIdToken(String idToken, String audience) {
      // verify id token for signature, exp and audience
      return true;
    }
from google-auth-library-java.
I think @chingor13 is actively working on something in this space.
from google-auth-library-java.
ok, let me know if there's any part I can assist with; the ImpersonatedCredentials implementation of idtokens is here if you need it: https://gist.github.com/salrashid123/2cd2fb924fa9e4435273abae86b35597
I also found we've got googleapis-based verification here: https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token. The python, nodejs samples in that link have verification off of the auth library set. It's up to you if you want to provide a verify step as part of google-auth-java or leave it outside (IMO, including it makes it consistent w/ python, nodejs).
from google-auth-library-java.
To clarify, I have been actively working on the JWTCredentials implementation, but not the IdToken implementation.
For the interface, this library does not generally like to return the primitive tokens as the primary return types. Instead, I'd prefer to return a Credentials implementation that can be used with our downstream client libraries. So instead of returning the id token as a String, we'd prefer to return an IdTokenCredentials instance that implements Credentials. The user could use these credentials with a google-cloud-java library. We could provide an accessor on IdTokenCredentials to return the raw token similar to how OAuth2Credentials#getAccessToken() returns an oauth2 token for inspection.
So perhaps the interface should be something like:

    public interface IdTokenProvider {
      IdTokenCredentials idTokenWithAudience(String audience);
    }

A few other things to consider:
- Does the interface need to be public?
- Can you clarify why the version with include_email is necessary?
Note that we do have an IdToken implementation in google-oauth-client that does include verification.
from google-auth-library-java.
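Since the thread leaves the verify step to the relying party, here is an added example (not code from this thread or from google-auth-library-java) of that check using google-oauth-client's GoogleIdTokenVerifier, the implementation the comment above refers to. It checks signature, issuer, audience and expiry in one call; the audience URL is the Cloud Run sample value used later in this thread and the class name IdTokenCheck is my own.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;

/** Relying-party side: validates a Google-issued ID token before trusting any claim in it. */
public final class IdTokenCheck {

  // Assumed audience: the URL of the service the token was minted for (sample value from the thread).
  static final String EXPECTED_AUDIENCE = "https://myapp-6w42z6vi3q-uc.a.run.app";

  // The verifier fetches and caches Google's public signing certificates; by default it only
  // accepts the accounts.google.com / https://accounts.google.com issuers and applies a small
  // clock-skew tolerance to the exp/iat claims.
  private static final GoogleIdTokenVerifier VERIFIER =
      new GoogleIdTokenVerifier.Builder(new NetHttpTransport(), GsonFactory.getDefaultInstance())
          // Audience check: a token minted for a different service is rejected here.
          .setAudience(Collections.singletonList(EXPECTED_AUDIENCE))
          .build();

  /**
   * Returns the verified payload, or null when the signature, issuer, audience or expiry check
   * fails. Network errors while fetching certificates surface as IOException.
   */
  public static GoogleIdToken.Payload verify(String idTokenString)
      throws GeneralSecurityException, IOException {
    GoogleIdToken idToken = VERIFIER.verify(idTokenString);
    return idToken == null ? null : idToken.getPayload();
  }

  public static void main(String[] args) throws Exception {
    // In a server the token string comes from the incoming Authorization: Bearer header.
    String incoming = args.length > 0 ? args[0] : "";
    GoogleIdToken.Payload payload = verify(incoming);
    if (payload == null) {
      System.out.println("rejected: bad signature, wrong audience/issuer, or expired");
      return;
    }
    // 'sub' is the stable caller identity; 'email' is only meaningful when email_verified is true,
    // which is why include_email alone is not enough to authorise on the email claim.
    System.out.println("subject: " + payload.getSubject());
    if (Boolean.TRUE.equals(payload.getEmailVerified())) {
      System.out.println("verified email: " + payload.getEmail());
    }
  }
}
```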
- re: returning a Credential. SGTM.
- re: include_email. Well, that's just to make it parity with the underlying API for iamcredentials.generateIdToken(); delegates isn't included since it's inherited automatically from the sourceCredentials.
- re: public interface IdTokenProvider { ...ah... I don't think you can make the interface private outside of the package... AFAIK.
- re: verify step being done outside library: that's fine by me.
note, I wrote up the flows here but so far just used a 3rd party library for java for serviceAccounts. Once impersonatedCredentials in any language is available, I'll add it in there.
Are you ok w/ a PR for starters that implements idtokens at the moment?
from google-auth-library-java.
Yep, let's go ahead and start on this.
from google-auth-library-java.
I've got the code ready but wanted confirmation.
I've basically created a new IdTokenCredentials which accepts a source GoogleCredentials that implements an IdTokenProvider interface.

IdTokenCredentials:

    public static IdTokenCredentials create(GoogleCredentials sourceCredentials, String targetAudience,
        List<String> options) { ... }

IdTokenProvider interface:

    IdToken idTokenWithAudience(String targetAudience, List<String> options);

I wanted to confirm this is ok (I've got it working, but before I file the PR and testcase...).
sample usage

    String credPath = "/svc.json";
    String targetAudience = "https://myapp-6w42z6vi3q-uc.a.run.app";

ADC:

    // ADC (ServiceAccount)
    // export GOOGLE_APPLICATION_CREDENTIALS=svc.json
    GoogleCredentials adcCreds = GoogleCredentials.getApplicationDefault();
    //IdTokenCredentials tokenCredential = IdTokenCredentials.create(adcCreds, targetAudience);
    IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
        .setSourceCredentials(adcCreds)
        .setTargetAudience(targetAudience).build();

ServiceAccountCredentials:

    // ServiceAccountCredentials
    ServiceAccountCredentials saCreds = ServiceAccountCredentials
        .fromStream(new FileInputStream(credPath));
    saCreds = (ServiceAccountCredentials) saCreds.createScoped(Arrays.asList("https://www.googleapis.com/auth/iam"));
    IdTokenCredentials tokenCredential = IdTokenCredentials.create(saCreds, targetAudience);

ImpersonatedCredentials:

    // ImpersonatedCredentials
    ImpersonatedCredentials imCreds = ImpersonatedCredentials.create(saCreds,
        "[email protected]", null,
        Arrays.asList("https://www.googleapis.com/auth/userinfo.email"), 300);
    IdTokenCredentials tokenCredential = IdTokenCredentials.create(imCreds,
        targetAudience, Arrays.asList(ImpersonatedCredentials.INCLUDE_EMAIL));

ComputeEngineCredentials:

    // ComputeEngineCredentials
    ComputeEngineCredentials caCreds = ComputeEngineCredentials.create();
    IdTokenCredentials tokenCredential = IdTokenCredentials.create(caCreds,
        targetAudience,
        Arrays.asList(ComputeEngineCredentials.ID_TOKEN_FORMAT_FULL,
            ComputeEngineCredentials.ID_TOKEN_LICENSES_TRUE));

then with any of the above, invoke the target endpoint:

    // Invoke the API
    GenericUrl genericUrl = new GenericUrl("https://myapp-6w42z6vi3q-uc.a.run.app");
    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(tokenCredential);
    HttpTransport transport = new NetHttpTransport();
    HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
    request.setThrowExceptionOnExecuteError(false);
    HttpResponse response = request.execute();
    String r = response.parseAsString();
    System.out.println(r);
    System.out.println(tokenCredential.getIdToken().getTokenValue());
    System.out.println(tokenCredential.getIdToken().getExpirationTime());
    System.out.println(tokenCredential.getIdToken().getAudience());
If this looks ok (vs something like deriving an IdTokenCredentials directly from another credential: idtokencredential = computecredential.getIDToken(aud, etc)) ...let me know; I think the latter is a bit complicated since I have to figure out how to do automatic refresh by chaining both credentials.... I think it's cleaner with what I've got here.
from google-auth-library-java.