
Generate id_token from default credentials

Open dinvlad opened this issue 3 years ago • 2 comments

Is your feature request related to a problem? Please describe.

Currently, google.auth.default() generates Credentials that contain a .token that is an access token. We'd like to also generate an id_token with the appropriate audience starting from default credentials.

This would allow us to submit requests that use id_token uniformly among different environments:

  • Local Service Account key
  • Cloud Functions
  • Cloud Run
  • App Engine
  • GKE Workload Identity

Describe the solution you'd like

It would be great to add a method to google.auth.credentials.Credentials that allows id_token generation, e.g.

credentials.id_token(audience='https://example.org')

Describe alternatives you've considered

So far, we had to rely on piece-meal approaches, like this example from https://github.com/apache/airflow/blob/master/airflow/providers/google/common/utils/id_token_credentials.py

This unnecessarily increases the complexity of third-party apps, and we have to re-implement the same logic in each one of them.

It would be preferable to incorporate such logic into this library instead.

Additional context

dinvlad avatar Aug 14 '20 16:08 dinvlad

@arithmetic1728 I stumbled upon this issue recently. Any plan to add support for user credentials? Or a pointer in the right direction?

AndreaGiardini avatar Feb 23 '22 09:02 AndreaGiardini

This is already 2 years old, but it is still not clear why it's impossible to generate an id_token for user credentials. The workaround (i.e. id_token_credentials.py) allows getting the id_token, but not for the right audience. I understand that this is not a limitation of the google-auth library itself, but rather something that is not supported by the Google Auth API, but still, I don't understand what the root cause for this is.

In my use case, I would want to build an API server (exposed via Cloud Endpoints with OIDC authentication) and a CLI tool that interacts with this server. Currently, I can't simply use google.auth.default() in the CLI, because this wouldn't give me the ID Token with the expected audience.

Can someone give me some leads as to what I am doing wrong? Thank you!

romanwozniak avatar Jul 28 '22 03:07 romanwozniak
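The audience mismatch the thread describes (a token that is otherwise valid but minted for the wrong aud, as reported for the id_token_credentials.py workaround) can be confirmed by decoding the token's claims, and the same iss/aud/exp check is what the API server in the Cloud Endpoints use case has to enforce before trusting a request. This is an added example, not code from the issue or from google-auth: it is stdlib-only, builds a constructed demo token with a placeholder signature, and therefore inspects claims without verifying the signature; a real server still verifies the RS256 signature (e.g. with google.oauth2.id_token.verify_oauth2_token) before acting on the claims.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_demo_id_token(audience, issued_at, lifetime=3600):
    """Build a CONSTRUCTED JWT shaped like a Google ID token.
    The signature segment is a placeholder; real tokens are RS256-signed by Google."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-key-id"}
    payload = {
        "iss": "https://accounts.google.com",
        "aud": audience,          # string, or a list as RFC 7519 permits
        "sub": "demo-subject",
        "iat": issued_at,
        "exp": issued_at + lifetime,
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"placeholder-signature"),
    ])

def decode_claims(id_token):
    """Return the payload claims WITHOUT verifying the signature (diagnosis only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_problem(claims, expected_audience, now):
    """Return None if iss/aud/exp are acceptable for this server, else the reason.
    'now' is a Unix timestamp so the check is deterministic and testable."""
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        return "unexpected issuer %r" % claims.get("iss")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return "audience %r does not match expected %r" % (aud, expected_audience)
    if now >= claims.get("exp", 0):
        return "token expired"
    return None
```

Running decode_claims on a real token obtained via the workaround shows which aud it was actually minted for, which is the quickest way to see why the Endpoints-protected server rejects it.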