
Create and verify Google OIDC tokens

Open salrashid123 opened this issue 5 years ago • 8 comments

FR to provide an API to create and verify Google OIDC tokens.

These id_tokens are based on service account type flows (service_account.json, compute engine, impersonated credentials) and can be used to invoke user services behind Cloud Run, Cloud Functions and behind IAP.

GCP services like nodejs and google-auth-python currently support an API to generate these tokens if given a service account credential or on compute engine.

If it helps, here are mostly raw implementations:

Suggested interface would be:

  • Create .getGoogleIdToken(audience)

  • Verify .verifyIdToken(token, audience, cert_url)

salrashid123 · Jun 18 '19 01:06

I assume "OIDC" stands for OpenID Connect? It is unlikely that this would get prioritized. This repository is for the client libraries for Google services, which AFAIK do not use OIDC. We wouldn't write a client library for a user service hosted on GCP (with whatever authentication they decide to use). And we are not writing a general-purpose authentication library.

I am going to keep this open for a while in case I missed something, and close it unless I hear of a good reason why we should do this.

coryan · Jun 18 '19 12:06

A great intro to these and how they could be useful is here:

https://medium.com/google-cloud/authenticating-using-google-openid-connect-tokens-e7675051213b

Note that we now have an API to create these via the IAM credentials service:

https://github.com/googleapis/google-cloud-cpp/blob/67f0ddcdb83bc47198fcdd6a504f18ca471cab8c/google/cloud/iam/iam_credentials_client.gcpcxx.pb.h#L128

coryan · Apr 02 '21 22:04

Still need this.

devjgm · Mar 10 '22 19:03

@devjgm just to understand, there are several ways to get a google_id token from Google credentials (at least in other google-auth language libraries).

Which mode(s) are you looking at for this?

  • from a service account JSON file (or generally, with a private key)
  • from the GCP metadata server
  • from iamcredentials api and self-impersonation (mentioned in a previous comment)
  • from workload identity federation based credentials (which actually involves the iamcredentials ultimately ref)

It's of course possible to generate an id_token on your own, but it's really much better to source it from a known Google credential (meaning +1 for this request).

salrashid123 · Mar 10 '22 22:03

I'm not sure of the details. But we were revisiting old issues, closing some and keeping some open. I just commented on this one indicating that we didn't want to close it.

devjgm · Mar 10 '22 22:03

For ref, here's a basic (read: I don't really know C++) standalone Google ID token generator for the first two scenarios described above.

salrashid123 · Mar 16 '22 13:03

Reviewing old feature requests, still wanted, but cannot allocate time right now.

coryan · Aug 11 '22 18:08

@hitesh-kumain if you are interested, consider sending a PR to fix part of this bug. It would be useful to have a way to validate OIDC tokens, as such code can be used in Cloud Run C++ services.

Make sure you do not introduce new dependencies. There are some (very nice) examples in this bug, but dependency management in C++ is difficult, and adding new dependencies requires much deliberation. In this case, all we need should already be there.

Once you send a PR I will assign the bug to you. Do not worry, nobody is likely to start on this for the next few weeks.

coryan · Sep 12 '22 23:09
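As an added example (not code from google-cloud-cpp or from any poster in this thread), here is the verification half of the requested interface, the `.verifyIdToken(token, audience, cert_url)` step, worked through in Go: check the RS256 signature against the key selected by `kid`, and only then check issuer, audience and expiry. A locally generated RSA key and a constructed payload stand in for Google's signer and its published JWKS, so it runs offline; `SignToken`, `VerifyIDToken` and the kid/audience values are names chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// Claims holds the ID-token fields a Cloud Run service must check (JSON keys match case-insensitively).
type Claims struct{ Iss, Aud, Email string; Exp int64 }

// SignToken builds an RS256 JWT over a constructed payload; it stands in for Google's signer so
// the example runs offline. In production the token arrives from Google, never from local code.
func SignToken(priv *rsa.PrivateKey, kid string, payload []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// VerifyIDToken checks the signature (RS256 only, key chosen by kid), then issuer, audience and
// expiry. keys maps kid -> public key, i.e. what Google's published JWKS provides; now is Unix time.
func VerifyIDToken(token, audience string, keys map[string]*rsa.PublicKey, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("token must have three segments") }
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil { return nil, errors.New("malformed header") }
	key, ok := keys[hdr.Kid] // reject alg confusion ("none", HS256) and unknown signing keys
	if hdr.Alg != "RS256" || !ok { return nil, errors.New("unsupported alg or unknown kid") }
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil { return nil, errors.New("signature verification failed") }
	var c Claims // the payload is trusted only after the signature has checked out
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil { return nil, errors.New("malformed payload") }
	if c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com" { return nil, errors.New("unexpected issuer") }
	if c.Aud != audience { return nil, errors.New("audience mismatch") }
	if now >= c.Exp { return nil, errors.New("token expired") }
	return &c, nil
}
```

A real deployment fetches the key set from the cert_url in the proposed interface and caches it by kid; the claim checks are the same.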

Realistically we do not have time to work on this for the foreseeable future. Closing for now.

coryan · Feb 15 '23 19:02