google-cloud-rust

Support domain wide delegation

Open maxammann opened this issue 7 months ago • 2 comments

Is your feature request related to a problem? Please describe.
I want to generate authentication headers and use Google Workspace domain wide delegation.

Describe the solution you'd like
Allow setting "sub" to a custom value: https://github.com/googleapis/google-cloud-rust/blob/847a924abf9ac12c49b312e599a0a214f9215295/src/auth/src/credentials/service_account.rs#L375

maxammann, May 20 '25 14:05

Thank you for raising this request.

I looked into this and found that Domain Wide Delegation is supported only when a token is obtained through oauth2.googleapis.com. DWD is not supported in a self-signed JWT. When I try adding the sub claim to a self-signed JWT and use it in a request that expects DWD, I get a 401, whereas a token obtained through oauth2.googleapis.com works for the same service account.

In the Rust auth library, we support only self-signed JWTs. I will investigate this internally and update here.

sai-sunder-s, May 22 '25 00:05
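
The difference described in the comment above, as an added example (not code from google-cloud-rust or from either commenter): the claim set of a self-signed JWT next to the JWT-bearer assertion that is exchanged at oauth2.googleapis.com for a delegated token. The function names, service account, user, and scope values are constructed for illustration, and RS256 signing is left out.

```rust
// Added illustration, not google-cloud-rust code. Claim sets are built unsigned;
// a real client signs them with RS256 using the service account's private key.
const TOKEN_URI: &str = "https://oauth2.googleapis.com/token";
const JWT_BEARER: &str = "urn:ietf:params:oauth:grant-type:jwt-bearer";
const LIFETIME_SECS: u64 = 3600;

/// Minimal JSON string escaping for the values interpolated below.
fn esc(s: &str) -> String {
    s.replace('\\', "\\\\").replace('"', "\\\"")
}

/// Self-signed JWT: presented directly to the API, so `aud` is the API
/// endpoint and `sub` is the service account itself.
fn self_signed_claims(sa: &str, api_aud: &str, iat: u64) -> String {
    format!(
        r#"{{"iss":"{}","sub":"{}","aud":"{}","iat":{},"exp":{}}}"#,
        esc(sa), esc(sa), esc(api_aud), iat, iat + LIFETIME_SECS
    )
}

/// JWT-bearer assertion for domain-wide delegation: `aud` is the token
/// endpoint, `scope` is required, and `sub` names the impersonated user.
fn delegation_claims(sa: &str, user: &str, scopes: &[&str], iat: u64) -> String {
    let scope = scopes.join(" ");
    format!(
        r#"{{"iss":"{}","sub":"{}","scope":"{}","aud":"{}","iat":{},"exp":{}}}"#,
        esc(sa), esc(user), esc(&scope), TOKEN_URI, iat, iat + LIFETIME_SECS
    )
}

/// Percent-encode a value for an application/x-www-form-urlencoded body.
fn form_encode(s: &str) -> String {
    s.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

/// Body POSTed to TOKEN_URI; `signed_jwt` is the RS256-signed assertion.
fn token_request_body(signed_jwt: &str) -> String {
    format!("grant_type={}&assertion={}", form_encode(JWT_BEARER), form_encode(signed_jwt))
}

fn main() {
    let sa = "svc@example-project.iam.gserviceaccount.com"; // constructed sample
    let scopes = ["https://www.googleapis.com/auth/gmail.readonly"];
    println!("{}", self_signed_claims(sa, "https://pubsub.googleapis.com/", 1_700_000_000));
    println!("{}", delegation_claims(sa, "user@example.com", &scopes, 1_700_000_000));
    println!("POST {}\n{}", TOKEN_URI, token_request_body("<header>.<claims>.<signature>"));
}
```

The delegated `sub` is honoured only for scopes that a Workspace administrator has authorized for the service account's client ID, so the `scopes` list is the place to enforce least privilege.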

If relevant, I can post some example code showing how to make this work with service accounts in Python or other Rust libraries.

    let auth = yup_oauth2::ServiceAccountAuthenticator::builder(client_secret)
        .subject("some email")
        .build()
        .await?;

maxammann, May 22 '25 10:05