Id tokens support for Google Credentials #12135
Comments
steeve
changed the title
gregestren
added
team-OSS
steeve
changed the title
|
The implementation is fairly easy, although blocked by googleapis/google-auth-library-java#469 |
|
All in all, the core is pretty simple to turn an access token into an id token: creds = IdTokenCredentials.newBuilder()
.setIdTokenProvider((IdTokenProvider)creds)
.setTargetAudience(url)
.build();Note that because of googleapis/google-auth-library-java#469, this doesn't work for The issue is in the target audience, which must be that of the service. So I'm torn. I think the best way forward is to make Also, I have added the following flag to bazel: @Option(
name = "google_credentials_use_idtoken",
defaultValue = "false",
documentationCategory = OptionDocumentationCategory.UNCATEGORIZED,
effectTags = {OptionEffectTag.UNKNOWN},
help =
"Whether to use Google credentials in with an ID Token instead of an Access Token"
+ " See https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id for details. Disabled by default."
)
public boolean googleCredentialsUseIdToken; |
|
Also, the issue is that some services only support Id Tokens (IAP, Cloud Run, Cloud Functions) whereas other support Access Tokens, so I think there's a UX issue here in that the auth type may need to be provided by service... |
|
Technically, Google Run services can implement whatever authentication they want. You are not required to use id tokens. Also see: https://cloud.google.com/run/docs/authenticating/end-users |
|
Thank you for your response. Unfortunately services who validate tokens themselves only accept ID tokens, not Access tokens (AFAICT). If I could validate an Access token, indeed the problem would solve itself! Right now I'm sort of hacking it together via a #!/bin/bash
if [[ "${1}" == "build" ]]; then
id_token=$(gcloud auth print-identity-token)
exec ${BAZEL_REAL} ${1} "--remote_header=Authorization=Bearer ${id_token}" ${@:2}
fi
exec ${BAZEL_REAL} ${@} |
|
I stand corrected, apparently access tokens can be verified using the Indeed though, that solves my problem for now, I'll just patch bazel-remote to support this. However, since Google Cloud is apparently moving to these tokens, it may be worthwhile anyhow, once googleapis/google-auth-library-java#469 is merged and released. |
|
Instead of |
|
Oh nice. I'll guess I'll use |
philwo
added
P2
|
Ran across this issue using IAP in a Beyond Corp style environment. As far as I can tell, IAP require an id token -- meaning the work around is to validate the credentials and use the method noted in #12135 (comment). It's non-ideal. support for id tokens would be handy! (Mind you, I could be wrong about IAP. The documentation assumes that one already knows how exactly how everything works.) |
|
For the record, |
|
More context for this, I ended up using a wrapper. I'll open a PR for IdToken support now that it's supported. |
|
Thank you for contributing to the Bazel repository! This issue has been marked as stale since it has not had any activity in the last 1+ years. It will be closed in the next 14 days unless any other activity occurs or one of the following labels is added: "not stale", "awaiting-bazeler". Please reach out to the triage team ( |
github-actions
bot
added
the
stale
|
This issue has been automatically closed due to inactivity. If you're still interested in pursuing this, please reach out to the triage team ( |
Description of the problem / feature request:
Provide support for Id token based
--google_flags.Feature requests: what underlying problem are you trying to solve with this feature?
I am running a Bazel cache on Cloud Run.
Cloud Run only support IdToken/JWT based authentication, while Bazel passes a OAuth2 Access token.
This feature request would allow Bazel to use an IdToken instead.
I'm working on a PoC.
What operating system are you running Bazel on?
macOS
What's the output of
bazel info release?Have you found anything relevant by searching the web?
No
The text was updated successfully, but these errors were encountered: