
Generating an id_token from a UserCredential #1803

Closed
flagbug opened this issue Mar 19, 2021 · 5 comments
Assignees
Labels
type: question Request for information or clarification. Not an issue.

Comments


flagbug commented Mar 19, 2021

I'd like to generate an id_token that I can use to call an authenticated Google Cloud Run service with this library. I'd like to use the Application Default Credentials for this, so developers can run the exact same code locally on their machine, as well as on Compute engine.

The code I came up with is the following:

```csharp
using Google.Apis.Auth.OAuth2;

// Application Default Credentials: the developer's user credential locally, ComputeCredential on GCE.
GoogleCredential credential = await GoogleCredential.GetApplicationDefaultAsync();
// Ask for an ID token whose audience is the Cloud Run service URL.
var token = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("https://%URL_PLACEHOLDER%.run.app"));
// The token string goes into the Authorization: Bearer header.
string bearerToken = await token.GetAccessTokenAsync();
```

Unfortunately this breaks down with `System.InvalidOperationException: UnderlyingCredential is not an OIDC token provider. Only ServiceAccountCredential, ComputeCredential are supported OIDC token providers.` at `GetOidcTokenAsync`.

Optimally I'd like to strongly avoid having every developer download a service account key file locally on their machine and rather just have them run `gcloud auth application-default login` to save their own credentials.

Is this something that's supposed to work with this library? If not, is there a better way to achieve this, rather than generating and downloading a service account key?

@amanda-tarafa amanda-tarafa self-assigned this Mar 19, 2021
@amanda-tarafa amanda-tarafa added the type: question Request for information or clarification. Not an issue. label Mar 19, 2021
@amanda-tarafa
Contributor

UserCredential does not support OIDC token emission. Currently the only way to access IAP secured resources using the .NET libraries (and all other language libraries, if I remember correctly) is with a service account or with the Compute default credentials (which includes App Engine, Cloud Run, etc.).

You can authenticate individual users but it's rather a manual step, and you would need different code for dev than for prod.

I will flag this issue internally to the Auth team so that we can explore the possibilities of supporting this use case better. But, even if the decision is made to add this support, it will probably be across libraries for all languages, so it will take some time to plan and actually execute.

I'm sorry I cannot give you a better answer.

@flagbug
Author

flagbug commented Mar 22, 2021

Thank you for the super fast answer @amanda-tarafa! That's a bit unfortunate to hear and it would be awesome if it would just work™, but I guess the simple workaround is to use a separate service account per developer for now. I'll close this issue as my question has been answered 🙌

@flagbug flagbug closed this as completed Mar 22, 2021
@amanda-tarafa
Contributor

amanda-tarafa commented Apr 14, 2021

We have received an internal request to support this use case as well. (FYI @matejr)

I did flag this issue to the Auth team a couple of weeks ago, but I forgot to add it to our own backlog. I'll be doing so shortly. Still no guarantees that this will get done sooner or later.

amanda-tarafa added a commit to amanda-tarafa/google-api-dotnet-client that referenced this issue Apr 14, 2021
amanda-tarafa added a commit to amanda-tarafa/google-api-dotnet-client that referenced this issue Apr 14, 2021
amanda-tarafa added a commit that referenced this issue Apr 14, 2021
@amanda-tarafa
Contributor

@flagbug, @matejr, we are working on #1838, which addresses #1312 by adding support for impersonated credentials. It's not exactly the use case requested by this issue, but it might help you. Given a UserCredential, you will be able to impersonate a ServiceAccountCredential, and the resulting impersonated credential will support OIDC tokens.
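The impersonation path described in the comment above, written out as an added example (not code from the issue or from the library's own docs). It assumes the `GoogleCredential.Impersonate` / `ImpersonatedCredential.Initializer` API that #1838 introduces, and the service account email and audience URL are constructed placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;

// Added example: mint an ID token for a Cloud Run audience from Application Default
// Credentials by impersonating a service account, so no key file is downloaded.
// Assumes the Impersonate API from #1838 (an assumption, not confirmed by this thread).
public static class CloudRunIdToken
{
    // Constructed placeholders, not values from the issue.
    private const string TargetServiceAccount = "run-invoker@my-project.iam.gserviceaccount.com";
    private const string TargetAudience = "https://%URL_PLACEHOLDER%.run.app";

    public static async Task<string> GetIdTokenAsync()
    {
        // Locally: the developer's own UserCredential saved by
        // `gcloud auth application-default login`. On GCE/Cloud Run: ComputeCredential.
        GoogleCredential adc = await GoogleCredential.GetApplicationDefaultAsync();

        // Impersonate the service account that is allowed to invoke the service.
        // The caller needs roles/iam.serviceAccountTokenCreator on that account;
        // the impersonated credential is an OIDC token provider, unlike UserCredential.
        GoogleCredential impersonated = adc.Impersonate(
            new ImpersonatedCredential.Initializer(TargetServiceAccount)
            {
                // Keep the impersonated access token short-lived.
                Lifetime = TimeSpan.FromMinutes(5),
            });

        // Audience is the service URL, so the ID token carries a directed aud claim
        // instead of the static gcloud client id a user-based identity token has.
        OidcToken token = await impersonated.GetOidcTokenAsync(
            OidcTokenOptions.FromTargetAudience(TargetAudience));

        // Send this as "Authorization: Bearer <token>" to the Cloud Run service.
        return await token.GetAccessTokenAsync();
    }
}
```

Each developer's user identity is still what authorises the impersonation call, so access can be granted and revoked per person on the service account's IAM policy.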

@salrashid123

Cloud Run and GCF allow for UserCredential's id_tokens as auth, but that's a bit of a misuse of those tokens in the first place (e.g., the token from `gcloud auth print-identity-token`, if based on a user, embeds a static `aud:` value which just happens to be accepted by those services; the aud client id is actually for the gcloud CLI...).

The correct approach here would be to use the directed `aud:` value, which you can acquire via a couple of steps through service account impersonation.

Reference in Go:
googleapis/google-api-go-client#927 (comment)
