Use id_token instead of access token when service account credential is used #414

Closed
guillaumeblaquiere opened this issue Apr 3, 2020 · 2 comments

@guillaumeblaquiere

Environment details

  • OS: N/A
  • Java version: 11
  • google-auth-library-java version(s): 0.20.0

Steps to reproduce

  1. Deploy a Cloud Run or a Function in private mode (with param --no-allow-authenticated)
  2. Create a service account with the authorization to call the Cloud Run or the Function
  3. Generate a key on the service account (here key.json)
  4. Adapt and run this code
        String myUri = "https://...."; // URL of Cloud Run or Cloud Function

        Credentials credentials = ServiceAccountCredentials
                .fromStream(resourceLoader.getResource("classpath:./key.json")
                        .getInputStream()).createScoped("https://www.googleapis.com/auth/cloud-platform");

        // An ID token for the service URL is requested here, but it is never attached to the request below.
        String token = ((IdTokenProvider)credentials).idTokenWithAudience(myUri, Collections.EMPTY_LIST).getTokenValue();

        // The adapter is built from the service account credentials themselves, so the request carries an access token.
        HttpRequestFactory factory = new NetHttpTransport().createRequestFactory(new HttpCredentialsAdapter(credentials));
        HttpRequest request = factory.buildGetRequest(new GenericUrl(myUri));
        HttpResponse httpResponse = request.execute();
        System.out.println(CharStreams.toString(new InputStreamReader(httpResponse.getContent(), Charsets.UTF_8)));

Stacktrace

I get a 401: unauthorized

Any additional information below

OS is N/A because it is independent. It doesn't work on Windows 10, nor on Linux or in the Cloud Run environment.

Same behavior if you use the default credential (locally or on GCP)

Credentials credentials = GoogleCredentials.getApplicationDefault().createScoped("https://www.googleapis.com/auth/cloud-platform");

Possible relation or missing implementation of #303

Thanks!

@chingor13
Contributor

chingor13 commented Apr 3, 2020

If you want to force using an id token created from an IdTokenProvider credential type like ServiceAccountCredentials, wrap it with an IdTokenCredentials.

ServiceAccountCredentials credentials =  ServiceAccountCredentials
                .fromStream(resourceLoader.getResource("classpath:./key.json")
                        .getInputStream()).createScoped("https://www.googleapis.com/auth/cloud-platform");

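// wrap with IdTokenCredentials
// targetAudience: the URL of the Cloud Run service or Function being called (myUri in the issue's snippet)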
IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
     .setIdTokenProvider(credentials)
     .setTargetAudience(targetAudience).build();

HttpRequestFactory factory = new NetHttpTransport().createRequestFactory(new HttpCredentialsAdapter(idTokenCredentials));
HttpRequest request = factory.buildGetRequest(new GenericUrl(myUri));
HttpResponse httpResponse = request.execute();
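
Added example, not part of the thread or of google-auth-library-java: a client-side diagnostic for the 401 discussed above, which tells an opaque access token from an ID token (a JWT) and checks that the JWT's `aud` claim is the URL being called. The class name, the `whyRejected` helper, the sample URLs and both tokens are constructed for illustration; the signature is not verified here, that remains the receiving service's job.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BearerTokenCheck {
    // Pulls out a string-valued "aud" claim; enough for a diagnostic, not a JSON parser.
    private static final Pattern AUD = Pattern.compile("\"aud\"\\s*:\\s*\"([^\"]*)\"");

    /** Returns null when the token is a JWT whose aud equals expectedAudience, else the reason. */
    static String whyRejected(String token, String expectedAudience) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            return "not a JWT: looks like an OAuth2 access token, not an id_token";
        }
        String payload;
        try {
            payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "payload segment is not base64url";
        }
        Matcher m = AUD.matcher(payload);
        if (!m.find()) {
            return "JWT has no string aud claim";
        }
        if (!m.group(1).equals(expectedAudience)) {
            return "aud is " + m.group(1) + ", expected " + expectedAudience;
        }
        return null; // shape and audience are right; signature and expiry are not checked here
    }

    private static String b64(String s) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String service = "https://service.example.invalid"; // constructed audience
        // Constructed tokens: placeholder signature, and an opaque string standing in for an access token.
        String idToken = b64("{\"alg\":\"RS256\"}") + "."
                + b64("{\"aud\":\"" + service + "\",\"iss\":\"https://accounts.google.com\"}") + ".sig";
        String accessToken = "ya29.constructed-opaque-value";
        System.out.println(whyRejected(idToken, service));
        System.out.println(whyRejected(accessToken, service));
        System.out.println(whyRejected(idToken, "https://other.example.invalid"));
    }
}
```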

@guillaumeblaquiere
Author

Thanks. You can close my PR #417 if useless.

@yoshi-automation yoshi-automation added triage me I really want to be triaged. 🚨 This issue needs some love. labels Apr 7, 2020