Skip to content

feat: experimental service account iam endpoint flow for id token #1258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
arithmetic1728 merged 6 commits into from
Mar 28, 2023
Merged

feat: experimental service account iam endpoint flow for id token #1258

arithmetic1728 merged 6 commits into from
Mar 28, 2023

Conversation

@arithmetic1728
Copy link
Contributor

@arithmetic1728 arithmetic1728 commented Mar 24, 2023
edited
Loading

For service account credentials, implement a new ID token flow which uses iam.generateIdToken endpoint. This feature is currently experimental since iam endpoint doesn't support setAzpToEmail option yet. The ID token generated by this new flow will have a different azp claim (it uses id instead of email)

Design doc: go/googleapis-auth-id-token-iam-for-tpc

Example usage:

from google.oauth2 import service_account
import google.auth.transport.requests

cred = service_account.IDTokenCredentials.from_service_account_file(
    '/usr/local/google/home/sijunliu/wks/creds/nondca/srv.json',
    target_audience = "https://pubsub.googleapis.com",
)

# Trigger IAM endpoint flow.
# Note this feature is still experimental since setAzpToEmail is
# not supported yet
cred = cred._with_use_iam_endpoint(True)
req = google.auth.transport.requests.Request()

cred.refresh(req)
print(cred.token)

@arithmetic1728 arithmetic1728 marked this pull request as ready for review March 27, 2023 21:59
@arithmetic1728 arithmetic1728 requested review from a team as code owners March 27, 2023 21:59
clundin25
clundin25 reviewed Mar 28, 2023
View reviewed changes
clundin25
clundin25 reviewed Mar 28, 2023
View reviewed changes
@arithmetic1728 arithmetic1728 merged commit 8ff0de5 into main Mar 28, 2023
@arithmetic1728 arithmetic1728 deleted the id_token_jwt branch March 28, 2023 18:59
@release-please release-please bot mentioned this pull request Mar 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wangyutongg wangyutongg Awaiting requested review from wangyutongg

1 more reviewer

@clundin25 clundin25 clundin25 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arithmetic1728 @clundin25