GoogleCloudPlatform / cloud-run-proxy

Local proxy for authenticating requests to Cloud Run
Apache License 2.0

Forbidden with Application Default Credentials #10

Closed iamacarpet closed 2 years ago

iamacarpet commented 2 years ago

Hello,

This isn't working for me when using only ADC

I just get "Forbidden".

I tried this patch:

diff --git a/main.go b/main.go
index 8577665..41ddc8c 100644
--- a/main.go
+++ b/main.go
@@ -280,6 +280,8 @@ func (s *idTokenFromDefaultTokenSource) Token() (*oauth2.Token, error) {
                return nil, fmt.Errorf("missing id_token")
        }

+       fmt.Println(idToken)
+
        return &oauth2.Token{
                AccessToken: idToken,
                Expiry:      token.Expiry,
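Review bot: the added `fmt.Println(idToken)` writes a live, bearer-usable ID token to stdout, so anything that captures the proxy's output (terminal scrollback, shell history, CI logs) now holds a valid credential until `token.Expiry`. For a debugging patch, decode the payload and print only the `aud` claim (or a truncated form of the token), and drop the line before it reaches a shared branch.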

And when it outputs the token it is trying to use, when decoded, the aud value (audience) is:

764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com

I believe this is the client_id for the gcloud tool itself?

But it doesn't look like Cloud Run is accepting that token.

I've checked and my colleagues can replicate.

Regards, iamacarpet

iamacarpet commented 2 years ago

My mistake, looks like it does work on a newly created demo service in GCR....

Our existing one had this set:

(screenshot attached)

But this begs the question, how does it work if the audience is wrong?

Is Cloud Run not verifying the audience?

iamacarpet commented 2 years ago

So creating an id_token with IamCredentials.GenerateIdToken and setting the audience to "demo", it does fail with 401.

This means it must be verifying the audience value somehow, but then why is the ADC token allowed through?

Checking against https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=... for sanity and I get:

{
  "issued_to": "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com",
  "audience": "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com",
  "user_id": "...",
  "expires_in": 1743,
  "email": "...@....com",
  "email_verified": true,
  "issuer": "https://accounts.google.com",
  "issued_at": 1645198558
}

So, I'm confused.... Am I fundamentally misunderstanding something about how the tokens work, or is an audience of 764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com whitelisted somehow, allowing you to use the token returned from the ADC creds as basically unscoped (can access any Cloud Run service)?

iamacarpet commented 2 years ago

I can only assume the latter point about it being whitelisted somewhere is true, as using this method with IAP protected services fails with:

Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com) doesn't match expected value (....-....apps.googleusercontent.com))
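As an added illustration of the audience question raised in the two comments above (this is example code, not the project's own code nor the reporter's patch), the check a verifier is expected to perform before accepting an ID token: parse the `aud` claim and compare it with the audience the service expects. The token and the service URL are constructed here, and the function deliberately skips signature verification, which a real verifier must do first.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// audienceMatches decodes a compact JWT's payload and reports whether its aud
// claim (string or string array, per RFC 7519) contains expected. It does NOT
// verify the signature: check signature, issuer and expiry before trusting it.
func audienceMatches(idToken, expected string) (bool, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("not a compact JWS: got %d parts, want 3", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return false, fmt.Errorf("decoding payload: %w", err)
	}
	var c struct{ Aud interface{} `json:"aud"` }
	if err := json.Unmarshal(payload, &c); err != nil {
		return false, fmt.Errorf("parsing claims: %w", err)
	}
	switch aud := c.Aud.(type) {
	case string:
		return aud == expected, nil
	case []interface{}:
		for _, a := range aud {
			if s, ok := a.(string); ok && s == expected {
				return true, nil
			}
		}
		return false, nil
	default:
		return false, fmt.Errorf("aud claim is %T, want string or array", c.Aud)
	}
}

// unsignedToken builds a constructed, unsigned JWT (alg=none) for this demo only.
func unsignedToken(payload string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none"}`)) + "." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + "."
}

func main() {
	// Constructed token whose aud is the gcloud client ID quoted in the issue; the service URL is assumed.
	tok := unsignedToken(`{"aud":"764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com"}`)
	fmt.Println(audienceMatches(tok, "https://demo-service.example.run.app")) // false <nil>
}
```

A service that enforces this check rejects the ADC token in the issue, since its `aud` is the gcloud client ID rather than the service's own URL.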

sethvargo commented 2 years ago

Hey @iamacarpet - I responded to your query on the alpha testers list, so I'm going to go ahead and close this out.