google / oauth2l

oauth2l ("oauth tool") is a simple CLI for interacting with Google API authentication.
Apache License 2.0

Support id_token for JWT path #123

Open gfrankliu opened 3 years ago

gfrankliu commented 3 years ago

I tried to generate an id_token to test Google Cloud Run, but

oauth2l fetch --type=jwt  --audience="https://hello-my-cloud-run.a.run.app" --credentials=$HOME/Documents/my-service-account-private-key.json --output_format=json
{
  "access_token": ".......",
  "expiry": "2021-07-28T01:07:05.242408872-07:00",
  "token_type": "Bearer"
}

It only outputs the access_token, but no id_token.

I tried this token in curl against my Cloud Run URL and got an error:

< www-authenticate: Bearer error="invalid_token" error_description="The access token could not be verified"

andyrzhao commented 3 years ago

Hi @gfrankliu, can you see if this is the same issue as https://github.com/google/oauth2l/issues/119? If so, it should have been fixed in release 1.2.1, and you could try again with the updated binary. Thanks!

gfrankliu commented 3 years ago

Yesterday I tried both the prebuilt binary from https://storage.googleapis.com/oauth2l/latest/linux_amd64.tgz and a build from the latest source (master). Same results.

andyrzhao commented 3 years ago

Discussed with @gfrankliu offline and came up with the following findings:

  1. oauth2l currently only supports retrieving id_token for the 3LO path (client id credentials) & openid scopes. The id_token that @gfrankliu is looking for is JWT based (using service account credentials) and is supported by the gcloud tool https://medium.com/google-cloud/easily-generate-google-signed-id-token-with-token-generator-d25b7e235f2e. This is a feature gap for oauth2l. We will use this issue to track this feature support.
  2. There are some bugs with id_token caching that will be fixed by PR #124