puppetlabs / vault-plugin-secrets-oauthapp

OAuth 2.0 secrets plugin for HashiCorp Vault supporting a variety of grant types
Apache License 2.0

id_token with google provider not oidc #47

Closed sourcesoft closed 3 years ago

sourcesoft commented 3 years ago

Use Case

I tried to use the regular google provider with https://www.googleapis.com/auth/gmail.readonly and https://www.googleapis.com/auth/userinfo.email scopes which should give me id_token too. However when using Vault, vault read only returns the access_token not any data from the extra_data.id_token. Is there a way to get this info for other providers without using the oidc provider type? Or maybe this is possible with the current code or with a small modification to basic.go file?

Describe the Solution You Would Like

vault read */google*/creds/123 could return something like

Key             Value
---             -----
access_token    ya29.a...
expire_time     2021-04-19T12:18:07.017419Z
type            Bearer
id_token        ey.....                        // new field maybe

Thank you

sourcesoft commented 3 years ago

I added my POC solution here https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/pull/48

impl commented 3 years ago

Hi @sourcesoft,

Thanks for opening this! It looks like Google actually provides the required .well-known/openid-configuration document (https://accounts.google.com/.well-known/openid-configuration) to upgrade to the OpenID provider on our side. If we made this change, we would accept the other provider options for OpenID, so you could write something like:

$ vault write google/config \
    provider=google \
    provider_options=extra_data_fields=id_token,id_token_claims

This would add the openid scope to requests, but I believe that scope is a subset of the userinfo.email scope anyway. Would that work for you?
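Whatever reads the id_token / id_token_claims that the OpenID path returns should still validate the standard claims (iss, aud, exp, iat, email_verified) before acting on them. The block below is an added Python example, not code from the plugin or from anyone in this thread. The token layout, the kid, the signature placeholder and the client ID are constructed; the exp value is chosen to match the expire_time in the sample output above.

```python
"""Decode and validate the claims of a Google ID token such as the one the
plugin would return in extra_data. Added example; not plugin code."""
import base64
import json
import time

# Google publishes both forms of its issuer in real tokens.
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

# Constructed sample claims. exp == 2021-04-19T12:18:07Z, the expire_time in
# the sample 'vault read' output; iat is one hour earlier. The client ID is
# a hypothetical placeholder.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "1234567890",
    "email": "user@example.com",
    "email_verified": True,
    "iat": 1618831087,
    "exp": 1618834687,
}


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict, alg: str = "RS256") -> str:
    """Build a constructed header.payload.signature string for testing.
    The signature is a placeholder, not a real RS256 signature."""
    header = {"alg": alg, "kid": "constructed-kid", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


def decode_id_token(token: str) -> dict:
    """Split the compact JWT and return its claim set.

    Signature verification is deliberately not done here: Vault receives the
    token directly from the token endpoint over TLS, which OpenID Connect
    Core 3.1.3.7 allows in place of a signature check. A consumer that gets
    the token second-hand must verify it against the provider's jwks_uri
    from the .well-known/openid-configuration document instead."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token: expected three segments")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg", "none").lower() == "none":
        raise ValueError("unsigned id_token (alg=none) rejected")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, client_id: str, now: float = None, leeway: int = 60) -> list:
    """Return the names of claims that fail validation (empty list == OK)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud")
    if "exp" not in claims or now > claims["exp"] + leeway:
        problems.append("exp")
    if "iat" in claims and claims["iat"] > now + leeway:
        problems.append("iat")
    # Only trust the email for authorization decisions if Google verified it.
    if not claims.get("email_verified", False):
        problems.append("email_verified")
    return problems


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    claims = decode_id_token(token)
    print("problems:", validate_claims(claims, CLIENT_ID, now=1618834000))
```

Pass the real client ID from the google/config entry as client_id; the leeway covers modest clock skew between Vault and the consumer, and the returned list names every failing claim so a log line can say why a token was rejected.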

impl commented 3 years ago

You can try #53 to see if it gets you what you need. Let me know if not and we can work through it. Otherwise, I'll plan on merging it in a couple of days.

impl commented 3 years ago

I went ahead and merged that change, so this functionality will be part of the next release. Thanks for your feedback! Feel free to reopen this issue or create a new one if you need anything else.