I tried to generate an ID token from a service account for accessing the endpoint protected by IAP with the following code.

```rust
let audience = "AUDIENCE";
let creds = CredentialsFile::new_from_file("PATH TO SERVICE ACCOUNT JSON").await?;
let ts = google_cloud_auth::idtoken::IdTokenSourceConfig::new()
    .with_credentials(creds)
    .build(audience)
    .await?;
match ts.token().await {
    Ok(token) => Ok(token),
    Err(err) => Err(err.into()),
}
```

But I got `JwtError(Error(InvalidAudience))`.

I generated an ID token with this bash script, and I can pass IAP with that ID token.
The two ID tokens generated from the Rust script and the bash script were the same token.

I found the cause. That error happens at this line.
https://github.com/yoshidan/google-cloud-rust/blob/0ab379e04857fbc1e09086d7f703a5806759fa7a/foundation/auth/src/token_source/mod.rs#L74

This `get_exp` function calls `jsonwebtoken::Validation::default()`.
https://github.com/yoshidan/google-cloud-rust/blob/0ab379e04857fbc1e09086d7f703a5806759fa7a/foundation/auth/src/token_source/mod.rs#L70

The `jsonwebtoken::Validation::default` function calls the `jsonwebtoken::Validation::new` function.
https://github.com/Keats/jsonwebtoken/blob/08601f727bea94b61e8d98901b63e43ae1bce350/src/validation.rs#L141

The `jsonwebtoken::Validation::new` function sets `jsonwebtoken::Validation.validate_aud` to `true` and `jsonwebtoken::Validation.aud` to `None`.
https://github.com/Keats/jsonwebtoken/blob/08601f727bea94b61e8d98901b63e43ae1bce350/src/validation.rs#L98-L104

So the `get_exp` function always passes this branch.
https://github.com/Keats/jsonwebtoken/blob/08601f727bea94b61e8d98901b63e43ae1bce350/src/validation.rs#L289-L291

I think there are two options to resolve this issue.

- `jsonwebtoken::Validation.aud` to expected audience
- `jsonwebtoken::Validation.validate_aud` as `false`

Which do you think is better?
Thank you.
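
An added example, not part of the original issue and not jsonwebtoken's own code: a simplified Rust model of the audience check described above, comparing the default settings with the two proposed options. The type `AudValidation`, its methods and the sample audience strings are hypothetical.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
enum CheckError {
    InvalidAudience,
}

// Hypothetical stand-in for the two `Validation` fields named in the issue.
struct AudValidation {
    validate_aud: bool,
    aud: Option<HashSet<String>>,
}

impl AudValidation {
    // The state the issue describes after `Validation::new`: check on, no audience set.
    fn library_default() -> Self {
        AudValidation { validate_aud: true, aud: None }
    }
    // Option 1 from the issue: pin the audience the caller expects.
    fn expecting(audience: &str) -> Self {
        let set = HashSet::from([audience.to_string()]);
        AudValidation { validate_aud: true, aud: Some(set) }
    }
    // Option 2 from the issue: switch the audience check off.
    fn audience_unchecked() -> Self {
        AudValidation { validate_aud: false, aud: None }
    }
    // `token_aud` is the `aud` claim carried by the ID token.
    fn check(&self, token_aud: &str) -> Result<(), CheckError> {
        if !self.validate_aud {
            return Ok(());
        }
        match &self.aud {
            // Check enabled but nothing to compare against: the failing branch.
            None => Err(CheckError::InvalidAudience),
            Some(expected) if expected.contains(token_aud) => Ok(()),
            Some(_) => Err(CheckError::InvalidAudience),
        }
    }
}

fn main() {
    let iap = "constructed-iap-client-id"; // constructed sample audience
    let other = "constructed-other-audience"; // constructed sample audience
    println!("default:  {:?}", AudValidation::library_default().check(iap));
    println!("option 1: {:?}", AudValidation::expecting(iap).check(iap));
    println!("option 1: {:?}", AudValidation::expecting(iap).check(other));
    println!("option 2: {:?}", AudValidation::audience_unchecked().check(other));
}
```

In this model, option 2 also accepts a token issued for a different audience, while option 1 still rejects it.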