feat: Missing full payload in identity token from GCECredentials

Open Januznl opened this issue 2 years ago • 2 comments

Is your feature request related to a problem? Please describe.

We are missing the email of the authorized party when we decode the identity token on Cloud Run in PHP.

At this moment the PHP implementation of the GCECredential class is missing the full payload param on the identity token metadata server request. This is already in place in other SDKs like the Python SDK:

https://github.com/googleapis/google-auth-library-python/blob/9cd67425e95faab15e57b258a70506b02bccb799/google/auth/compute_engine/credentials.py#L391

Describe the solution you'd like

My suggestion would be to add the param format=full for requests going to v1/instance/service-accounts/default/identity

Januznl, Jan 23 '24 14:01

Hello! Thank you for your suggestion.

We can add format=full to the GCECredentials request to get the ID Token, but I am not sure how the extra payload would be used / consumed by our customers. Also, which claim specifically are you looking for?

bshaffer, Feb 26 '24 15:02

We are missing the field "email" which holds the service account which generated the token. This allows us to identify which service is calling our Cloud Run app. The Cloud Run app uses this service account email to apply in-app permissions.

Januznl, Feb 29 '24 14:02
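As an added illustration (not code from the issue or from google-auth-library-php), the request the thread is asking for and what the consuming side does with it: the metadata-server identity endpoint is called with format=full so the payload carries email and email_verified, and the receiver reads the email claim only after checking email_verified. The audience and service-account values below are constructed, and the decode step does not verify the signature; a service that applies in-app permissions from the email claim must first validate the token's signature, issuer and audience against Google's published keys.

```python
import base64
import json
import urllib.parse
import urllib.request

# The metadata server endpoint named in the issue (relative to computeMetadata/v1).
METADATA_IDENTITY_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")


def identity_token_url(audience, full=True):
    """Build the identity-token URL; format=full is what adds the email claims."""
    params = {"audience": audience}
    if full:
        params["format"] = "full"
    return METADATA_IDENTITY_URL + "?" + urllib.parse.urlencode(params)


def fetch_identity_token(audience):
    """Ask the metadata server for an ID token (only works on GCE / Cloud Run)."""
    req = urllib.request.Request(identity_token_url(audience),
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def decode_payload(token):
    """Decode the JWT payload without verifying it; for inspection only.
    A receiving service must verify signature, issuer and audience first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def caller_email(token):
    """Return the caller's service-account email, or None if the token lacks a
    verified email claim (i.e. it was not requested with format=full)."""
    claims = decode_payload(token)
    if claims.get("email_verified") is not True:
        return None
    return claims.get("email")


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed, unsigned sample token with a full-format payload (example values).
SAMPLE_FULL_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"aud": "https://example-service.a.run.app",
                        "iss": "https://accounts.google.com",
                        "email": "caller-sa@example-project.iam.gserviceaccount.com",
                        "email_verified": True}).encode()),
    "signature-placeholder"])
```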