Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Try to use OIDC token from metadata server as first option #1787

Closed
wants to merge 3 commits into from
Closed

Try to use OIDC token from metadata server as first option #1787

wants to merge 3 commits into from

Conversation

joehan
Copy link
Collaborator

@joehan joehan commented Jun 28, 2022

Taking a crack at switching the Tasks code to use ID tokens from the Metadata

@joehan joehan requested a review from lahirumaramba June 28, 2022 18:00
@joehan
Copy link
Collaborator Author

joehan commented Jun 28, 2022

Apologies for the build issues on this - wanted to get something in front of you before i spent time polishing this

lahirumaramba
lahirumaramba requested changes Jun 28, 2022
View reviewed changes
Copy link
Member

@lahirumaramba lahirumaramba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @joehan ! Added a few comments.

src/app/credential-internal.ts Outdated
@@ -32,6 +32,7 @@ const GOOGLE_AUTH_TOKEN_PATH = '/o/oauth2/token';
// NOTE: the Google Metadata Service uses HTTP over a vlan
const GOOGLE_METADATA_SERVICE_HOST = 'metadata.google.internal';
const GOOGLE_METADATA_SERVICE_TOKEN_PATH = '/computeMetadata/v1/instance/service-accounts/default/token';
const GOOGLE_METADATA_SERVICE_IDENTITY_PATH = '/computeMetadata/v1/instance/service-accounts/default/token';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks identical to GOOGLE_METADATA_SERVICE_TOKEN_PATH. I think we want to replace default with the service account email. http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${saEmail}/identity?audience=${audience}

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahhhh, this was a typo - it should be /identity, not /token

src/functions/functions-api-client-internal.ts
: await this.getUrl(resources, FIREBASE_FUNCTION_URL_FORMAT);
task.httpRequest.url = functionUrl;
try {
const idToken = await this.app.options.credential.getIDToken(functionUrl)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think for Extensions use-case we still need a way to pass the service account. Please ignore if you plan to address that in a separate PR.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out that within Cloud Functions, default/ is just an alias for whatever service account the function is running as. For extensions, this is the service account we'd want to pass in anyways

joehan
joehan commented Jun 28, 2022
View reviewed changes
src/app/credential.ts
* @param audience The URL this token will be used to call.
* @returns A base64 encoded OIDC token.
*/
getIDToken(audience: string): Promise<string>;
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It ok to add to this interface? or is this a public interface/would require a API review?

@joehan
Copy link
Collaborator Author

joehan commented Jul 14, 2022

Closing in favor of #1812

@joehan joehan closed this Jul 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lahirumaramba lahirumaramba lahirumaramba requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@joehan @lahirumaramba