
Can not generate ID Token #248

Closed
h-michael opened this issue Mar 29, 2024 · 1 comment · Fixed by #249
Comments

@h-michael
Contributor

I tried to generate an ID Token from a service account for accessing an endpoint protected by IAP with the following code.

let audience = "AUDIENCE";
let creds = CredentialsFile::new_from_file("PATH TO SERVICE ACCOUNT JSON").await?;
let ts = google_cloud_auth::idtoken::IdTokenSourceConfig::new()
    .with_credentials(creds)
    .build(audience)
    .await?;

match ts.token().await {
    Ok(token) => Ok(token),
    Err(err) => Err(err.into()),
}

But I got JwtError(Error(InvalidAudience)).

I generated an ID token with this bash script and I can pass IAP with that ID token.
The two ID tokens generated from the Rust script and the bash script were the same token.

I found the cause. That error happens on this line.

jsonwebtoken::decode::<ExpClaim>(self.id_token.as_str(), &decoding_key, &validation)?

This get_exp function calls jsonwebtoken::Validation::default().

let mut validation = jsonwebtoken::Validation::default();

The jsonwebtoken::Validation::default function calls the jsonwebtoken::Validation::new function.
https://github.com/Keats/jsonwebtoken/blob/08601f727bea94b61e8d98901b63e43ae1bce350/src/validation.rs#L141

The jsonwebtoken::Validation::new function sets jsonwebtoken::Validation.validate_aud to true and jsonwebtoken::Validation.aud to None.
https://github.com/Keats/jsonwebtoken/blob/08601f727bea94b61e8d98901b63e43ae1bce350/src/validation.rs#L98-L104

So the get_exp function always takes this branch.
https://github.com/Keats/jsonwebtoken/blob/08601f727bea94b61e8d98901b63e43ae1bce350/src/validation.rs#L289-L291

I think there are two options to resolve this issue.

  1. set jsonwebtoken::Validation.aud to expected audience
  2. set jsonwebtoken::Validation.validate_aud as false

Which do you think is better?

Thank you.

@yoshidan
Owner

yoshidan commented Apr 9, 2024

Thanks for your report!

  1. set jsonwebtoken::Validation.aud to expected audience

Since the expected Audience should be a valid one, we think this is the better choice.
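The audience check the report traces, and why the maintainer's preferred fix (option 1) is the safer of the two, as an added Rust example. It is not the project's or the jsonwebtoken crate's code: it models only the two Validation fields the issue is about, and the audience strings are constructed.

```rust
use std::collections::HashSet;

// Model of the two jsonwebtoken::Validation fields discussed in the issue (not the crate itself).
#[derive(Debug, Clone)]
struct Validation {
    validate_aud: bool,
    aud: Option<HashSet<String>>,
}

impl Validation {
    // Mirrors the default described in the issue: audience is validated, but no expected value is set.
    fn new() -> Self {
        Validation { validate_aud: true, aud: None }
    }
    // Option 1 from the issue: pin the expected audience.
    fn with_audience(mut self, audiences: &[&str]) -> Self {
        self.aud = Some(audiences.iter().map(|s| s.to_string()).collect());
        self
    }
    // Option 2 from the issue: switch the audience check off entirely.
    fn without_aud_check(mut self) -> Self {
        self.validate_aud = false;
        self
    }
}

#[derive(Debug, PartialEq)]
enum ErrorKind { InvalidAudience }

// An ID token's aud claim may be a single string or an array; both are kept as a Vec here.
struct Claims { aud: Option<Vec<String>> }

// The branch the issue points at: with validate_aud on, a token that carries an aud claim
// needs a configured expected set that contains it, otherwise InvalidAudience.
// (A token with no aud claim is out of scope for the issue and is accepted by this model.)
fn validate_aud(claims: &Claims, v: &Validation) -> Result<(), ErrorKind> {
    if !v.validate_aud {
        return Ok(());
    }
    match (&claims.aud, &v.aud) {
        (Some(token_aud), Some(expected)) if token_aud.iter().any(|a| expected.contains(a)) => Ok(()),
        (Some(_), _) => Err(ErrorKind::InvalidAudience), // covers the aud: None default from the issue
        (None, _) => Ok(()),
    }
}

fn main() {
    let iap = Claims { aud: Some(vec!["AUDIENCE".into()]) };            // constructed IAP audience
    let foreign = Claims { aud: Some(vec!["some-other-service".into()]) }; // constructed other audience
    println!("default:               {:?}", validate_aud(&iap, &Validation::new()));
    println!("option 1, own token:   {:?}", validate_aud(&iap, &Validation::new().with_audience(&["AUDIENCE"])));
    println!("option 1, other token: {:?}", validate_aud(&foreign, &Validation::new().with_audience(&["AUDIENCE"])));
    println!("option 2, other token: {:?}", validate_aud(&foreign, &Validation::new().without_aud_check()));
}
```

The last line is the reason option 2 is weaker: with validate_aud off, a token minted for a different audience is accepted just as readily as the right one.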

h-michael added a commit to h-michael/google-cloud-rust that referenced this issue Apr 11, 2024
jsonwebtoken validates audience as the default validation rule. But audience
is not set. So set "target_audience" in the claim as the expected audience.

target_audience:
https://cloud.google.com/iap/docs/authentication-howto?hl=ja#bash

See for more details:
yoshidan#248
yoshidan pushed a commit that referenced this issue Apr 12, 2024
…en (#249)

jsonwebtoken validates audience as the default validation rule. But audience
is not set. So set "target_audience" in the claim as the expected audience.

target_audience:
https://cloud.google.com/iap/docs/authentication-howto?hl=ja#bash

See for more details:
#248