Comments (4)
My mistake, looks like it does work on a newly created demo service in GCR....
Our existing had this set:
But this begs the question, how does it work if the audience is wrong?
Is Cloud Run not verifying the audience?
So creating an id_token with IamCredentials.GenerateIdToken and setting the audience to "demo", it does fail with 401.
This means it must be verifying the audience value somehow, but then why is the ADC token allowed through?
Checking against https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=... for sanity and I get:
```json
{
  "issued_to": "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com",
  "audience": "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com",
  "user_id": "...",
  "expires_in": 1743,
  "email": "[email protected]",
  "email_verified": true,
  "issuer": "https://accounts.google.com",
  "issued_at": 1645198558
}
```
So, I'm confused.... Am I fundamentally misunderstanding something about how the tokens work, or is an audience of 764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com whitelisted somehow, allowing you to use the token returned from the ADC creds as basically unscoped (can access any Cloud Run service)?
I can only assume the latter point about it being whitelisted somewhere is true, as using this method with IAP protected services fails with:
Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com) doesn't match expected value (....-....apps.googleusercontent.com))
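The thread turns on one question: does the receiving service check that the token's `aud` claim names that service, or does it accept a token minted for the gcloud OAuth client ID? The example below is added here and is not code from cloud-run-proxy or from the commenter. It shows the audience check a backend should apply to a Google ID token: the `aud` must equal the service's own URL (or, as an explicit allowlist decision, another named value), with `iss` and `exp` checked alongside. It assumes signature verification against Google's public keys has already happened upstream, so it decodes the payload only; `serviceURL` is a constructed placeholder, the sample tokens are constructed and unsigned, and the client-ID audience value is the one observed in the tokeninfo response above.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// audience handles the "aud" claim, which may be a string or an array of strings.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or array of strings: %w", err)
	}
	*a = audience(many)
	return nil
}

// idTokenClaims is the subset of claims needed for the audience check.
type idTokenClaims struct {
	Iss   string   `json:"iss"`
	Aud   audience `json:"aud"`
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
}

// decodePayload extracts the claims of a compact JWT without checking the signature.
// ASSUMPTION: signature verification happened upstream; this only reads the claims.
func decodePayload(token string) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c idTokenClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not a JSON claim set: %w", err)
	}
	return &c, nil
}

// ErrAudienceMismatch is returned when the token was minted for a different audience.
var ErrAudienceMismatch = errors.New("aud claim does not match this service")

// CheckIDToken enforces issuer, expiry and audience. A token whose aud is an OAuth
// client ID (like the ADC token in the thread) is rejected unless the caller
// explicitly lists that client ID in extraAllowed.
func CheckIDToken(token, serviceURL string, extraAllowed []string, now time.Time) error {
	c, err := decodePayload(token)
	if err != nil {
		return err
	}
	if c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com" {
		return fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if now.Unix() >= c.Exp {
		return errors.New("token expired")
	}
	allowed := append([]string{serviceURL}, extraAllowed...)
	for _, aud := range c.Aud {
		for _, ok := range allowed {
			if aud == ok {
				return nil
			}
		}
	}
	return fmt.Errorf("%w: got %v, expected one of %v", ErrAudienceMismatch, []string(c.Aud), allowed)
}

// makeUnsignedToken builds a constructed, unsigned JWT for the demo (sample data only).
func makeUnsignedToken(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	sig := base64.RawURLEncoding.EncodeToString([]byte("sig-placeholder"))
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "." + sig
}

// gcloudClientID is the aud value observed in the thread's tokeninfo response.
const gcloudClientID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com"

// serviceURL is a constructed placeholder for a Cloud Run service URL.
const serviceURL = "https://demo-service-placeholder.a.run.app"

func main() {
	now := time.Unix(1645198558, 0) // issued_at from the tokeninfo response above
	exp := now.Add(30 * time.Minute).Unix()
	iss := "https://accounts.google.com"
	cases := map[string]string{
		"minted for this service":   makeUnsignedToken(map[string]interface{}{"iss": iss, "aud": serviceURL, "exp": exp}),
		"minted with aud=demo":      makeUnsignedToken(map[string]interface{}{"iss": iss, "aud": "demo", "exp": exp}),
		"ADC token (client-id aud)": makeUnsignedToken(map[string]interface{}{"iss": iss, "aud": gcloudClientID, "exp": exp}),
	}
	for name, tok := range cases {
		fmt.Printf("%-26s strict: %v\n", name, CheckIDToken(tok, serviceURL, nil, now))
	}
	// Only an explicit allowlist of the client ID lets the ADC-style token through.
	fmt.Println("ADC token, client ID allowlisted:",
		CheckIDToken(cases["ADC token (client-id aud)"], serviceURL, []string{gcloudClientID}, now))
}
```

With a strict check, both the `aud=demo` token and the client-ID token fail the same way; the client-ID token is accepted only when the service deliberately allowlists that value, which makes the trust decision visible in configuration rather than implicit in the platform.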
Hey @iamacarpet - I responded to your query on the alpha testers list, so I'm going to go ahead and close this out.