Comments (14)
@krishandley Yes, that sounds right. Those claims will be passed to individual GenServers managed by Goth.
from goth.
This is currently not possible, we're missing the ability to pass the `target_audience` parameter when generating the JWT token. See #58. If you'd like to explore this further and send a PR, it will be very appreciated but we don't have plans to add it ourselves at the moment. Thanks!
from goth.
Thank you for a quick reply. If I go for a PR, should I start with v1.3.0?
from goth.
yeah, please open against the master branch which will become 1.3.0.
from goth.
@wojtekmach I've looked at the codebase and my suggestion would be to introduce the `claims` override/extends to the source config, which would require the `sub` option to be replaced with `claims: %{"sub" => "[email protected]"}`, i.e.
```elixir
Goth.start_link(name: MyApp.Goth, source: {:service_account, credentials, [sub: "[email protected]"]})
```
will become
```elixir
Goth.start_link(name: MyApp.Goth, source: {:service_account, credentials, [claims: %{"sub" => "[email protected]"}]})
```
Then they will be merged in JWT.
Let me know if you foresee any issues with that approach. Otherwise I will build a PR. Thank you.
Regards,
Pavel.
from goth.
sounds good! Btw, I just pushed an update to docs so make sure you pull before you work on a patch.
from goth.
@wojtekmach Any estimates on merging #102?
from goth.
from goth.
To sum up: As I figured out, even though Google docs ask for a `target_audience` param to generate cloud function invocation token, it works fine if I submit cloud function URL as a `scope` instead. Therefore it's possible to get a token ID for cloud function with `v1.3.0` and PR #102. The config looks like this: `%{source: {:service_account, credentials, scopes: [cloud_function_url]}}`
from goth.
@wojtekmach PR #102 and a little trick around `scope` vs `target_audience` allow getting a cloud function invocation token. However there is still room for improvement. Should I go for my previous proposal to add `claims` in a source config (`{:service_account, credentials, [sub: "[email protected]"]}` => `{:service_account, credentials, [claims: %{"sub" => "[email protected]"}]}`)? That should address all possible edge cases if one needed.
from goth.
Yeah a more general solution is definitely welcome. Please remember to revert parts of the previous PR if they no longer make sense.
from goth.
Sorry to bother you, just writing this in case you happen to know. This did work initially when I had one function.
Maybe I'm doing something wrong, but it doesn't seem to work if you have two functions. Adding multiple function URLs to the scopes breaks all of them.
I can add Goth multiple times with different IDs to my supervision tree, I don't know if that's a terrible idea or not, but it works.
from goth.
@krishandley since #102 has been merged in master maybe try the `master` branch with the `claims` approach? I do not remember it off the top of my head, but try something like:
```elixir
Goth.start_link(
  name: MyApp.Goth,
  source: {
    :service_account,
    credentials,
    [
      claims: %{
        "sub" => "[email protected]",
        "target_audience" => "URL HERE"
      }
    ]
  }
)
```
from goth.
@paveltyk Thanks for the quick reply. I missed the updated docs for `Goth.Token` on master.
I wasn't able to figure out the config for multiple functions inside `start_link`. But calling this before calling a function worked, without needing the claims in the config.
```elixir
Goth.Token.fetch(%{
  source: {:service_account, credentials, [
    claims: %{"target_audience" => function_url}
  ]}
})
```
from goth.
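The two approaches from the last comments (several Goth servers in one supervision tree, and the `claims` option carrying `target_audience`) can be combined so that each function gets its own cached token. This is an added example, not code from the thread or from the Goth project; `MyApp.FunctionTokens`, the placeholder URLs and the naming scheme are hypothetical, and `credentials` is assumed to be the decoded service-account JSON map.

```elixir
defmodule MyApp.FunctionTokens do
  @moduledoc """
  Added example: one Goth server per Cloud Function URL. Each server mints and
  refreshes a token whose "target_audience" claim is that single URL, so a
  token obtained for one function is never sent to another.
  """

  # Placeholder URLs (constructed for illustration).
  @function_urls [
    "https://REGION-PROJECT.cloudfunctions.net/function-a",
    "https://REGION-PROJECT.cloudfunctions.net/function-b"
  ]

  @doc "Child specs for a supervision tree, one Goth server per audience."
  def child_specs(credentials, urls \\ @function_urls) do
    for url <- urls do
      source =
        {:service_account, credentials, [claims: %{"target_audience" => url}]}

      # Several Goth children under one supervisor need distinct child ids
      # in addition to distinct :name values.
      Supervisor.child_spec(
        {Goth, name: server_name(url), source: source},
        id: server_name(url)
      )
    end
  end

  @doc "Returns `{:ok, header}` for calling `url`, or Goth's error tuple."
  def auth_header(url) do
    with {:ok, %Goth.Token{token: token}} <- Goth.fetch(server_name(url)) do
      {:ok, {"authorization", "Bearer " <> token}}
    end
  end

  # Goth registers servers under an arbitrary term, so the URL can be part
  # of the name.
  defp server_name(url), do: {__MODULE__, url}
end
```

Add `MyApp.FunctionTokens.child_specs(credentials)` to the application's children list, then call `auth_header/1` with the function URL before each request.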