
Access token for Cloud Function about goth HOT 14 CLOSED

paveltyk commented on September 26, 2024
Access token for Cloud Function

from goth.

Comments (14)

paveltyk commented on September 26, 2024

@krishandley Yes, that sounds right. Those claims will be passed to individual GenServers managed by Goth.

wojtekmach commented on September 26, 2024

This is currently not possible, we're missing the ability to pass the target_audience parameter when generating the JWT token. See #58. If you'd like to explore this further and send a PR, it will be very appreciated, but we don't have plans to add it ourselves at the moment. Thanks!

paveltyk commented on September 26, 2024

Thank you for the quick reply. If I go for a PR, should I start with v1.3.0?

wojtekmach commented on September 26, 2024

yeah, please open against the master branch which will become 1.3.0.

paveltyk commented on September 26, 2024

@wojtekmach I've looked at the codebase and my suggestion would be to introduce the claims override/extends to the source config, which would require replacing the sub option with claims: %{"sub" => "[email protected]"}, i.e. Goth.start_link(name: MyApp.Goth, source: {:service_account, credentials, [sub: "[email protected]"]}) will become Goth.start_link(name: MyApp.Goth, source: {:service_account, credentials, [claims: %{"sub" => "[email protected]"}]}).

Then they will be merged into the JWT.

Let me know if you foresee any issues with that approach. Otherwise I will build a PR. Thank you.

Regards,
Pavel.

wojtekmach commented on September 26, 2024

sounds good! Btw, I just pushed an update to docs so make sure you pull before you work on a patch.

paveltyk commented on September 26, 2024

@wojtekmach Any estimates on merging #102?

wojtekmach commented on September 26, 2024

paveltyk commented on September 26, 2024

To sum up: as I figured out, even though the Google docs ask for a target_audience param to generate a cloud function invocation token, it works fine if I submit the cloud function URL as a scope instead. Therefore it's possible to get a token ID for a cloud function with v1.3.0 and PR #102. The config looks like this: %{source: {:service_account, credentials, scopes: [cloud_function_url]}}

paveltyk commented on September 26, 2024

@wojtekmach PR #102 and a little trick around scope vs target_audience allow getting a cloud function invocation token. However, there is still room for improvement. Should I go for my previous proposal to add claims in the source config ({:service_account, credentials, [sub: "[email protected]"]} => {:service_account, credentials, [claims: %{"sub" => "[email protected]"}]})? That should address all possible edge cases if needed.

wojtekmach commented on September 26, 2024

Yeah a more general solution is definitely welcome. Please remember to revert parts of the previous PR if they no longer make sense.

krishandley commented on September 26, 2024

Sorry to bother you, just writing this in case you happen to know. This did work initially when I had one function.

Maybe I'm doing something wrong, but it doesn't seem to work if you have two functions. Adding multiple function URLs to the scopes breaks all of them.

I can add Goth multiple times with different IDs to my supervision tree, I don't know if that's a terrible idea or not, but it works.

paveltyk commented on September 26, 2024

@krishandley since #102 has been merged into master, maybe try the master branch with the claims approach? I do not remember it off the top of my head, but try something like:

Goth.start_link(
  name: MyApp.Goth,
  source: {
    :service_account,
    credentials,
    [
      claims: %{
        "sub" => "[email protected]",
        "target_audience" => "URL HERE"
      }
    ]
  }
)

krishandley commented on September 26, 2024

@paveltyk Thanks for the quick reply. I missed the updated docs for Goth.Token on master.

I wasn't able to figure out the config for multiple functions inside start_link. But calling this before calling a function worked, without needing the claims in the config.

Goth.Token.fetch(%{
  source: {:service_account, credentials, [
    claims: %{"target_audience" => function_url}
  ]}
})
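
The thread mentions two things that worked: running several Goth instances in the supervision tree, and the `claims: %{"target_audience" => ...}` source option. The following added example, which is not code from the goth project or from the commenters, combines them so that each function gets its own token bound to its own audience. `MyApp.FunctionTokens`, the `:billing`/`:reports` keys and the URLs are hypothetical, and it assumes the `claims` option behaves in a supervised `Goth` the same way it does in the `Goth.Token.fetch/1` call above.

```elixir
# Added example; MyApp.*, the function keys and the URLs are placeholders.
defmodule MyApp.FunctionTokens do
  use Supervisor

  # One audience per function (constructed sample values).
  @functions %{
    billing: "https://REGION-PROJECT.cloudfunctions.net/billing",
    reports: "https://REGION-PROJECT.cloudfunctions.net/reports"
  }

  def start_link(credentials) do
    Supervisor.start_link(__MODULE__, credentials, name: __MODULE__)
  end

  @impl true
  def init(credentials) do
    children =
      for {key, url} <- @functions do
        # Each instance requests a token for exactly one target_audience.
        source = {:service_account, credentials, [claims: %{"target_audience" => url}]}
        # Distinct child ids are needed when the same module is supervised more than once.
        Supervisor.child_spec({Goth, name: goth_name(key), source: source}, id: goth_name(key))
      end

    Supervisor.init(children, strategy: :one_for_one)
  end

  # Returns {:ok, {url, headers}} for a known function, {:error, reason} otherwise.
  def request_parts(key) do
    with {:ok, url} <- Map.fetch(@functions, key),
         {:ok, %Goth.Token{type: type, token: token}} <- Goth.fetch(goth_name(key)) do
      {:ok, {url, [{"authorization", "#{type} #{token}"}]}}
    else
      :error -> {:error, {:unknown_function, key}}
      {:error, reason} -> {:error, reason}
    end
  end

  defp goth_name(key), do: Module.concat(__MODULE__, key)
end
```

Because `request_parts/1` returns the URL together with the header built from that URL's own Goth instance, a token minted for one function is never attached to a request for another.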
