Skip to content

Try to use OIDC token from metadata server as first option#1787

Closed
joehan wants to merge 3 commits intomasterfrom
jh-metadata
Closed

Try to use OIDC token from metadata server as first option#1787
joehan wants to merge 3 commits intomasterfrom
jh-metadata

Conversation

@joehan
Copy link
Member

@joehan joehan commented Jun 28, 2022

Taking a crack at switching the Tasks code to use ID tokens from the Metadata

@joehan joehan requested a review from lahirumaramba June 28, 2022 18:00
@joehan
Copy link
Member Author

joehan commented Jun 28, 2022

Apologies for the build issues on this - wanted to get something in front of you before i spent time polishing this

lahirumaramba
lahirumaramba requested changes Jun 28, 2022
View reviewed changes
Copy link
Member

@lahirumaramba lahirumaramba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @joehan ! Added a few comments.

src/app/credential-internal.ts Outdated
// NOTE: the Google Metadata Service uses HTTP over a vlan
const GOOGLE_METADATA_SERVICE_HOST = 'metadata.google.internal';
const GOOGLE_METADATA_SERVICE_TOKEN_PATH = '/computeMetadata/v1/instance/service-accounts/default/token';
const GOOGLE_METADATA_SERVICE_IDENTITY_PATH = '/computeMetadata/v1/instance/service-accounts/default/token';
Copy link
Member

@lahirumaramba lahirumaramba Jun 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks identical to GOOGLE_METADATA_SERVICE_TOKEN_PATH. I think we want to replace default with the service account email. http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${saEmail}/identity?audience=${audience}

Copy link
Member Author

@joehan joehan Jun 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahhhh, this was a typo - it should be /identity, not /token

src/functions/functions-api-client-internal.ts
: await this.getUrl(resources, FIREBASE_FUNCTION_URL_FORMAT);
task.httpRequest.url = functionUrl;
try {
const idToken = await this.app.options.credential.getIDToken(functionUrl)
Copy link
Member

@lahirumaramba lahirumaramba Jun 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think for Extensions use-case we still need a way to pass the service account. Please ignore if you plan to address that in a separate PR.

Copy link
Member Author

@joehan joehan Jun 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out that within Cloud Functions, default/ is just an alias for whatever service account the function is running as. For extensions, this is the service account we'd want to pass in anyways

joehan
joehan commented Jun 28, 2022
View reviewed changes
src/app/credential.ts
* @param audience The URL this token will be used to call.
* @returns A base64 encoded OIDC token.
*/
getIDToken(audience: string): Promise<string>;
Copy link
Member Author

@joehan joehan Jun 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It ok to add to this interface? or is this a public interface/would require a API review?

@joehan
Copy link
Member Author

joehan commented Jul 14, 2022

Closing in favor of #1812

@joehan joehan closed this Jul 14, 2022
@lahirumaramba lahirumaramba deleted the jh-metadata branch February 18, 2026 19:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lahirumaramba lahirumaramba lahirumaramba requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@joehan @lahirumaramba