fix(auth): use iap aud for gce metadata server #646

Merged
merged 3 commits into from
Oct 11, 2023

jonathan-johnston
Contributor

Summary

The official documentation is wrong on this; we need to fetch the ID token from the GCE metadata server using the typical audience value instead of the URI as stated here:
https://cloud.google.com/docs/authentication/get-id-token#metadata-server

@jonathan-johnston jonathan-johnston requested review from TheKevJames and a team as code owners October 11, 2023 14:57
@jonathan-johnston jonathan-johnston requested review from eddiedialpad, aherrada-dialpad and juanamari94 and removed request for a team October 11, 2023 14:57
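
Added example, not part of this pull request or the project's code: a standard-library sketch of requesting an ID token from the GCE metadata server for a chosen audience, plus a diagnostic that compares a token's `aud` claim with the value IAP expects. It assumes the "typical audience value" is the OAuth client ID configured for the IAP-protected resource; the function names and the sample token builder are constructed for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

# GCE metadata server identity endpoint for the instance's default service account.
METADATA_IDENTITY_URL = (
    'http://metadata.google.internal/computeMetadata/v1/'
    'instance/service-accounts/default/identity'
)


def build_identity_request(audience):
    """Build the metadata server request for an ID token minted for `audience`."""
    query = urllib.parse.urlencode({'audience': audience})
    return urllib.request.Request(
        f'{METADATA_IDENTITY_URL}?{query}',
        headers={'Metadata-Flavor': 'Google'},  # required by the metadata server
    )


def fetch_id_token(audience, timeout=5.0):
    """Fetch the token; only resolves when run on a GCE instance."""
    req = build_identity_request(audience)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def unverified_claims(id_token):
    """Decode the JWT payload without checking the signature (diagnostics only)."""
    parts = id_token.split('.')
    if len(parts) != 3:
        raise ValueError('not a compact JWT')
    payload = parts[1] + '=' * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(id_token, expected_audience):
    """True if the token's aud claim (string or list) contains the expected value."""
    aud = unverified_claims(id_token).get('aud')
    return expected_audience in (aud if isinstance(aud, list) else [aud])


def make_sample_token(aud):
    """Constructed, unsigned token for offline checks; not a real credential."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b'=').decode()
    return '.'.join([enc({'alg': 'none'}), enc({'aud': aud}), 'sig'])
```

`audience_matches` is a troubleshooting aid for a token that is being rejected; it does not replace signature and claim validation on the receiving side.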
Member

@TheKevJames TheKevJames left a comment

Aha! I know it was weird that the GCE Metadata option had the special case :P

Makes sense, overall, though I'm still a bit confused as to why Juan's code is working on staging..

@jonathan-johnston
Contributor Author

@TheKevJames I believe that was actually a different use case, using the user auth method with SA impersonation. I reproduced the failure in staging with the metadata server ID token fetch, so at least it should fail consistently.

Contributor

@shaundialpad shaundialpad left a comment

classic GOOG

@jonathan-johnston jonathan-johnston merged commit 862585c into master Oct 11, 2023
@jonathan-johnston jonathan-johnston deleted the jonjon/iap-aud-for-metadata-server branch October 11, 2023 15:43