googleapis/google-auth-library-php

feat: Missing full payload in identity token from GCECredentials

Opened this issue · 2 comments

Is your feature request related to a problem? Please describe.
We are missing the email of the authorized party when we decode the identity token on Cloud Run in PHP.

At this moment the PHP implementation of the GCECredentials class is missing the full payload param on the identity token metadata server request. This is already in place in other SDKs like the Python SDK:

https://github.com/googleapis/google-auth-library-python/blob/9cd67425e95faab15e57b258a70506b02bccb799/google/auth/compute_engine/credentials.py#L391

Describe the solution you'd like
My suggestion would be to add the param format=full for requests going to v1/instance/service-accounts/default/identity.

Hello! Thank you for your suggestion.

We can add format=full to the GCECredentials request to get the ID Token, but I am not sure how the extra payload would be used / consumed by our customers. Also, which claim specifically are you looking for?

We are missing the field "email" which holds the service account which generated the token. This allows us to identify which service is calling our Cloud Run app. The Cloud Run app uses this service account email to apply in-app permissions.
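The request and claim this thread describes, as an added PHP example that is not code from google-auth-library-php or from either participant: the metadata-server identity request carries format=full, and the receiving service reads the email claim only from a token it has validated. The audience and service-account values are constructed, and the sample token is an unsigned stand-in for demonstration.

```php
<?php
// Added example, not code from google-auth-library-php: request the identity token
// with format=full and read the email claim. Audience/service-account values are constructed.
const IDENTITY_URL = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity';
function identityTokenUrl(string $audience, bool $fullPayload = true): string
{
    $query = ['audience' => $audience];
    if ($fullPayload) {
        $query['format'] = 'full'; // the parameter this issue asks GCECredentials to send
    }
    return IDENTITY_URL . '?' . http_build_query($query);
}
function fetchIdentityToken(string $audience): string
{
    // The metadata server rejects requests that lack the Metadata-Flavor header.
    $ctx = stream_context_create(['http' => ['header' => "Metadata-Flavor: Google\r\n"]]);
    $jwt = file_get_contents(identityTokenUrl($audience), false, $ctx);
    if ($jwt === false) {
        throw new RuntimeException('metadata server request failed');
    }
    return $jwt;
}
function base64UrlDecode(string $s): string
{
    $padded = strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode($padded, true) ?: throw new InvalidArgumentException('invalid base64url');
}
// Reads the payload claims only and does NOT verify the signature: the receiving
// Cloud Run service must validate the token (signature, iss, aud, exp), e.g. with
// the library's AccessToken::verify(), before using email for in-app permissions.
function decodeClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWT');
    }
    $claims = json_decode(base64UrlDecode($parts[1]), true);
    return is_array($claims) ? $claims : throw new InvalidArgumentException('payload is not a JSON object');
}
// email and email_verified appear only in tokens minted with format=full.
function callerEmail(array $claims): ?string
{
    return ($claims['email_verified'] ?? false) === true ? ($claims['email'] ?? null) : null;
}

// Constructed, unsigned stand-in for a format=full token (demo input only).
$payload = ['aud' => 'https://my-service.a.run.app', 'email' => 'caller@example.iam.gserviceaccount.com', 'email_verified' => true];
$sample = 'hdr.' . rtrim(strtr(base64_encode(json_encode($payload)), '+/', '-_'), '=') . '.sig';
var_dump(callerEmail(decodeClaims($sample)));
```

On a real GCE or Cloud Run instance, replace the constructed token with the result of fetchIdentityToken(); off-instance the metadata host is unreachable and the function throws.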