Is it possible to exchange a self-signed JWT (generated with this library) for a Google-signed ID token? (as described in the official Google docs)
It is possible to use this plugin to create a signed JWT starting from a GCP (Google Cloud Platform) service account. The CreateSignedAsymmetricTokenWithPemKey server action must be used, passing as PrivateKey and Issuer respectively the private_key and client_email present in the service-account JSON; as Algorithm, RS256; as KeyId and PrivateKeyPassword, any text value; as Audience, "https://oauth2.googleapis.com/token"; and as Expiration, the current datetime plus one hour.
The generated JWT can then be exchanged for an ACCESS TOKEN or an IDENTITY TOKEN by sending a POST request to "https://www.googleapis.com/oauth2/v4/token".
To obtain an IDENTITY TOKEN, a target_audience must be specified in the Claims:
To obtain an ACCESS TOKEN, a scope must be specified in the Claims:
As a reference, I have also included the Python code that was useful to me in figuring out the solution:
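The whole procedure from the answer above (self-signed RS256 assertion with the claims listed, then the POST that exchanges it), as an added Python example that is neither the plugin's code nor the poster's own script. It uses the `cryptography` package for RS256 signing and verification (assumed installed), a freshly generated key pair in place of a real service-account JSON (constructed inline), and https://oauth2.googleapis.com/token both as audience and as POST target, which is the address Google's docs give today; the answer's www.googleapis.com/oauth2/v4/token is the older address for the same endpoint. The function names (`build_claims`, `build_assertion`, `rs256_signer`, `verify_rs256`, `exchange_request`) are this example's own. The network call is left out so the script runs offline; it returns the request you would send.

```python
"""Self-signed service-account JWT and the Google token-endpoint exchange.

Added example for this thread (not the plugin's code). The JWT layout and
the exchange request use only the standard library; RS256 signing and
verification go through the `cryptography` package (assumed installed).
"""
import base64
import json
import time
import urllib.parse
import urllib.request

# Audience of the assertion and the endpoint it is POSTed to.
TOKEN_URL = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """JWT segments are base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalize_pem(private_key: str) -> str:
    """private_key copied out of the JSON file often still carries the
    two-character sequence backslash-n; turn it into real line breaks and
    check the result at least looks like PEM before parsing it."""
    pem = private_key.replace("\\n", "\n").strip() + "\n"
    if not pem.startswith("-----BEGIN ") or "-----END " not in pem:
        raise ValueError("PrivateKey is not PEM text (missing BEGIN/END lines)")
    return pem


def build_claims(client_email, now=None, lifetime=3600, scope=None, target_audience=None):
    """iss = client_email, aud = token endpoint, exp = now + 1h (as in the
    answer). `scope` asks for an access token, `target_audience` for an
    identity token; the answer gives one or the other, so require one."""
    if scope is None and target_audience is None:
        raise ValueError("give a scope (access token) or a target_audience (identity token)")
    now = int(time.time()) if now is None else int(now)
    claims = {"iss": client_email, "aud": TOKEN_URL, "iat": now, "exp": now + lifetime}
    if scope is not None:
        claims["scope"] = scope
    if target_audience is not None:
        claims["target_audience"] = target_audience
    return claims


def _compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def build_assertion(claims: dict, signer, key_id=None) -> str:
    """header.claims.signature; `signer` maps the signing input to a raw
    signature (see rs256_signer). kid is the plugin's KeyId: any text."""
    header = {"alg": "RS256", "typ": "JWT"}
    if key_id:
        header["kid"] = key_id
    signing_input = b64url(_compact(header)) + "." + b64url(_compact(claims))
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def rs256_signer(private_key_pem: str):
    """RS256 = RSASSA-PKCS1-v1_5 over SHA-256, the Algorithm the answer names."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(normalize_pem(private_key_pem).encode(), password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def verify_rs256(assertion: str, public_key_pem: str) -> bool:
    """Local check that the signature matches the key pair before spending
    a round trip (and a 401) on Google."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    head, body, sig = assertion.split(".")
    pub = serialization.load_pem_public_key(public_key_pem.encode())
    try:
        pub.verify(b64url_decode(sig), (head + "." + body).encode("ascii"),
                   padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def decode_claims(assertion: str) -> dict:
    return json.loads(b64url_decode(assertion.split(".")[1]))


def exchange_request(assertion: str) -> urllib.request.Request:
    """The POST that trades the assertion for a token; send it with
    urllib.request.urlopen, the JSON reply carries access_token or id_token."""
    body = urllib.parse.urlencode({"grant_type": JWT_BEARER, "assertion": assertion}).encode("ascii")
    return urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    # Constructed stand-in for the service-account JSON (a real file has the
    # same two fields); the key is escaped as it appears in that file.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sa = {"client_email": "demo@example-project.iam.gserviceaccount.com",
          "private_key": key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                           serialization.NoEncryption()).decode().replace("\n", "\\n")}
    pub_pem = key.public_key().public_bytes(serialization.Encoding.PEM,
                                            serialization.PublicFormat.SubjectPublicKeyInfo).decode()
    token = build_assertion(build_claims(sa["client_email"], target_audience="https://my-service.example"),
                            rs256_signer(sa["private_key"]), key_id="any-text")
    print("signature valid locally:", verify_rs256(token, pub_pem))
    print("claims:", decode_claims(token))
    req = exchange_request(token)
    print("POST", req.full_url, req.data[:60].decode(), "...")
```

Replace the constructed key pair with the private_key and client_email read from your service-account JSON, and pass `scope=` instead of `target_audience=` when you want an access token. `normalize_pem` is the programmatic form of the key-format fix given later in this thread.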
Thanks for this post. It is very useful.
I have an additional question. I do not have a PrivateKeyPassphrase; I have a cert_url.
How can I use it in this CreateSignedAsymmetricTokenWithPemKey?
Hi, you simply need your private_key and client_email. PrivateKeyPassphrase is not needed; you can use ANY text value for PrivateKeyPassphrase in CreateSignedAsymmetricTokenWithPemKey, as I did in the attached image.
@pippo
I did it the same way as in the image,
but I get this error:
Pay attention to the format of your PrivateKey. It must look like this:
Remove the "\n" sequences and put real line breaks in the text instead.
Oh, thank you very much. It worked perfectly.
Hi @pippo,
sorry to bother you again.
I am trying to call an API with the token (Encode Token), but I get 401 Unauthorized.
What am I doing wrong?