fix(auth): use the full format for the JWT payload in IAPToken (#765)
Some of the GCP products when retrieving the JWT token from the GCE
Metadata Server come with the `email` claim, but some have recently
started not returning that claim as part of the JWT payload. Adding the
`format=full` query parameter to the GCE Metadata Server API seems to
return the `email` claim for these cases, along with other GCE Metadata
which for the time being we do not need and thus, we discard.

[See these docs for more
information.](https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature)
juanamari94 authored Jun 14, 2024
1 parent 73cb014 commit b21ee3b
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion auth/gcloud/aio/auth/token.py
Expand Up @@ -57,7 +57,7 @@
)
GCE_ENDPOINT_ID_TOKEN = (
f'{GCE_METADATA_BASE}/instance/service-accounts'
'/default/identity?audience={audience}'
'/default/identity?audience={audience}&format=full'
)
GCLOUD_ENDPOINT_GENERATE_ACCESS_TOKEN = (
'https://iamcredentials.googleapis.com'
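Review bot: On the changed `GCE_ENDPOINT_ID_TOKEN` line, `&format=full` now follows `{audience}`, so the audience has to be percent-encoded before it is substituted; a value containing `&` or `#` would otherwise truncate or interfere with the new parameter. The substitution happens outside this hunk, so please confirm it encodes the value (for example with `urllib.parse.quote(audience, safe='')`) or build the query string from a dict. Also note that the extra claims the full format returns are part of the signed JWT itself, so discarding them in the client does not keep the project and instance details from whoever the token is presented to; that trade-off deserves a comment next to the constant. The commit touches only `token.py` and `pyproject.toml`, so a test asserting that the decoded payload contains `email` would guard against a regression.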
2 changes: 1 addition & 1 deletion auth/pyproject.toml
@@ -1,6 +1,6 @@
[tool.poetry]
name = "gcloud-aio-auth"
version = "5.3.1"
version = "5.3.2"
description = "Python Client for Google Cloud Auth"
readme = "README.rst"
