
Add support for service account access tokens #1829

Merged (2 commits), Aug 14, 2024

Conversation


@zackcl zackcl commented Aug 14, 2024

Resolves #1752

Description

This PR modifies the AuthService to add support for validating service account access tokens in addition to the existing ID token validation. This change allows our application to authenticate requests made using service account credentials.

Changes Made:

  1. Updated the validateUser method in AuthService to handle both ID tokens and access tokens.
  2. Implemented a two-step validation process:
     • First, attempt to validate the token as an ID token.
     • If that fails, attempt to validate it as an access token (see Reference below).
  3. For valid service account access tokens, the method now returns null instead of throwing an error.
  4. Maintained existing functionality for ID tokens to ensure backwards compatibility.
  5. Added appropriate error handling and logging for both token types.

Testing:

  • Tested with both ID tokens and service account access tokens.
  • Verified that existing ID token functionality works as before.
  • Confirmed that service account access tokens are correctly validated.

Future Considerations:

We might want to implement specific handling for service accounts in the future, such as creating a custom payload (email, name, role) or applying specific authorization rules.

Reference:

For your reference, here's an example of code to generate an access token:

const { GoogleAuth } = require('google-auth-library');

async function authenticateServiceAccount() {
  try {
    const auth = new GoogleAuth({
      keyFilename: 'ppl-ees-603b3a01e004.json', // Path to your service account key file
      scopes: 'https://www.googleapis.com/auth/cloud-platform', // Specify the scopes your application needs
    });

    const client = await auth.getClient();
    // getAccessToken() resolves to { token, res }; the bearer string is the token field
    const { token } = await client.getAccessToken();

    console.log('Access Token:', token); // Use this access token to make authenticated API requests
    return token;
  } catch (error) {
    console.error('Error authenticating service account:', error);
    throw error;
  }
}

authenticateServiceAccount().catch(console.error);

@danoswaltCL

@kcalvo-cli maybe we can look at this in SRE mtg, I thought I created a devops ticket but I can't find it. This would allow us to get a proper automated-test service account credential for our QA engineer so that they can hit authenticated UI endpoints.

Since this is a different kind of user, I do wonder what else we have to be mindful of to make sure this is secure. If we could make sure this account's access is only good in the testing environments and has a short expiry, that may suffice?
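The two-step validateUser flow from the PR description, with the guards the comment above asks about added on the server side (service account tokens accepted only where the deployment enables them, an allowlist of accounts, and an expiry check), as an added example that is not code from this PR or the project. The Google client calls are injected as verifyIdToken and verifyAccessToken (assumed names; in production they would wrap google-auth-library's OAuth2Client.verifyIdToken and OAuth2Client.getTokenInfo) and are replaced here by constructed stubs so the block runs offline. Unlike the PR, which returns null for a valid service account token, this returns a minimal service-account payload, along the lines of the Future Considerations section; the allowlisted account, tokens and clock value are all constructed.

```javascript
// Added example, not code from the PR or the project. The two Google
// verifier calls are injected so the block runs offline; in production
// verifyIdToken would wrap OAuth2Client.verifyIdToken(...).getPayload()
// and verifyAccessToken would wrap OAuth2Client.getTokenInfo(). All
// names, accounts and tokens below are assumptions/constructed values.

// Hypothetical allowlist: the only service accounts the API will accept.
const ALLOWED_SERVICE_ACCOUNTS = new Set([
  'qa-runner@example-project.iam.gserviceaccount.com',
]);

// Step 1: verify as an OIDC ID token (interactive users).
// Step 2: if that fails, verify as an OAuth2 access token and apply
//         service-account policy: enabled for this deployment, verified
//         email, allowlisted account, not expired.
async function validateUser(token, deps) {
  const {
    verifyIdToken,
    verifyAccessToken,
    serviceAccountsEnabled = false, // true only in test deployments
    allowed = ALLOWED_SERVICE_ACCOUNTS,
    now = Date.now(),
  } = deps;
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('missing bearer token');
  }

  let idError;
  try {
    const payload = await verifyIdToken(token);
    return { kind: 'user', email: payload.email, name: payload.name };
  } catch (err) {
    idError = err; // not an ID token; try the access-token path
  }

  if (!serviceAccountsEnabled) {
    throw new Error(`rejected as ID token (${idError.message}); service account tokens disabled here`);
  }
  let info;
  try {
    info = await verifyAccessToken(token);
  } catch (err) {
    throw new Error(`rejected as ID token (${idError.message}) and as access token (${err.message})`);
  }
  if (!info.email || info.email_verified !== true) {
    throw new Error('access token carries no verified email');
  }
  if (!allowed.has(info.email)) {
    throw new Error(`service account ${info.email} is not allowed`);
  }
  if (typeof info.expiry_date !== 'number' || info.expiry_date <= now) {
    throw new Error('access token expired');
  }
  return { kind: 'service_account', email: info.email, expiresAt: info.expiry_date };
}

// Constructed stand-ins for the Google calls, keyed by opaque token strings.
const NOW = 1700000000000; // fixed clock (ms) so results are deterministic
const QA_SA = 'qa-runner@example-project.iam.gserviceaccount.com';
const STUB_ID_TOKENS = new Map([
  ['idtok-alice', { email: 'alice@example.com', name: 'Alice' }],
]);
const STUB_ACCESS_TOKENS = new Map([
  ['at-qa', { email: QA_SA, email_verified: true, expiry_date: NOW + 3600000 }],
  ['at-expired', { email: QA_SA, email_verified: true, expiry_date: NOW - 1 }],
  ['at-stranger', { email: 'other@example-project.iam.gserviceaccount.com', email_verified: true, expiry_date: NOW + 3600000 }],
]);
async function stubVerifyIdToken(token) {
  if (!STUB_ID_TOKENS.has(token)) throw new Error('invalid ID token');
  return STUB_ID_TOKENS.get(token);
}
async function stubVerifyAccessToken(token) {
  if (!STUB_ACCESS_TOKENS.has(token)) throw new Error('tokeninfo: invalid token');
  return STUB_ACCESS_TOKENS.get(token);
}

// Runs each sample token through validateUser (by default as a test
// deployment would see it) and collects the outcome per token.
async function demo(serviceAccountsEnabled = true) {
  const deps = { verifyIdToken: stubVerifyIdToken, verifyAccessToken: stubVerifyAccessToken, serviceAccountsEnabled, now: NOW };
  const results = {};
  for (const t of ['idtok-alice', 'at-qa', 'at-expired', 'at-stranger', 'garbage']) {
    try {
      results[t] = await validateUser(t, deps);
    } catch (err) {
      results[t] = { error: err.message };
    }
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Running the block prints one outcome per sample token: the ID token resolves to a user, the allowlisted unexpired access token to a service account, and the expired, unknown and garbage tokens to errors. Calling demo(false) models a production deployment where the access-token path is switched off entirely, so a leaked test credential gains nothing there even if the account exists.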

@danoswaltCL danoswaltCL merged commit 62d2df2 into dev Aug 14, 2024
8 checks passed
@danoswaltCL danoswaltCL deleted the feature/1752-support-access-tokens branch August 14, 2024 18:45
Labels: backend, enhancement (New feature or request)

Linked issue (may be closed by this pull request): Bypass Google Authentication for '/experiments' and '/metric' Endpoints