Implement support for ID tokens #158
Conversation
|
Thank you very much! I will try to take a look soon; if I'm too slow, please don't hesitate to ping me. |
|
I have made some further changes in an effort to make this more readily landable, but it also ended up breaking the API further. For example it is no longer possible to directly obtain the token as str, and instead the user must make a decision whether they want the access or id token, by calling the appropriate API function. |
nagisa
force-pushed
the
nagisa/id_token
branch
2 times, most recently
from
25de05b to
c926d7d
Compare
For google stuff these are relevant when trying to invoke e.g. Cloud Run services. I'm not at all knowledgeable enough with OAuth to be able to tell if what I'm doing here is correct. This is a breaking change. `AccessToken` got renamed to just `Token` (since it now encompasses more than just `access_token` and there are some changes to the `TokenInfo` type too. Sponsored by: standard.ai
|
this looks alright, but I didn't see where the ID token is used to make requests. Did I miss something? Or are you just preparing the types in order to later be able to make requests using the ID token? (to be honest, after a bit of googling I am still not quite sure what the distinctive feature of ID tokens is :) |
I'm not sure what you're asking, so I'll try to describe my use-case, instead: I have a Google Cloud Run application. This Cloud Run application is set up so that it can only be invoked by certain entities (service accounts). In order to obtain a When a service account is used in combination with the scope above, Google's OAuth returns the ID token only, and the response does not include the access token. With the current And so if the question is “why is there nothing specific done to request ID tokens to be returned”, that's because the If the question is “how would one obtain the ID token to use to put into the header", that's done through For my own purposes this PR as it is right now has everything I need. |
I believe ID tokens allow to verify you are who you claim you are, whereas access tokens don't necessarily contain that information. |
|
Ping! Can you check #166 w.r.t. whether it helps with this use case, or can be extended to support it? |
|
I no longer work on the codebase that required this changeset, and so am not able to verify this. |
For google stuff these are relevant when trying to invoke e.g. Cloud
Run services. I'm not at all knowledgeable enough with OAuth to be able
to tell if what I'm doing here is correct.
This is a breaking change.
AccessTokengot renamed to justToken(since it now encompasses more than justaccess_tokenandthere are some changes to the
TokenInfotype too.Sponsored by: standard.ai