Solved: Re: Need to decrypt access token to set in env var...

Shrimoyee · 11-15-2022 11:49 PM

Hello,

we are using get-gcp-access-token node module for generating access token which is working fine but the output is encoded. How do we decode it? Since we need to set the value to an env variable before using it in subsequent deployment call.

dchiesa1

I think you are referring to a GCP access token. A typical GCP access token looks something like this :

ya29.a0AeTM1ieNdl027moRL6_...many more characters...es4e7

To answer your question, as far as I know, Google does not document how to decode or "decrypt", as you say, that token. It's an opaque token. From your perspective, it's just a string of random characters. Only Google systems know what to do with that token, how to validate it, what permissions are granted with it, when it expires, and so on.

Since we need to set the value to an env variable before using it in subsequent deployment call.

You can certainly set that token into a context variable, then inject it into a header or other parameter for an outbound call, or use it in some other way within the API Proxy. The thing you cannot do is "crack it open". From your perspective, it's just a string.

View solution in original post

dchiesa1

I think you are referring to a GCP access token. A typical GCP access token looks something like this :

ya29.a0AeTM1ieNdl027moRL6_...many more characters...es4e7

To answer your question, as far as I know, Google does not document how to decode or "decrypt", as you say, that token. It's an opaque token. From your perspective, it's just a string of random characters. Only Google systems know what to do with that token, how to validate it, what permissions are granted with it, when it expires, and so on.

Since we need to set the value to an env variable before using it in subsequent deployment call.

You can certainly set that token into a context variable, then inject it into a header or other parameter for an outbound call, or use it in some other way within the API Proxy. The thing you cannot do is "crack it open". From your perspective, it's just a string.

Shrimoyee

Thankyou for the help! We created a function within the main function which takes the token and set it in auth header for deployment. This is working fine.

murderuo

Firstly you need to create client OAuth2Client function from google-auth-library lib. Then you can use getTokenInfo func. to acces token information.

i add sample code below to Node.js;

const {OAuth2Client} = require('google-auth-library');

const client = new OAuth2Client(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI);

const tokenInfo = await client.getTokenInfo(token);

///getTokenInfo return to you this sample object;

{
expiry_date: 1743060454077,
scopes: [ 'https://www.googleapis.com/auth/userinfo.email','https://www.googleapis.com/auth/userinfo.profile', 'openid' ],
azp: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com',
aud: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com',
sub: '46598743143164498',
exp: '1743060455',
email: 'XXXXXXXXX@gmail.com',
email_verified: 'true',
access_type: 'online'
}

Need to decrypt access token to set in env variable before deploying proxy