
How to set the "--audiences" option in the "gcloud auth print-identity-token" command?

Hi,

I want to use the "gcloud auth print-identity-token" to generate an identity token and use it to access an AppEngine app that IAP protects.

I learned from some StackOverflow posts that the "audiences" value should look like "123-abc.apps.googleusercontent.com". However, I could not find any document related to this.

If I give an incorrect "audiences" value, I will get an error message saying it does not match the expected value, and the "expected value" matches the above format.

Thanks

1 ACCEPTED SOLUTION

Hi @davidshen84 ,

Thank you for the response.

According to this documentation,

Google APIs use the OAuth 2.0 protocol for authentication and authorization. After you obtain OAuth 2.0 client credentials from the Google API Console, your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access.

Then I found in these two documents, the google.oauth2.id_token module and ID Token, that `audiences` must contain the OAuth 2.0 client_id of your application as an audience value.

You can also check out this service account credentials REST API.


3 REPLIES

gcloud auth print-identity-token prints the identity token for the current account. And if you need to use the flag `--audiences` for the token, replace it with the application or service that the token will be used to access, for example `http://www.example.com`.

There are a few ways to get an ID token:

  • Get an ID token from the metadata server.
  • Use a connecting service to generate an ID token.
  • Generate an ID token by impersonating a service account.

It is not recommended by Google Cloud to generate a valid id_token with a user credential.

You can check the links below for your reference.

Service Account Credentials API

Create and manage service account keys

id_token generation

Stackoverflow post

No, the `audiences` value is the `oauth2ClientId` value of the project. You can get it with `gcloud app describe`. 

My question is, where is it defined in the API document? I only happen to find it out from the error message.
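The flow the thread converges on, as an added example that is not from any poster: read the project's `oauth2ClientId` from `gcloud app describe`, mint the token with `--audiences` set to it, and check the token's `aud` claim locally before sending it to the IAP-protected app. The sample `gcloud app describe` output and the unsigned test token are constructed; the gcloud invocations are assumptions about an authenticated environment.

```python
# Added example, not from the thread. Assumed: `gcloud app describe` prints an
# `oauth2ClientId:` line and `gcloud auth print-identity-token --audiences=<id>`
# mints a token for that audience.
import base64
import json
import re
import subprocess

# Constructed sample of `gcloud app describe` output (only the relevant keys).
SAMPLE_APP_DESCRIBE = """\
id: my-project
oauth2ClientId: 123456789012-abcdefghijklmnop.apps.googleusercontent.com
"""
CLIENT_ID_RE = re.compile(r"^oauth2ClientId:\s*(\S+)\s*$", re.M)

def expected_audience(app_describe_output: str) -> str:
    """IAP expects the project's OAuth client ID as the token audience."""
    m = CLIENT_ID_RE.search(app_describe_output)
    if not m:
        raise ValueError("oauth2ClientId not found in gcloud app describe output")
    return m.group(1)

def jwt_claims(id_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature: this is only a
    local sanity check on `aud`; IAP performs the real verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_matches(id_token: str, expected: str) -> bool:
    """True when the token's `aud` (a string or a list) contains `expected`."""
    aud = jwt_claims(id_token).get("aud")
    return expected in (aud if isinstance(aud, list) else [aud])

def constructed_token(claims: dict) -> str:
    """Build an UNSIGNED (alg none) token for offline tests only."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."

def mint_token_for_app() -> str:
    """Read the client ID, mint a token for it, and refuse to return a token
    whose `aud` IAP would reject. Requires an authenticated gcloud."""
    def run(*cmd: str) -> str:
        return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    aud = expected_audience(run("gcloud", "app", "describe"))
    tok = run("gcloud", "auth", "print-identity-token", f"--audiences={aud}").strip()
    if not audience_matches(tok, aud):
        raise RuntimeError("minted token aud does not match oauth2ClientId")
    return tok
```

Send the returned token as `Authorization: Bearer <token>` to the IAP-protected app; the "does not match the expected value" error from the question is exactly the `aud` mismatch the local check catches first.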

