You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
We are missing the email of the authorized party when we decode the identity token on Cloud Run in PHP.
At this moment the PHP implementation of the GCECredential class is missing the full payload param on the identity token metadata server request. This is already in place in other SDK's like the python SDK:
Describe the solution you'd like
My suggestion would be to add the param format=full for requests going to v1/instance/service-accounts/default/identity
The text was updated successfully, but these errors were encountered:
We can add format=full to the GCECredentials request to get the ID Token, but I am not sure how the extra payload would be used / consumed by our customers. Also, which claim specifically are you looking for?
We are missing the field "email" which holds the service account which generated the token. This allows us to identify which service is calling our cloud run app. The cloud-run app uses this service account email to apply in app permissions.
Is your feature request related to a problem? Please describe.
We are missing the email of the authorized party when we decode the identity token on Cloud Run in PHP.
At this moment the PHP implementation of the GCECredential class is missing the full payload param on the identity token metadata server request. This is already in place in other SDK's like the python SDK:
https://github.com/googleapis/google-auth-library-python/blob/9cd67425e95faab15e57b258a70506b02bccb799/google/auth/compute_engine/credentials.py#L391
Describe the solution you'd like
My suggestion would be to add the param
format=full
for requests going tov1/instance/service-accounts/default/identity
The text was updated successfully, but these errors were encountered: