Allows TokenVendor to read SA from JWT.SUB #539
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Changes implementation of token vendor OAuth2 endpoit to read custom service account information from JWT.SUB instead from request body. Callers cannot easily add extra information to JWT Token request body as common libraries do not allow to alter the resulting request from outside before it is sent to the server. This change ensures that callers can specify service account in a JWT Claim SUBJECT field which is then considered by TokenVendor when issuing a new token. This field was previously unused by TV and feels very natural to be provided without need for custom claims to be introduced. The device ID information is passed in ISS field of the JWT Request. RobotAuth implementatiuon provides two code paths for generating JWT tokens for robot. One is used to exclusively communicate with TokenVendor, this one is not modified. The second path is used for obtaining GCP tokens. This path allows setting custom SA in subject claim.
|
@rastislav-vcrs is it intentional that we've been added while it's in draft status? not clear if I should review / take a high-level glance / wait for status change. |
ensonic
reviewed
Jun 2, 2025
ensonic
reviewed
Jun 2, 2025
There was a problem hiding this comment.
Please also update the README
https://github.com/googlecloudrobotics/core/blob/main/src/go/cmd/token-vendor/README.md
@drigz It is intentional, so you can take a look and tell me if I overlooked something before we go through the formal approval. So take a high-level look if that direction makes sense from your perspective or not. Thank you. |
ensonic
reviewed
Jun 3, 2025
Ongy
approved these changes
Jun 3, 2025
ensonic
added a commit
that referenced
this pull request
Jun 17, 2025
This reverts commit 4d0c8f3, https://cloudlogging.app.goo.gl/M1JMPrN1rMJf37Y68 See https://cloudlogging.app.goo.gl/4rL1Y3WxtwGJLmiT9 ``` Error: "service account "dev-ensonic1-c-googlers-com" not allowed" message: "unable to retrieve cloud access token with given JWT" ``` Rollback tested on robco-ensonic: 
rastislav-vcrs
added a commit
that referenced
this pull request
Jun 18, 2025
rastislav-vcrs
added a commit
that referenced
this pull request
Jun 20, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes implementation of token vendor OAuth2 endpoit to read custom service account information from JWT.SUB instead from request body.
Callers cannot easily add extra information to JWT Token request body as common libraries do not allow to alter the resulting request from outside before it is sent to the server. This change ensures that callers can specify service account in a JWT Claim SUBJECT field which is then considered by TokenVendor when issuing a new token. This field was previously unused by TV and feels very natural to be provided without need for custom claims to be introduced. The device ID information is passed in ISS field of the JWT Request.
RobotAuth implementation provides two code paths for generating JWT tokens for robot. One is used to exclusively communicate with TokenVendor, this one is not modified. The second path is used for obtaining GCP tokens. This path allows setting custom SA in subject claim.