JWT doesn't use the expected value for Issuer (e.g. "iss") #393

Open
burkematthew opened this issue Aug 28, 2022 · 0 comments

I am building a Ruby service that connects to a Google Cloud Endpoint using a Service Account. When passing the JWT generated so far, I'm getting an invalid token error, so I've been troubleshooting where I'm going wrong and am currently concluding it's due to the mismatched iss value of my token.

To build the JWT for access, I am passing a JSON keyfile to Google::Auth::ServiceAccountCredentials.make_creds, following the instructions set forth in the README.

Example:

  def authorizer
    @authorizer ||= Google::Auth::ServiceAccountCredentials.make_creds(
      json_key_io: File.open(keyfile),
      scope: scope,
      enable_self_signed_jwt: true
    )
  end

where keyfile is defined as

  def keyfile
    ENV.fetch("GOOGLE_CLOUD_KEYFILE")
  end

and scope is defined as

  def scope
    ENV.fetch("GOOGLE_ENDPOINT_SCOPE")
  end

I verify the value of @issuer of my authorizer is the service account email address. However, when the JWT is encoded and returned to me via fetch_access_token!, I test the contents of my token using jwt.io, but the iss value is showing up as https://accounts.google.com instead of my expected service account email address.

My question is: why isn't iss set to the value of @issuer and how do I get this set to my service account email address?
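The comparison described in the issue (the token's iss claim against the service account email) can be done locally instead of pasting a live token into a web decoder. This is an added example, not part of the original issue or of googleauth: it decodes the claims without verifying the signature, reads the expected issuer from the keyfile's client_email field, and uses a constructed keyfile and token.

```ruby
require "json"

# Decode one base64url segment; JWTs strip the "=" padding, so restore it.
def decode_segment(segment)
  padded = segment + "=" * ((4 - segment.length % 4) % 4)
  JSON.parse(padded.tr("-_", "+/").unpack1("m").force_encoding("UTF-8"))
end

# Return header and claims WITHOUT verifying the signature (inspection only;
# unverified claims must never drive an authorization decision).
def inspect_jwt(token)
  parts = token.split(".")
  raise ArgumentError, "expected 3 segments, got #{parts.length}" unless parts.length == 3
  { header: decode_segment(parts[0]), claims: decode_segment(parts[1]) }
end

# Compare the token's iss claim with client_email from the JSON keyfile.
def issuer_report(token, keyfile_json)
  expected = JSON.parse(keyfile_json).fetch("client_email")
  claims = inspect_jwt(token)[:claims]
  { expected_iss: expected, actual_iss: claims["iss"],
    match: claims["iss"] == expected, aud: claims["aud"], exp: claims["exp"] }
end

# --- Constructed sample data: not a real keyfile, token or signature ---
def b64url(obj)
  [JSON.generate(obj)].pack("m0").tr("+/", "-_").delete("=")
end

SAMPLE_KEYFILE = JSON.generate({ "client_email" => "svc@example-project.iam.gserviceaccount.com" })
SAMPLE_TOKEN = [
  b64url({ "alg" => "RS256", "typ" => "JWT" }),
  b64url({ "iss" => "https://accounts.google.com", "aud" => "https://example.invalid/api", "exp" => 1_661_700_000 }),
  "constructed-signature"
].join(".")

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(issuer_report(SAMPLE_TOKEN, SAMPLE_KEYFILE))
end
```

To check a real token, pass the token string and `File.read(ENV.fetch("GOOGLE_CLOUD_KEYFILE"))` to `issuer_report`.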
