[fpc-devel] Google APIs - Authenticate using a service account?

Wayne Sherman wsherman at gmail.com
Tue May 11 04:08:06 CEST 2021


On Tue, Jun 30, 2020 at 12:47 AM Michael Van Canneyt
<michael at freepascal.org> wrote:
>
> The problem with the service account is that you must create a JWT Token.
> FPC does not yet have a unit that can generate *and sign* a JWT Token.
>
> The good news is I have this weekend a reminder that I received some code
> that will allow me to complete the JWT Token support in FPC using at
> least the RSA256 signing algorithm (and some others as well).

Hi Michael.  I would like to assist with this if possible.

According to RFC 7519:
https://datatracker.ietf.org/doc/html/rfc7519#section-8

The *required* JWT Signature and MAC algorithms are:
   HS256 (HMAC SHA-256)
   none

The *recommended* JWT Signature and MAC algorithms are:
   RS256 (RSASSA-PKCS1-v1_5 with the SHA-256 hash)
   ES256 (ECDSA using the P-256 curve and the SHA-256 hash)

The Google API supports the following signing algorithms:
https://cloud.google.com/iot/docs/how-tos/credentials/jwts

   JWT RS256 (RSASSA-PKCS1-v1_5 using SHA-256 RFC 7518 sec 3.3). This
   is expressed as RS256 in the alg field in the JWT header.

   JWT ES256 (ECDSA using P-256 and SHA-256 RFC 7518 sec 3.4), defined
   in OpenSSL as the prime256v1 curve. This is expressed as ES256 in the
   alg field in the JWT header.

So for the Google API, we need at least RS256 (RSASSA-PKCS1-v1_5 using SHA-256).

Adding signing directly to fpjwt.pp would be the cleanest, but you
need to add native crypto code to fpc for that.
https://svn.freepascal.org/svn/fpc/trunk/packages/fcl-web/src/base/fpjwt.pp

There are libraries that have it:
https://github.com/fundamentalslib/fundamentals5
https://github.com/Xor-el/CryptoLib4Pascal

Adding JWT signing to the Google API units could be done with OpenSSL, and
it is already a dependency.
OpenSSL can sign and verify a JWT using both RS256 and ES256. Examples:
https://stackoverflow.com/questions/58313106/create-rs256-jwt-in-bash
https://stackoverflow.com/questions/40559765/how-to-verify-json-web-tokens-with-openssl
https://learn.akamai.com/en-us/webhelp/iot/jwt-access-control/GUID-054028C7-1BF8-41A5-BD2E-A3E00F6CA550.html

What do you think?
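
The RS256 sign-and-verify round trip with the openssl command line, as an added example that is not part of the original post and not FPC or Google code. The function names, the throwaway key and the claim values are assumptions made for the demonstration.

```shell
#!/bin/sh
# RS256 (RSASSA-PKCS1-v1_5 with SHA-256) JWT signing and verification via openssl.

b64url() {  # base64url without padding, as JWTs require
    openssl base64 -A | tr '+/' '-_' | tr -d '='
}

b64url_decode() {  # restore the standard alphabet and padding, then decode
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | openssl base64 -d -A
}

# jwt_sign_rs256 <private-key.pem> <claims-json>   prints the compact JWT
jwt_sign_rs256() {
    header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
    payload=$(printf '%s' "$2" | b64url)
    # The signature covers the ASCII bytes of "header.payload".
    sig=$(printf '%s' "$header.$payload" |
          openssl dgst -sha256 -sign "$1" -binary | b64url)
    printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# jwt_verify_rs256 <public-key.pem> <jwt>   returns 0 only for a valid signature
jwt_verify_rs256() {
    signed=${2%.*}                      # header.payload
    sigfile=$(mktemp) || return 1
    b64url_decode "${2##*.}" > "$sigfile"
    # The algorithm is fixed here; the token's own alg field is never consulted.
    printf '%s' "$signed" |
        openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1
    rc=$?
    rm -f "$sigfile"
    return $rc
}

# Demo with a throwaway 2048-bit key and constructed claims.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl genrsa -out "$demo_dir/priv.pem" 2048 2>/dev/null
openssl rsa -in "$demo_dir/priv.pem" -pubout -out "$demo_dir/pub.pem" 2>/dev/null
token=$(jwt_sign_rs256 "$demo_dir/priv.pem" \
        '{"iss":"demo@example.invalid","iat":1620698886}')
jwt_verify_rs256 "$demo_dir/pub.pem" "$token" && echo "signature OK"
```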

