[fpc-devel] Google APIs - Authenticate using a service account?
Wayne Sherman
wsherman at gmail.com
Mon Mar 14 21:42:20 CET 2022
On Mon, May 10, 2021 at 7:08 PM Wayne Sherman wrote:
> The Google API supports the following signing algorithms:
> https://cloud.google.com/iot/docs/how-tos/credentials/jwts
>
> JWT RS256 (RSASSA-PKCS1-v1_5 using SHA-256 RFC 7518 sec 3.3). This
> is expressed as RS256 in the alg field in the JWT header.
> JWT ES256 (ECDSA using P-256 and SHA-256 RFC 7518 sec 3.4), defined
> in OpenSSL as the prime256v1 curve. This is expressed as ES256 in the
> alg field in the JWT header.

My statement above about ES256 does not appear to be correct. After
looking over Google's API docs again, I discovered that JWTs signed
using ES256 are only supported on a few of their services (?) (e.g.
Cloud IoT Core, Identity-Aware Proxy, and Cloud Security Token).

ES256 support was added to the Google API Python auth library here:
https://github.com/googleapis/google-auth-library-python/pull/340

See also:
https://github.com/googleapis/google-auth-library-python/search?q=es256
https://github.com/googleapis/google-api-dotnet-client/search?q=es256

But according to this page:
*Computing the signature*
https://developers.google.com/identity/protocols/oauth2/service-account#httprest
"The signing algorithm in the JWT header must be used when computing the
signature. The *only signing algorithm supported* by the Google OAuth 2.0
Authorization Server *is RSA using SHA-256 hashing* algorithm. This is
expressed as RS256 in the alg field in the JWT header."
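
The distinction drawn in this message, as an added example that is not part of the original post or of any Google library: a pre-flight check that reads the alg field from a JWT header and rejects the token if the intended endpoint does not accept that algorithm. The target labels, function names and sample tokens are assumptions constructed for illustration; the check does not verify the signature itself.

```python
import base64
import json

# Algorithms each endpoint accepts, as stated in the message above.
# The dictionary keys are hypothetical labels chosen for this example.
ACCEPTED_ALGS = {
    "oauth2-token-endpoint": {"RS256"},    # Google OAuth 2.0 Authorization Server
    "cloud-iot-core": {"RS256", "ES256"},  # Cloud IoT Core device JWTs
}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment (RFC 7515, section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the form JWT segments use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_jwt_alg(token: str, target: str) -> str:
    """Return the header's alg if `target` accepts it, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.claims.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("header is not base64url-encoded JSON") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # An allowlist also rejects "none" and a missing alg field.
    if alg not in ACCEPTED_ALGS[target]:
        raise ValueError(f"alg {alg!r} not accepted by {target}")
    if not parts[2]:
        raise ValueError("signature segment is empty")
    return alg


def make_sample(alg: str) -> str:
    """Build a constructed token; the signature bytes are placeholder data."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps({"iss": "svc@example.invalid"}).encode())
    return f"{header}.{claims}.{b64url_encode(b'constructed-placeholder')}"
```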