[fpc-devel] Google APIs - Authenticate using a service account?
Michael Van Canneyt
michael at freepascal.org
Wed Mar 16 11:16:13 CET 2022
On Mon, 14 Mar 2022, Wayne Sherman via fpc-devel wrote:
> On Mon, May 10, 2021 at 7:08 PM Wayne Sherman wrote:
>> The Google API supports the following signing algorithms:
>> https://cloud.google.com/iot/docs/how-tos/credentials/jwts
>>
>> JWT RS256 (RSASSA-PKCS1-v1_5 using SHA-256 RFC 7518 sec 3.3). This
>> is expressed as RS256 in the alg field in the JWT header.
>> JWT ES256 (ECDSA using P-256 and SHA-256 RFC 7518 sec 3.4), defined
>> in OpenSSL as the prime256v1 curve. This is expressed as ES256 in the
>> alg field in the JWT header.
>
> My statement above about ES256 does not appear to be correct. After
> looking over Google's API docs again, I discovered that JWTs signed
> using ES256 are only supported on a few of their services (?). (e.g.
> Cloud IoT Core, Identity-Aware Proxy, and Cloud Security Token)
>
> ES256 support was added to the Google API Python auth library here:
> https://github.com/googleapis/google-auth-library-python/pull/340
>
> See also:
> https://github.com/googleapis/google-auth-library-python/search?q=es256
> https://github.com/googleapis/google-api-dotnet-client/search?q=es256
>
> But according to this page:
>
> *Computing the signature*
> https://developers.google.com/identity/protocols/oauth2/service-account#httprest
>
> "The signing algorithm in the JWT header must be used when computing the
> signature. The *only signing algorithm supported* by the Google OAuth 2.0
> Authorization Server *is RSA using SHA-256 hashing* algorithm. This is
> expressed as RS256 in the alg field in the JWT header."

RS256 is on my todo list, I have 3 implementations that I can use, but I still
need to find time to actually choose and integrate it.

Michael.
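
The RS256 scheme discussed in this thread (RSASSA-PKCS1-v1_5 using SHA-256, RFC 7518 sec 3.3), worked through in Python as an added example; it is not part of the original message and not FPC code. The function names, the demo key (built from two public Mersenne primes, so not secure) and the sample claims are constructed for illustration; real signing should use a vetted crypto library and the service account's own key.

```python
import base64, hashlib, json

# DER DigestInfo prefix for SHA-256 used by EMSA-PKCS1-v1_5 (RFC 8017)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key from two public Mersenne primes: NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
# Constructed sample claims (placeholder issuer and audience).
SAMPLE_CLAIMS = {"iss": "svc@example.invalid", "iat": 1647425773,
                 "aud": "https://auth.example.invalid/token", "exp": 1647429373}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Encode as 00 01 FF..FF 00 DigestInfo||SHA-256(message), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rs256(claims: dict, n: int, d: int) -> str:
    header = {"alg": "RS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)   # signature covers header AND claims
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(signing_input.encode("ascii"), k), "big")
    return signing_input + "." + b64url(pow(em, d, n).to_bytes(k, "big"))

def verify_rs256(token: str, n: int, e: int) -> bool:
    try:
        h, c, s = token.split(".")
        header, sig = json.loads(b64url_decode(h)), b64url_decode(s)
    except ValueError:                # wrong part count, bad base64 or JSON
        return False
    k = (n.bit_length() + 7) // 8
    s_int = int.from_bytes(sig, "big")
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        return False                  # reject ES256, "none", or a missing alg
    if len(sig) != k or s_int >= n:
        return False
    recovered = pow(s_int, e, n).to_bytes(k, "big")
    return recovered == emsa_pkcs1_v15(f"{h}.{c}".encode("ascii"), k)
```

The verifier rebuilds the expected encoded message and compares it whole instead of parsing the padding, and it refuses any header whose `alg` is not RS256 before touching the signature.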