[fpc-devel] Google APIs - Authenticate using a service account?

Michael Van Canneyt michael at freepascal.org
Wed Mar 16 11:16:13 CET 2022

On Mon, 14 Mar 2022, Wayne Sherman via fpc-devel wrote:

> On Mon, May 10, 2021 at 7:08 PM Wayne Sherman wrote:
>> The Google API supports the following signing algorithms:
>> https://cloud.google.com/iot/docs/how-tos/credentials/jwts
>>    JWT RS256 (RSASSA-PKCS1-v1_5 using SHA-256 RFC 7518 sec 3.3). This
>> is expressed as RS256 in the alg field in the JWT header.
>>    JWT ES256 (ECDSA using P-256 and SHA-256 RFC 7518 sec 3.4), defined
>> in OpenSSL as the prime256v1 curve. This is expressed as ES256 in the
>> alg field in the JWT header.
> My statement above about ES256 does not appear to be correct.  After
> looking over Google's API docs again, I discovered that JWTs signed
> using ES256 are only supported on a few of their services (?).  (e.g.
> Cloud IoT Core, Identity-Aware Proxy, and Cloud Security Token)
> ES256 support was added to the google API python auth library here:
>     https://github.com/googleapis/google-auth-library-python/pull/340
>     See also:
>     https://github.com/googleapis/google-auth-library-python/search?q=es256
>     https://github.com/googleapis/google-api-dotnet-client/search?q=es256
> But according to this page:
>     *Computing the signature*
>     https://developers.google.com/identity/protocols/oauth2/service-account#httprest
>     "The signing algorithm in the JWT header must be used when computing the
>     signature. The *only signing algorithm supported* by the Google OAuth 2.0
>     Authorization Server *is RSA using SHA-256 hashing* algorithm. This is
>     expressed as RS256 in the alg field in the JWT header."

RS256 is on my todo list, I have 3 implementations that I can use, but I still
need to find time to actually choose and integrate it.


More information about the fpc-devel mailing list