Programmatic access from a service account to a Google IAP protected resource denied with invalid signature error
I tried your code, and I found that it doesn't work with google.golang.org/api v0.23.0, but it does work with google.golang.org/api v0.24.0 (the latest one at the time of writing).
It is indeed a bug; the release notes mention the following:
When provided, use the TokenSource from options for NewTransport. This fixes a bug in idtoken.NewClient where the wrong TokenSource was being used for authentication.
Interestingly, 0.23.0 is sending a token signed with the service account's private key with the following claims:
{
  "iss": "[email protected]",
  "aud": "",
  "exp": 1589596554,
  "iat": 1589592954,
  "sub": "[email protected]"
}
and 0.24.0 sends a token signed with Google's private key (internally, the previous token is exchanged for a Google-signed token):
{
  "aud": "xxxxxxx-xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
  "azp": "[email protected]",
  "email": "[email protected]",
  "email_verified": true,
  "exp": 1589596508,
  "iat": 1589592908,
  "iss": "https://accounts.google.com",
  "sub": "11524xxxxxxxxxxxxxxxx"
}
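The quickest way to tell which of the two kinds of token your client is actually sending is to decode the JWT payload and look at `iss` and `aud`. The following is an added diagnostic example, not code from the answer above or from the google.golang.org/api library: it decodes a compact JWT without verifying the signature and checks the claims IAP cares about (issuer `https://accounts.google.com`, `aud` equal to the IAP OAuth client ID, and a valid time window). The two sample tokens, the service account email and the client ID are constructed stand-ins for the placeholders in the answer, and the signatures are dummies, so the checks are about claims only.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims of a Google ID token that decide whether IAP accepts it.
// "aud" is decoded as a string because Google ID tokens carry a single audience.
type IDTokenClaims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Sub           string `json:"sub"`
	Email         string `json:"email,omitempty"`
	EmailVerified bool   `json:"email_verified,omitempty"`
	Exp           int64  `json:"exp"`
	Iat           int64  `json:"iat"`
}

// decodeClaims reads the payload of a compact JWT WITHOUT verifying its signature.
// Diagnostic use only: it shows what the client sends, not whether the token is genuine.
func decodeClaims(token string) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWT (want header.payload.signature)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return &c, nil
}

// checkIAPClaims returns nil when the claims look like a Google-signed ID token
// minted for the given IAP OAuth client ID, and an explanatory error otherwise.
func checkIAPClaims(c *IDTokenClaims, iapClientID string, now time.Time) error {
	if c.Iss != "https://accounts.google.com" {
		return fmt.Errorf("iss is %q: a JWT self-signed with the service account key, not a Google-signed ID token", c.Iss)
	}
	if c.Aud != iapClientID {
		return fmt.Errorf("aud is %q, want the IAP OAuth client ID %q", c.Aud, iapClientID)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token is expired")
	}
	if now.Before(time.Unix(c.Iat, 0)) {
		return errors.New("iat is in the future")
	}
	return nil
}

// diagnose decodes a token and checks its claims against the expected IAP client ID.
func diagnose(token, iapClientID string, now time.Time) error {
	c, err := decodeClaims(token)
	if err != nil {
		return err
	}
	return checkIAPClaims(c, iapClientID, now)
}

// buildUnsignedJWT assembles a JWT with a dummy signature for the samples below.
// Constructed test data: IAP would reject these on the signature alone.
func buildUnsignedJWT(claims map[string]interface{}) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + "." + enc([]byte("dummy-signature"))
}

// Constructed values standing in for the placeholders in the answer above (assumed, not real).
const (
	sampleServiceAccount = "sa@example-project.iam.gserviceaccount.com"
	sampleIAPClientID    = "123456789-abc.apps.googleusercontent.com"
)

// sampleSelfSignedToken mirrors the v0.23.0 claims: empty aud, iss is the service account itself.
func sampleSelfSignedToken() string {
	return buildUnsignedJWT(map[string]interface{}{
		"iss": sampleServiceAccount, "sub": sampleServiceAccount, "aud": "",
		"iat": 1589592954, "exp": 1589596554,
	})
}

// sampleGoogleSignedToken mirrors the claims of the exchanged token sent by v0.24.0.
func sampleGoogleSignedToken() string {
	return buildUnsignedJWT(map[string]interface{}{
		"iss": "https://accounts.google.com", "aud": sampleIAPClientID, "azp": sampleServiceAccount,
		"email": sampleServiceAccount, "email_verified": true, "sub": "115240000000000000000",
		"iat": 1589592908, "exp": 1589596508,
	})
}

func main() {
	now := time.Unix(1589593000, 0) // inside both tokens' validity windows
	samples := map[string]string{"v0.23.0-style": sampleSelfSignedToken(), "v0.24.0-style": sampleGoogleSignedToken()}
	for name, tok := range samples {
		if err := diagnose(tok, sampleIAPClientID, now); err != nil {
			fmt.Printf("%s: IAP would reject: %v\n", name, err)
		} else {
			fmt.Printf("%s: claims are acceptable to IAP\n", name)
		}
	}
}
```

To inspect a real token, paste the value your client puts in the `Authorization: Bearer` header into `diagnose` in place of the samples. A self-signed token (`iss` equal to the service account email, empty `aud`) is exactly what the v0.23.0 client was sending; with v0.24.0, `idtoken.NewClient` performs the exchange and the token should show `iss` of `https://accounts.google.com` and `aud` equal to the IAP client ID you passed as the audience. The check here reads claims only; IAP itself additionally verifies the signature against Google's public keys.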