I'm making a server-to-server authentication using a service account from Google Cloud Platform. According to Google's documentation, the request token (JWT) must be based on RSA SHA-256 algoritm, therefore signed with a RSA certificated private key and decoded with its respective public key.
How do i let google api know the public key?
I'm aware that Google has its own RSA certificates but i don't know how to use them exactly.
So, what RSA private/public key should i use for google's oauth2 token codification?
Here's an extract of the code:
import jwt from 'jsonwebtoken'
const axios = require('axios')
const fs = require('fs')
const {
google
} = require('googleapis')
// oauth2 token uri
const GSUITE_AUD = 'https://oauth2.googleapis.com/token'
const payload = {
iss: '[email protected]',
scope: 'https://www.googleapis.com/auth/admin.directory.user',
aud: GSUITE_AUD,
}
const options = {
algorithm: 'RS256',
expiresIn: '10m'
}
const fetchGSuiteUsersUtil = () => {
let path = require('path'),
privateKeyFilePath = path.join(__dirname, 'private.key')
const privateKey = fs.readFileSync(privateKeyFilePath, 'utf-8')
const request_token = jwt.sign(payload, privateKey, options)
authorize(request_token, listUsers)
function authorize(request_token, callback) {
const TOKEN_URI = GSUITE_AUD
const data = {
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
assertion: request_token
}
axios.post(TOKEN_URI, data)
.then((res) => {
console.log(`statusCode: ${res.statusCode}`)
console.log(res)
// callback(res)
})
.catch((error) => {
/**
* Here i get the error 'Invalid JWT signature' and sounds logic
* since it doesn't know the public key for the RSA certificated
* private key that i used
*
*/
console.error(error)
})
}
function listUsers(auth) {
const service = google.admin({
version: 'directory_v1',
auth,
})
service.users.list({
customer: 'my_customer',
orderBy: 'email',
maxResults: 500,
query: 'orgUnitPath=/'
},
async(err, res) => {
// Do things once i get the token..
})
}
}
export default fetchGSuiteUsersUtilYou are misunderstanding Google Cloud Service Accounts and G Suite Domain Wide Delegation.
How do i let google api know the public key?
You don't. Google already knows the public key from the private key that Google gave you as part of the service account JSON file. You need to create a service account in the Google Cloud Console and then download the key material as a JSON file. You cannot create your own private key.
In addition, there are several steps that you must follow since you are trying to use the Admin API. Read the documentation at the following link:
Perform G Suite Domain-Wide Delegation of Authority
I wrote this article which explains the process of using a service account private key, creating a Signed JWT and exchanging for an OAuth Access Token.
Google Cloud – Creating OAuth Access Tokens for REST API Calls
One additional point. In your code, you are specifying an audience. If you specify an audience for your tokens you will not get an OAuth Access Token. You will get an OIDC Identity Token which is used for Identity Based Authorization. An example is using an Identity Token with Google Cloud IAP (Identity Aware Proxy).