
GCP Server to Server Authentication with Service Account


I'm trying to authenticate a request from my Google Cloud Function to my API on App Engine (Standard environment).

I have something working, but I'm new to OAuth2 and am looking for a sanity check.

In my Cloud Function, I send an authenticated request to my API doing the following:

import { GoogleAuth } from 'google-auth-library';

// Send Request Code:
const auth = new GoogleAuth();
const tokenClient = await auth.getIdTokenClient(`/protectedEndpoint`);
await tokenClient.request({
    url: `https://${process.env.GCLOUD_PROJECT}.appspot.com/protectedEndpoint`,
    method: 'POST',
});

In the API (on App Engine), I do the following:

import { GoogleAuth } from 'google-auth-library';

// Handle Request Code (req is the incoming HTTP request):
const authHeader = req.headers.authorization || '';
const token = authHeader.replace(/^Bearer\s+/i, ''); // Bearer token parsed from request headers
const googleAuth = new GoogleAuth();
const tokenClient = await googleAuth.getIdTokenClient('');
const loginTicket = await tokenClient.verifyIdToken({
    idToken: token,
    audience: '/protectedEndpoint',
});

if (loginTicket.getUserId() !== process.env.SERVICE_ACCOUNT_ID) {
    throw new Error('Unauthenticated Service Account');
}

return 'Successful Authentication';

Note: In both cases, I'm using Google's default application credentials to initialize the GoogleAuth client. (my Default App Engine service account)

This all works. My function sends a request to my API, and my API is able to parse the bearer token and tell me that it came from my approved service account... but I'm not 100% confident that this is actually secure. Is it possible for someone to spoof my service account without having its credentials?

Thanks in advance!


Solution

  • Is it possible for someone to spoof my service account without having its credentials?

    A precise answer requires the specification of time. Given enough time and processing power, any authentication/authorization/encryption/hashing/signing method can be broken.

    A Google service account contains an RSA 2048-bit private key. Current guesstimates are 300 trillion years to break RSA 2048 bit encryption. With the rapid advances in computers, let's assume your data will probably not be of any use/value by the time RSA is broken.

    The private key is used to sign a JWT. The Signed JWT is used to request OAuth Access/Identity Tokens.

    Spoofing would require signing with the same private key. Therefore, spoofing is not possible with today's technology.

    Stealing/leaking the private key or the generated OAuth tokens is the only realistic method today.