Add custom GCP ID token generation logic that is compatible with AOT

Author: reakaleek

Directory.Packages.props

@@ -37,7 +37,6 @@
     <PackageVersion Include="DotNet.Glob" Version="3.1.3" />
     <PackageVersion Include="Errata" Version="0.14.0" />
     <PackageVersion Include="Github.Actions.Core" Version="9.0.0" />
-    <PackageVersion Include="Google.Apis.Auth" Version="1.68.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging" Version="9.0.4" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="9.0.4" />
     <PackageVersion Include="Markdig" Version="0.41.1" />
@@ -71,4 +70,4 @@
     </PackageVersion>
     <PackageVersion Include="xunit.v3" Version="2.0.2" />
   </ItemGroup>
-</Project>
+</Project>

src/Elastic.Documentation.Site/Assets/web-components/SearchOrAskAi/AskAiAnswer.tsx

@@ -136,7 +136,11 @@ export const AskAiAnswer = () => {
                     )}
                     {!error && isLoading && (
                         <>
-                            {messages.length > 0 && <EuiSpacer size="s" />}
+                            {messages.filter(
+                                (m) =>
+                                    m.type === 'ai_message' ||
+                                    m.type === 'ai_message_chunk'
+                            ).length > 0 && <EuiSpacer size="s" />}
                             <EuiFlexGroup
                                 alignItems="center"
                                 gutterSize="xs"

src/tooling/docs-builder/Http/DocumentationWebHost.cs

@@ -15,7 +15,6 @@
 using Elastic.Markdown.Exporters;
 using Elastic.Markdown.IO;
 using Elastic.Markdown.Myst.Renderers;
-using Google.Apis.Auth.OAuth2;
 using Markdig.Syntax;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
@@ -286,9 +285,6 @@ private static async Task<IResult> ProxyChatRequest(HttpContext context, Cancell
 				return Results.Empty;
 			}
 
-			var credential = GoogleCredential.FromFile(serviceAccountKeyPath)
-				.CreateScoped("https://www.googleapis.com/auth/cloud-platform");
-
 			// Get GCP function URL
 			var gcpFunctionUrl = Environment.GetEnvironmentVariable("GCP_CHAT_FUNCTION_URL");
 			if (string.IsNullOrEmpty(gcpFunctionUrl))
@@ -302,17 +298,8 @@ private static async Task<IResult> ProxyChatRequest(HttpContext context, Cancell
 			var functionUri = new Uri(gcpFunctionUrl);
 			var audienceUrl = $"{functionUri.Scheme}://{functionUri.Host}";
 
-			// Generate ID token for GCP Cloud Function authentication
-			if (credential.UnderlyingCredential is not IOidcTokenProvider oidcProvider)
-			{
-				context.Response.StatusCode = 500;
-				await context.Response.WriteAsync("GCP credential does not support ID tokens", cancellationToken: ctx);
-				return Results.Empty;
-			}
-
-			var oidcTokenOptions = OidcTokenOptions.FromTargetAudience(audienceUrl);
-			var oidcTokenSource = await oidcProvider.GetOidcTokenAsync(oidcTokenOptions, ctx);
-			var idToken = await oidcTokenSource.GetAccessTokenAsync(ctx);
+			// Generate ID token using AOT-compatible approach
+			var idToken = await GcpIdTokenGenerator.GenerateIdTokenAsync(serviceAccountKeyPath, audienceUrl, ctx);
 
 			// Make request to GCP function
 			using var httpClient = new HttpClient();

src/tooling/docs-builder/Http/GcpIdTokenGenerator.cs

@@ -0,0 +1,129 @@
+// Licensed to Elasticsearch B.V under one or more agreements.
+// Elasticsearch B.V licenses this file to you under the Apache 2.0 License.
+// See the LICENSE file in the project root for more information
+
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace Documentation.Builder.Http;
+
+internal readonly record struct ServiceAccountKey(
+	string Type,
+	string ProjectId,
+	string PrivateKeyId,
+	string PrivateKey,
+	string ClientEmail,
+	string ClientId,
+	string AuthUri,
+	string TokenUri,
+	string AuthProviderX509CertUrl,
+	string ClientX509CertUrl
+);
+
+internal readonly record struct JwtHeader(string Alg, string Typ, string Kid);
+
+internal readonly record struct JwtPayload(
+	string Iss,
+	string Sub,
+	string Aud,
+	long Iat,
+	long Exp,
+	string TargetAudience
+);
+
+[JsonSerializable(typeof(ServiceAccountKey))]
+[JsonSerializable(typeof(JwtPayload))]
+[JsonSourceGenerationOptions(PropertyNamingPolicy = JsonKnownNamingPolicy.SnakeCaseLower)]
+internal sealed partial class GcpJsonContext : JsonSerializerContext { }
+
+[JsonSerializable(typeof(JwtHeader))]
+[JsonSourceGenerationOptions(PropertyNamingPolicy = JsonKnownNamingPolicy.CamelCase)]
+internal sealed partial class JwtHeaderJsonContext : JsonSerializerContext { }
+
+// This is a custom implementation to create an ID token for GCP.
+// Because Google.Api.Auth.OAuth2 is not compatible with AOT
+public static class GcpIdTokenGenerator
+{
+
+	public static async Task<string> GenerateIdTokenAsync(string serviceAccountKeyPath, string targetAudience, CancellationToken cancellationToken = default)
+	{
+		// Read and parse service account key file using System.Text.Json source generation (AOT compatible)
+		var serviceAccountJson = await File.ReadAllTextAsync(serviceAccountKeyPath, cancellationToken);
+		var serviceAccount = JsonSerializer.Deserialize(serviceAccountJson, GcpJsonContext.Default.ServiceAccountKey);
+
+		// Create JWT header
+		var header = new JwtHeader("RS256", "JWT", serviceAccount.PrivateKeyId);
+		var headerJson = JsonSerializer.Serialize(header, JwtHeaderJsonContext.Default.JwtHeader);
+		var headerBase64 = Base64UrlEncode(Encoding.UTF8.GetBytes(headerJson));
+
+		// Create JWT payload
+		var now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
+		var payload = new JwtPayload(
+			serviceAccount.ClientEmail,
+			serviceAccount.ClientEmail,
+			"https://oauth2.googleapis.com/token",
+			now,
+			now + 3600, // 1 hour expiration
+			targetAudience
+		);
+
+		var payloadJson = JsonSerializer.Serialize(payload, GcpJsonContext.Default.JwtPayload);
+		var payloadBase64 = Base64UrlEncode(Encoding.UTF8.GetBytes(payloadJson));
+
+		// Create signature
+		var message = $"{headerBase64}.{payloadBase64}";
+		var messageBytes = Encoding.UTF8.GetBytes(message);
+
+		// Parse the private key (removing PEM headers/footers and decoding)
+		var privateKeyPem = serviceAccount.PrivateKey
+			.Replace("-----BEGIN PRIVATE KEY-----", "")
+			.Replace("-----END PRIVATE KEY-----", "")
+			.Replace("\n", "")
+			.Replace("\r", "");
+		var privateKeyBytes = Convert.FromBase64String(privateKeyPem);
+
+		// Create RSA instance and sign
+		using var rsa = RSA.Create();
+		rsa.ImportPkcs8PrivateKey(privateKeyBytes, out _);
+		var signature = rsa.SignData(messageBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+		var signatureBase64 = Base64UrlEncode(signature);
+
+		var jwt = $"{message}.{signatureBase64}";
+
+		// Exchange JWT for ID token
+		return await ExchangeJwtForIdToken(jwt, targetAudience, cancellationToken);
+	}
+
+	private static async Task<string> ExchangeJwtForIdToken(string jwt, string targetAudience, CancellationToken cancellationToken)
+	{
+		using var httpClient = new HttpClient();
+
+		var requestContent = new FormUrlEncodedContent([
+			new KeyValuePair<string, string>("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer"),
+			new KeyValuePair<string, string>("assertion", jwt),
+			new KeyValuePair<string, string>("target_audience", targetAudience)
+		]);
+
+		var response = await httpClient.PostAsync("https://oauth2.googleapis.com/token", requestContent, cancellationToken);
+		_ = response.EnsureSuccessStatusCode();
+
+		var responseJson = await response.Content.ReadAsStringAsync(cancellationToken);
+		using var document = JsonDocument.Parse(responseJson);
+
+		if (document.RootElement.TryGetProperty("id_token", out var idTokenElement))
+		{
+			return idTokenElement.GetString() ?? throw new InvalidOperationException("ID token is null");
+		}
+
+		throw new InvalidOperationException("No id_token found in response");
+	}
+
+	private static string Base64UrlEncode(byte[] input)
+	{
+		var base64 = Convert.ToBase64String(input);
+		// Convert base64 to base64url encoding
+		return base64.Replace('+', '-').Replace('/', '_').TrimEnd('=');
+	}
+}

src/tooling/docs-builder/docs-builder.csproj

@@ -21,7 +21,6 @@
   <ItemGroup>
     <PackageReference Include="ConsoleAppFramework.Abstractions" />
     <PackageReference Include="ConsoleAppFramework" />
-    <PackageReference Include="Google.Apis.Auth" />
     <PackageReference Include="Westwind.AspNetCore.LiveReload" />
     <PackageReference Include="System.IO.Abstractions.TestingHelpers" />
   </ItemGroup>