docs(auth): id token user guide #3762
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3762 +/- ##
=======================================
Coverage 96.19% 96.19%
=======================================
Files 153 153
Lines 5842 5842
=======================================
Hits 5620 5620
Misses 222 222 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
coryan
left a comment
coryan
left a comment
There was a problem hiding this comment.
This PR does not look ready, too many strange things.
alvarowolfx
left a comment
alvarowolfx
left a comment
There was a problem hiding this comment.
addressed review comments. Some extra files were due to some mismatch between mdformat running on my cloudtop and also mdbook not liking when you rename files and move things around.
coryan
left a comment
coryan
left a comment
There was a problem hiding this comment.
Blocking for now. The documentation is publish on each release, which would be bad for these changes because the features are not enabled by default. We should queue these changes until the features are enabled too.
alvarowolfx
added
the
do not merge
Splitting work on #3762 that can already be merged.
Splitting work on #3762 that can already be merged.
alvarowolfx
removed
the
do not merge
coryan
left a comment
coryan
left a comment
There was a problem hiding this comment.
A few suggestions for the text. I think we should put this guide into docs.cloud.google.com/rust right away, but maybe talk to the tech writer first in case they have suggestions about where to place it or any pre-requisites.
| ID tokens are particularly useful in scenarios where you need to authenticate to | ||
| a service that is not a Google Cloud API. For example, you can use ID tokens to |
There was a problem hiding this comment.
I cannot put my finger on it, but it seems like this paragraph should be closer to "ID tokens are used for service-to-service authentication."
| ID tokens are a standardized way to verify the identity of a principal in a | ||
| secure and portable manner. Unlike access tokens, which are used to authorize | ||
| access to Google Cloud APIs, ID tokens are used for service-to-service | ||
| authentication. The requesting service can generate an ID token and include it | ||
| in the `Authorization` header of a request to the receiving service. The | ||
| receiving service can then verify the token to authenticate the caller. | ||
|
|
||
| ID tokens are particularly useful in scenarios where you need to authenticate to | ||
| a service that is not a Google Cloud API. For example, you can use ID tokens to | ||
| securely authenticate requests if your target service is running on [Cloud Run] | ||
| or behind an [Identity-Aware Proxy]. See the [service-to-service authentication] | ||
| guide for more information. |
There was a problem hiding this comment.
Maybe this:
| ID tokens are a standardized way to verify the identity of a principal in a | |
| secure and portable manner. Unlike access tokens, which are used to authorize | |
| access to Google Cloud APIs, ID tokens are used for service-to-service | |
| authentication. The requesting service can generate an ID token and include it | |
| in the `Authorization` header of a request to the receiving service. The | |
| receiving service can then verify the token to authenticate the caller. | |
| ID tokens are particularly useful in scenarios where you need to authenticate to | |
| a service that is not a Google Cloud API. For example, you can use ID tokens to | |
| securely authenticate requests if your target service is running on [Cloud Run] | |
| or behind an [Identity-Aware Proxy]. See the [service-to-service authentication] | |
| guide for more information. | |
| ID tokens are a standardized way to verify the identity of a principal in a | |
| secure and portable manner. Unlike access tokens, which are used to authorize | |
| access to Google Cloud APIs, ID tokens are used for service-to-service | |
| authentication. For example, you can use ID tokens to securely authenticate | |
| requests if your target service is running on [Cloud Run] or behind an | |
| [Identity-Aware Proxy]. See the [service-to-service authentication] guide for | |
| more information. | |
| When using ID tokens, the requesting service _generates_ an ID token and | |
| includes it in the `Authorization` header of a request to the receiving service. The | |
| receiving service can then _verify_ the token to authenticate the caller. |
|
|
||
| ## Obtaining ID Tokens | ||
|
|
||
| An ID token contains claims about the identity of a principal, such as a service |
There was a problem hiding this comment.
I think this is the first time you talk about "claims", it would be useful to define it or link to a definition.
| An ID token contains claims about the identity of a principal, such as a service | |
| An ID token contains *claims* about the identity of a principal, such as a service |
| the token. This is typically the URL of the service that will verify the token's | ||
| signature and claims to authenticate the caller. For example, if you are calling | ||
| a Cloud Run service, the audience should be the URL of that service. |
There was a problem hiding this comment.
I am not sure what "claims to authenticate the caller" means. Maybe:
| the token. This is typically the URL of the service that will verify the token's | |
| signature and claims to authenticate the caller. For example, if you are calling | |
| a Cloud Run service, the audience should be the URL of that service. | |
| the token. This is typically the URL of the service that will verify the token's | |
| signature. For example, if you are calling | |
| a Cloud Run service, the audience should be the URL of that service. | |
| The audience may also include additional claims about the caller. These are | |
| not discussed in this introduction, see [blah blah] for more information. |
2 participants
Towards #3449