On Mon, 14 Mar 2022, Wayne Sherman via fpc-devel wrote:

On Mon, May 10, 2021 at 7:08 PM Wayne Sherman wrote:
The Google API supports the following signing algorithms:
https://cloud.google.com/iot/docs/how-tos/credentials/jwts

   JWT RS256 (RSASSA-PKCS1-v1_5 using SHA-256 RFC 7518 sec 3.3). This
   is expressed as RS256 in the alg field in the JWT header.

   JWT ES256 (ECDSA using P-256 and SHA-256 RFC 7518 sec 3.4), defined
   in OpenSSL as the prime256v1 curve. This is expressed as ES256 in the
   alg field in the JWT header.

My statement above about ES256 does not appear to be correct.  After
looking over Google's API docs again, I discovered that JWTs signed
using ES256 are only supported on a few of their services (?).  (e.g.
Cloud IoT Core, Identity-Aware Proxy, and Cloud Security Token)

ES256 support was added to the Google API Python auth library here:
    https://github.com/googleapis/google-auth-library-python/pull/340

    See also:
    https://github.com/googleapis/google-auth-library-python/search?q=es256
    https://github.com/googleapis/google-api-dotnet-client/search?q=es256

But according to this page:

    *Computing the signature*
    https://developers.google.com/identity/protocols/oauth2/service-account#httprest

    "The signing algorithm in the JWT header must be used when computing the
    signature. The *only signing algorithm supported* by the Google OAuth 2.0
    Authorization Server *is RSA using SHA-256 hashing* algorithm. This is
    expressed as RS256 in the alg field in the JWT header."

RS256 is on my todo list, I have 3 implementations that I can use, but I still
need to find time to actually choose and integrate it.

Michael.
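
Added example (not part of the original thread, and not FPC or Google code): a pre-flight check that a JWT's header "alg" is one the intended consumer accepts, using only the algorithm support quoted above. The consumer labels, function names and sample token are assumptions made for this sketch; it inspects the header only and does not compute or verify signatures.

```python
import base64
import json

# Accepted "alg" values per consumer, taken from the thread above.
# The dictionary keys are labels invented for this example.
ALLOWED_ALGS = {
    "oauth2-token-endpoint": {"RS256"},      # "only signing algorithm supported"
    "cloud-iot-core": {"RS256", "ES256"},    # both listed on the IoT JWT page
}

class JWTHeaderError(ValueError):
    """Raised when the header is malformed or names an unaccepted alg."""

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_alg(token: str, consumer: str) -> str:
    """Return the header's alg if `consumer` accepts it, else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTHeaderError("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        raise JWTHeaderError("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise JWTHeaderError("header has no string 'alg' field")
    alg = header["alg"]
    # Exact, case-sensitive match; unknown consumers accept nothing.
    if alg not in ALLOWED_ALGS.get(consumer, frozenset()):
        raise JWTHeaderError(f"alg {alg!r} not accepted by {consumer}")
    return alg

def is_accepted(token: str, consumer: str) -> bool:
    try:
        check_alg(token, consumer)
        return True
    except JWTHeaderError:
        return False

def make_sample_token(alg: str) -> str:
    """Constructed token with a placeholder signature, for the checks only."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode("ascii")
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc({'iss': 'svc@example.invalid'})}.c2ln"
```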