Re: [fpc-devel] Google APIs - Authenticate using a service account?

2022-03-14 Thread Michael Van Canneyt via fpc-devel




On Sun, 13 Mar 2022, Wayne Sherman via fpc-devel wrote:

> On Tue, Jun 30, 2020 at 12:47 AM Michael Van Canneyt wrote:
>> The problem with the service account is that you must create a JWT Token.
>> FPC does not yet have a unit that can generate *and sign* a JWT Token.
>
> I had a little time this weekend and started looking into this again.
> I was happy to discover these recent developments:
>
> *Some new hash and elliptic curve crypto files*
> https://gitlab.com/freepascal.org/fpc/source/-/tree/main/packages/fcl-hash/src
>
> *Commit which adds support for Java Web Token (JWT) signing*
> https://gitlab.com/freepascal.org/fpc/source/-/commit/47610d5c651a232a2061a44e2358b147ba65ff1c
> (fpjwt.pp has new TJWTKey record, TJWTSigner class, and new
> methods TJWT.Sign and TJWT.ValidateJWT)
>
> *Commit which adds ES256 JWT signing*
> https://gitlab.com/freepascal.org/fpc/source/-/commit/5afaeaa3ac813e5682d0da9de7d17454a4771d2c
> (ES256 signing can be used for Google API service accounts)

Yes. I would still like to see if we can integrate the OAuth of the google API and
the JWT signing more closely, possibly through some extra classes.

> Thank you Michael Van Canneyt.  :-)

You're welcome. We're slowly improving things.

There is more to come, but I am doing a round-robin on the many areas I am active
in, so it may be some weeks before I come back to this... :-)

Michael.
___
fpc-devel maillist  -  fpc-devel@lists.freepascal.org
https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel


Re: [fpc-devel] Google APIs - Authenticate using a service account?

2022-03-14 Thread Wayne Sherman via fpc-devel
On Mon, Mar 14, 2022 at 3:45 AM Michael Van Canneyt wrote:
> Yes. I would still like to see if we can integrate the OAuth of the google API and
> the JWT signing more closely, possibly through some extra classes.

The paint is still wet on the JWT signing code, so I figured there was
some more integration to do.  I started investigating the "googleapiconv"
program, the googleapi examples, and generated API files (which are
about 5 years old).  I discovered some issues.  I will send a report in
another email.

> There is more to come, but I am doing a round-robin on the many areas I am
> actively working on in, so it may be some weeks before I come back to this... :-)

Understood.  Thanks for your work.

Wayne


Re: [fpc-devel] Google APIs - Authenticate using a service account?

2022-03-14 Thread Wayne Sherman via fpc-devel
On Mon, May 10, 2021 at 7:08 PM Wayne Sherman wrote:
> The Google API supports the following signing algorithms:
> https://cloud.google.com/iot/docs/how-tos/credentials/jwts
>
> - JWT RS256 (RSASSA-PKCS1-v1_5 using SHA-256 RFC 7518 sec 3.3). This
>   is expressed as RS256 in the alg field in the JWT header.
> - JWT ES256 (ECDSA using P-256 and SHA-256 RFC 7518 sec 3.4), defined
>   in OpenSSL as the prime256v1 curve. This is expressed as ES256 in the
>   alg field in the JWT header.

My statement above about ES256 does not appear to be correct.  After
looking over Google's API docs again, I discovered that JWTs signed
using ES256 are only supported on a few of their services (?).  (e.g.
Cloud IoT Core, Identity-Aware Proxy, and Cloud Security Token)

ES256 support was added to the google API python auth library here:
 https://github.com/googleapis/google-auth-library-python/pull/340

 See also:
 https://github.com/googleapis/google-auth-library-python/search?q=es256
 https://github.com/googleapis/google-api-dotnet-client/search?q=es256

But according to this page:

 *Computing the signature*
 
https://developers.google.com/identity/protocols/oauth2/service-account#httprest

 "The signing algorithm in the JWT header must be used when computing the
 signature. The *only signing algorithm supported* by the Google OAuth 2.0
 Authorization Server *is RSA using SHA-256 hashing* algorithm. This is
 expressed as RS256 in the alg field in the JWT header."
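Added example (not part of the thread, and not FPC or Google code): a Python preflight check for the rule quoted above, that Google's OAuth 2.0 authorization server accepts only RS256 in the JWT header. The claim names, the `aud` endpoint, the account name and the scope are assumptions about the service-account flow with constructed placeholder values; no signature is computed here.

```python
import base64
import json
import time

# Per the Google page quoted above: the OAuth 2.0 server accepts RS256 only.
OAUTH_ALLOWED_ALGS = frozenset({"RS256"})


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(alg: str, claims: dict) -> str:
    """Return '<header>.<claims>', the text the signer must sign."""
    header = {"alg": alg, "typ": "JWT"}
    return ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, claims))


def header_alg(token: str) -> str:
    """Read 'alg' from the header of a signing input or a compact JWT."""
    segments = token.split(".")
    if len(segments) not in (2, 3):
        raise ValueError("expected 2 or 3 dot-separated segments")
    header = json.loads(b64url_decode(segments[0]))  # ValueError if malformed
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise ValueError("JWT header has no 'alg' string")
    return header["alg"]


def usable_for_oauth(token: str) -> bool:
    """True only if the header declares an algorithm the OAuth server accepts."""
    try:
        return header_alg(token) in OAUTH_ALLOWED_ALGS
    except ValueError:
        return False


# Constructed sample claims: account name and scope are placeholders (assumptions).
NOW = int(time.time())
SAMPLE_CLAIMS = {"iss": "svc@example-project.iam.gserviceaccount.com",
                 "scope": "https://www.googleapis.com/auth/devstorage.read_only",
                 "aud": "https://oauth2.googleapis.com/token",
                 "iat": NOW, "exp": NOW + 3600}
```

Running `usable_for_oauth(signing_input("ES256", SAMPLE_CLAIMS))` returns `False`, which is the mismatch the message above describes for service-account tokens sent to the OAuth server.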