Open
Description
This feature would provide the ability for ServiceAuthCentral to vend GCP tokens directly through Workload Identity Federation (WIF). The goal is to enable clients to obtain a GCP token in a single API request, simplifying the interaction by removing the need for the client to make multiple API calls itself.
Token Types:
The API should support the following token types from GCP:
- Access Token for WIF: Provides the federated access token directly from GCP's workload identity federation (STS) token exchange.
- Access Token for GCP Service Account Impersonation: Requires specifying the service account to impersonate, granting access as that service account.
- Identity Token for a GCP Service Account: Requires specifying both the service account email and audience for the identity token, allowing authentication with GCP services.
Requirements:
- A single API call, authenticated with either client credentials or a JWT bearer assertion, that returns the GCP token directly rather than the ServiceAuthCentral JWT.
- Multiple WIF support: the audience for each WIF request should be configurable, and clients must be set up to work with Workload Identity Federation.
Open Questions:
- Determining whether this functionality should be part of the existing token endpoint or implemented as a separate API (or multiple APIs) is still under consideration.
- Identify any relevant RFCs or standards that should be adhered to, to avoid inventing too much proprietary technology here.
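The chain of calls the single endpoint would have to collapse, as an added example that is not ServiceAuthCentral's own code: the client's JWT is exchanged at the GCP STS (which already implements the RFC 8693 token exchange grant), and the resulting federated token is then presented to the IAM Credentials API for service account impersonation or an identity token. The endpoint URLs and request/response field names are GCP's documented ones; the function names, the token type labels, the allow-list parameter, the `FakeGcp` transport and all sample values (audience, service account, tokens) are assumptions constructed so the example runs offline.

```python
"""Vend a GCP token through Workload Identity Federation in one call.

Added example (not ServiceAuthCentral code). Endpoint URLs and field names are
GCP's documented STS and IAM Credentials APIs; the HTTP transport is injected
so the flow can be exercised offline against the constructed FakeGcp below.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_URL = (
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{email}:{method}"
)
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Transport signature (assumption): post(url, headers, json_body) -> parsed JSON response.
Transport = Callable[[str, Dict[str, str], Dict[str, object]], Dict[str, object]]


def exchange_for_wif_token(subject_jwt: str, wif_audience: str, post: Transport) -> str:
    """Step 1: RFC 8693 token exchange at the GCP STS.

    wif_audience is the workload identity pool provider resource name
    (//iam.googleapis.com/projects/NUM/locations/global/workloadIdentityPools/POOL/providers/PROVIDER).
    """
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": wif_audience,
        "scope": CLOUD_PLATFORM_SCOPE,
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": subject_jwt,
    }
    resp = post(STS_URL, {"Content-Type": "application/json"}, body)
    return str(resp["access_token"])


def vend_gcp_token(
    token_type: str,
    subject_jwt: str,
    wif_audience: str,
    post: Transport,
    service_account: Optional[str] = None,
    id_audience: Optional[str] = None,
    allowed_service_accounts: Optional[Set[str]] = None,
) -> Dict[str, str]:
    """Single entry point covering the three token types from the issue.

    token_type is one of "wif_access_token", "sa_access_token", "sa_id_token"
    (labels are an assumption). allowed_service_accounts models the per-client
    authorization the vending service must enforce: IAM only knows the pool
    principal, so deciding which client may impersonate which SA is our job.
    """
    federated = exchange_for_wif_token(subject_jwt, wif_audience, post)
    if token_type == "wif_access_token":
        return {"token": federated, "token_type": "Bearer"}

    if not service_account:
        raise ValueError("service_account is required for %s" % token_type)
    if allowed_service_accounts is not None and service_account not in allowed_service_accounts:
        raise PermissionError("client is not allowed to impersonate %s" % service_account)

    auth = {"Authorization": "Bearer " + federated, "Content-Type": "application/json"}
    if token_type == "sa_access_token":
        url = IAM_CREDENTIALS_URL.format(email=service_account, method="generateAccessToken")
        resp = post(url, auth, {"scope": [CLOUD_PLATFORM_SCOPE], "lifetime": "3600s"})
        return {"token": str(resp["accessToken"]), "token_type": "Bearer",
                "expire_time": str(resp["expireTime"])}
    if token_type == "sa_id_token":
        if not id_audience:
            raise ValueError("id_audience is required for sa_id_token")
        url = IAM_CREDENTIALS_URL.format(email=service_account, method="generateIdToken")
        resp = post(url, auth, {"audience": id_audience, "includeEmail": True})
        return {"token": str(resp["token"]), "token_type": "id_token"}
    raise ValueError("unknown token_type %r" % token_type)


class FakeGcp:
    """Constructed stand-in for the STS and IAM Credentials endpoints.

    Records every request and returns sample responses shaped like GCP's;
    the token strings are placeholders, not real credentials.
    """

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, str], Dict[str, object]]] = []

    def post(self, url: str, headers: Dict[str, str], body: Dict[str, object]) -> Dict[str, object]:
        self.calls.append((url, headers, body))
        if url == STS_URL:
            if body.get("grant_type") != "urn:ietf:params:oauth:grant-type:token-exchange":
                raise ValueError("STS expects the RFC 8693 token-exchange grant")
            if not str(body.get("audience", "")).startswith("//iam.googleapis.com/projects/"):
                raise ValueError("audience must be a workload identity pool provider")
            return {"access_token": "federated-token", "token_type": "Bearer",
                    "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
                    "expires_in": 3599}
        if headers.get("Authorization") != "Bearer federated-token":
            raise PermissionError("iamcredentials call without the federated bearer token")
        if url.endswith(":generateAccessToken"):
            return {"accessToken": "sa-access-token", "expireTime": "2030-01-01T00:00:00Z"}
        if url.endswith(":generateIdToken"):
            return {"token": "sa-id-token-for-" + str(body["audience"])}
        raise ValueError("unexpected URL " + url)


# Constructed sample inputs (not real GCP resources).
SAMPLE_AUDIENCE = ("//iam.googleapis.com/projects/123456789/locations/global/"
                   "workloadIdentityPools/sac-pool/providers/sac-provider")
SAMPLE_SA = "api-runner@example-project.iam.gserviceaccount.com"
```

The federated token from step 1 never reaches the client when it asked for an impersonated or identity token; only the final token is returned, and the allow-list check runs before any impersonation call is made.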