Skip to content

fix(idtoken): avoid double impersonation in tokenSourceFromBytes #3576

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
quartzmo merged 5 commits into from
Apr 28, 2026
+49 −1
Merged

fix(idtoken): avoid double impersonation in tokenSourceFromBytes #3576

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c820d42
fix(idtoken): avoid double impersonation in tokenSourceFromBytes
quartzmo Apr 22, 2026
1f6c3b7
Merge branch 'main' into auth-id-token-bugs
quartzmo Apr 23, 2026
2db8490
Merge branch 'main' into auth-id-token-bugs
quartzmo Apr 24, 2026
f5e1010
Merge branch 'main' into auth-id-token-bugs
hongalex Apr 27, 2026
12b2e75
Merge branch 'main' into auth-id-token-bugs
quartzmo Apr 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 49 additions & 1 deletion idtoken/idtoken.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -231,7 +231,19 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
TargetPrincipal: account,
IncludeEmail: true,
}
ts, err := impersonate.IDTokenSource(ctx, config, option.WithAuthCredentialsJSON(credType, data))

baseData, err := baseDataForImpersonation(credType, data)
if err != nil {
return nil, err
}

var opts []option.ClientOption
opts = append(opts, option.WithCredentialsJSON(baseData))
if ds.HTTPClient != nil {
opts = append(opts, option.WithHTTPClient(ds.HTTPClient))
}

ts, err := impersonate.IDTokenSource(ctx, config, opts...)
if err != nil {
return nil, err
}
Expand All @@ -241,6 +253,42 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
}
}

// baseDataForImpersonation extracts or recreates non-impersonated credentials
// from the provided JSON data to avoid double impersonation. The problem is
// that passing the entire credential JSON causes the lower layers to
// automatically build an authenticated HTTP client that is already impersonated.
// To fix this, we extract the non-impersonated source credentials or remove the
// impersonation instructions before creating the client. This avoids leaky
// abstractions and respects the separation of concerns by letting the lower
// layers act as general loaders while handling the specific needs of idtoken
// generation here.
func baseDataForImpersonation(credType credentialstype.CredType, data []byte) ([]byte, error) {
var baseData []byte
if credType == ImpersonatedServiceAccount {
type source struct {
SourceCredentials json.RawMessage `json:"source_credentials"`
}
var s source
if err := json.Unmarshal(data, &s); err != nil {
return nil, err
}
baseData = s.SourceCredentials
} else {
// For ExternalAccount, we remove the service_account_impersonation_url
var m map[string]interface{}
if err := json.Unmarshal(data, &m); err != nil {
return nil, err
}
delete(m, "service_account_impersonation_url")
var err error
baseData, err = json.Marshal(m)
if err != nil {
return nil, err
}
}
return baseData, nil
}

// WithCustomClaims optionally specifies custom private claims for an ID token.
func WithCustomClaims(customClaims map[string]interface{}) ClientOption {
return withCustomClaims(customClaims)
Expand Down
Loading