This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Authenticating Google AppEngine service accounts #132

Open
bbassingthwaite opened this issue Aug 4, 2015 · 1 comment

@bbassingthwaite

Hi,

I am looking to use oauth2_proxy to secure services that are accessed from our App Engine application. Each application is provided a service account that is used for any OAuth calls that are made from the application. There are also APIs provided to get the service account name and a token for a specified scope.

Here is a Python script that, if run on the App Engine application, would pass the assert call.

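```python
import json
from google.appengine.api import app_identity, urlfetch

# Request an access token for the app's service account, scoped to its email address.
access_token, _ = app_identity.get_access_token(['https://www.googleapis.com/auth/userinfo.email'])
# Ask Google which account the token belongs to.
json_data = json.loads(
    urlfetch.fetch(
        'https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token={}'.format(access_token)
    ).content
)

# The email Google reports matches the app's service account name.
assert app_identity.get_service_account_name() == json_data['email']
```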

I am wondering if there is a way today for us to pass the access token and the service account name so that oauth2_proxy will validate with Google that the supplied service account is in the authenticated-emails-file?

Thanks!
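
The receiving side of the check described above, as an added example that is not part of the original issue and is not oauth2_proxy code: a Python 3 sketch that resolves the token to an email through the same userinfo endpoint and compares it with an allowlist. The function names, the one-address-per-line file format, and the presence of `email` and `verified_email` in the response are assumptions.

```python
import json
import urllib.request

# Same endpoint as the script in the issue; the token is sent in a header here
# so it does not end up in URL logs.
USERINFO_URL = "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"


def load_allowed_emails(text):
    """Parse an allowlist: one address per line, blank lines ignored (assumed format)."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def fetch_userinfo(access_token):
    """Ask Google which account the access token belongs to."""
    req = urllib.request.Request(
        USERINFO_URL, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


def authorize(access_token, claimed_account, allowed, fetch=fetch_userinfo):
    """Return the verified email if the caller may proceed, else None."""
    try:
        info = fetch(access_token)
    except (OSError, ValueError):
        return None  # rejected token, network error or bad JSON: fail closed
    email = str(info.get("email", "")).lower()
    if not email or info.get("verified_email") is not True:
        return None
    # The caller-supplied name is only a consistency check; the identity used
    # for the allowlist decision is the one Google returned for the token.
    if email != claimed_account.strip().lower():
        return None
    return email if email in allowed else None
```

The userinfo lookup shows which account a token belongs to, not that the token was issued for this particular service, so a token the same account presented elsewhere would pass the same check.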

@merland

merland commented May 16, 2016

Hi. Did you ever solve this? I am trying to do almost the same thing. Would be really nice if oauth2_proxy could handle this.
