jo...@google.com <jo...@google.com> #2
Hello,
Thank you for reaching out. I'm going to create an internal feature request. Please keep in mind that this feature request has to be analyzed and considered by the product team and I can't provide you an ETA for it to be delivered. However, you can keep track of the status by following this thread.
Description
The customer is using Custom Token authentication for Identity Platform users in a multi-tenancy setup, and would like to have more granular control, via the API key, over how Google Cloud users and service accounts can interact with tenants as separate entities.
Issue:
When a Service Account is given permission to generate tokens for a *specific* tenant, the Service Account is then able to generate tokens for *every* tenant in the Project, as well as all Project users. GCP does not provide the ability to restrict a Service Account on a per-tenant basis at either the IAM or the API level.
The Service Account makes a call on the SignInWithCustomToken API using a “tenant_id” to create tenant tokens. This API endpoint is a public endpoint, meaning that it only requires authentication via the JSON Web Token of the Google Cloud Project, but not the IAM token. This causes all tenants to be under one “tenant_id”, and not under multiple, separate “tenant_id” values.
There are currently no workarounds.
Intended Outcome, if implemented:
1. Provide SA Private Keys to a user to generate ID tokens for only their tenants in Identity Platform
2. Tokens authenticate across Microservices
3. The Private Key is given to the user for their tenant(s)
4. The user should be able to generate ID tokens *only* for their tenant(s) after passing through the SignInWithCustomToken API with an API key
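To make the mechanism in the description concrete, here is an added example that is not code from this thread or from Google's SDKs. It mints an Identity Platform custom token (an RS256 JWT carrying `uid` and `tenant_id`, signed with the service account's private key) and then performs the checks that are actually bound to that token: signature against the service account key, audience and expiry. It assumes a locally generated RSA key standing in for the service account key, the placeholder service account e-mail `sa@example-project.iam.gserviceaccount.com`, and made-up tenant IDs; it does not call the SignInWithCustomToken endpoint. The point it shows is that `tenant_id` is chosen by whoever holds the key and nothing in the signature ties the key to one tenant, which is the gap the feature request describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Audience that Identity Platform / Firebase Auth expects in a custom token.
const customTokenAudience = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"

// CustomTokenClaims is the payload of a custom token. tenant_id is the claim
// that scopes the resulting Identity Platform session to one tenant.
type CustomTokenClaims struct {
	Iss      string `json:"iss"`
	Sub      string `json:"sub"`
	Aud      string `json:"aud"`
	Iat      int64  `json:"iat"`
	Exp      int64  `json:"exp"`
	UID      string `json:"uid"`
	TenantID string `json:"tenant_id,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintCustomToken signs an RS256 custom token with the service account's
// private key. tenant_id is whatever the caller passes: the signature binds
// the token to the key (and so to the project), never to a tenant.
func MintCustomToken(key *rsa.PrivateKey, saEmail, uid, tenantID string, now time.Time) (string, error) {
	if uid == "" || len(uid) > 128 {
		return "", fmt.Errorf("uid must be 1-128 characters")
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(CustomTokenClaims{
		Iss: saEmail, Sub: saEmail, Aud: customTokenAudience,
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(), // custom tokens live at most one hour
		UID: uid, TenantID: tenantID,
	})
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyCustomToken performs the checks that are bound to the token itself:
// RS256 signature against the service account's public key, audience, expiry
// and a non-empty uid. Note what is absent: no check of which tenant_id the
// signer chose, so any tenant in the project is accepted.
func VerifyCustomToken(pub *rsa.PublicKey, token string, now time.Time) (*CustomTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c CustomTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Aud != customTokenAudience {
		return nil, fmt.Errorf("wrong audience")
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	if c.UID == "" {
		return nil, fmt.Errorf("missing uid")
	}
	return &c, nil
}

// TenantsAcceptedWith shows the issue from the thread: with one key, a token
// for every listed tenant verifies. It returns the accepted tenant IDs.
func TenantsAcceptedWith(key *rsa.PrivateKey, saEmail string, tenants []string) ([]string, error) {
	var accepted []string
	now := time.Now()
	for _, t := range tenants {
		tok, err := MintCustomToken(key, saEmail, "user-"+t, t, now)
		if err != nil {
			return nil, err
		}
		c, err := VerifyCustomToken(&key.PublicKey, tok, now)
		if err != nil {
			return nil, err
		}
		accepted = append(accepted, c.TenantID)
	}
	return accepted, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the SA key
	accepted, err := TenantsAcceptedWith(key, "sa@example-project.iam.gserviceaccount.com", []string{"tenant-a", "tenant-b"})
	fmt.Println(accepted, err)
}
```

Running it prints both tenant IDs: the same key mints a token that verifies for either tenant, and the only thing that would stop a token for a tenant the key holder should not touch is a tenant-aware check that today does not exist on the IAM or API side.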