Look Ma, no keys! Signing JWTs with the Google Cloud API
By Google for Developers
Key Concepts
- JWT (JSON Web Token) signing
- Google Cloud API
- Service accounts
- Private key management
- IAM (Identity and Access Management)
- Google Wallet API
- Authentication methods
- Workload Identity Federation
- Short-lived tokens
- Security best practices
Google Wallet Livestream: "Look Ma, No Keys"
Introduction
The livestream focuses on signing JWTs (JSON Web Tokens) for Google Wallet passes using the Google Cloud API without downloading private keys, addressing security concerns associated with managing and distributing private keys. Edson Yanaga emphasizes the importance of minimizing privileges and avoiding private key usage.
The Problem: Private Key Management
- Downloading private keys to development and production environments poses a security risk.
- Accidental exposure of private keys on public repositories (e.g., GitHub) can lead to unauthorized access.
- Companies often have policies against using private keys due to these risks.
Solution: Signing JWTs with Google Cloud API
The livestream demonstrates how to sign JWTs using the Google Cloud API, eliminating the need to download and manage private keys.
Step-by-Step Process
- Create a Service Account:
- Navigate to the Service Accounts section in the Google Cloud Console.
- Create a new service account (e.g., "lookmanokeys").
- Crucially, do not generate or download any keys for this service account.
- Authorize the Service Account for Google Wallet API:
- Go to the Google Pay and Wallet Business Console.
- Add the service account email as a user with "developer" privileges.
- Grant Permissions to the Service Account:
- Navigate to IAM (Identity and Access Management) in the Google Cloud Console.
- Grant the "Service Account Token Creator" role to the service account. This role allows the service account to issue short-lived tokens for signing JWTs.
- Authenticate the Application:
- Authenticate the application (e.g., Java, Node.js, Go, Python) as the service account.
- Multiple authentication methods are available (refer to cloud.google.com/docs/authentication).
- Examples: gcloud CLI login (for development), Workload Identity (for production environments like Kubernetes or Google Cloud Run), Workload Identity Federation (for workloads running on other clouds like Amazon Web Services or Azure).
- The presenter does not delve into the specifics of authentication, suggesting it as a topic for another livestream.
- Sign the JWT using Google Cloud Client Libraries:
- Add the com.google.cloud:google-cloud-iamcredentials dependency to the project (Java example, version 2.59.0 at the time of the livestream).
- Use the IamCredentialsClient class from the Google Cloud client libraries to sign the JWT.
- Create a JSONWebToken.Payload object with the necessary claims (issuer, audience, payload, etc.).
- Create a SignJwtRequest object with the service account name and the JWT payload.
- Call the signJwt method of the IamCredentialsClient to sign the JWT.
- The signed JWT is returned in Base64 encoding.
Code Example (Java)
- The presenter demonstrates a Java project using the Google Cloud client libraries to sign JWTs.
- The code replaces the use of Auth0 libraries and private keys with the IamCredentialsClient.
- The sign method uses the IamCredentialsClient to sign the JWT using the Google Cloud API.
- The signed JWT is then used in an "Add to Google Wallet" link.
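The signing flow from the step-by-step process and the Java code example above, written here as an added Python example (Python is one of the client languages the livestream lists; this is not the presenter's code). It assumes Application Default Credentials are already configured and that the calling principal holds the Service Account Token Creator role on the target service account; the service-account email, origins and gift-card object values are constructed placeholders. The only Google library call is IAMCredentialsClient.sign_jwt from google-cloud-iam, which returns the compact JWT signed with a Google-managed key, so no private key is ever downloaded.

```python
"""Sign a Google Wallet 'savetowallet' JWT through the IAM Credentials API."""
import json
import time

# Prefix of an "Add to Google Wallet" link; the signed JWT is appended to it.
SAVE_LINK_PREFIX = "https://pay.google.com/gp/v/save/"


def service_account_resource(email: str) -> str:
    """Resource name the IAM Credentials API expects; '-' lets the API resolve the project."""
    return f"projects/-/serviceAccounts/{email}"


def build_wallet_claims(issuer_email, wallet_objects, origins, issued_at=None):
    """Claims set for a Wallet save JWT.

    'exp' is not set: the livestream notes these tokens stay valid for seven days
    from issue, so freshness is controlled by signing just before the link is shown.
    """
    return {
        "iss": issuer_email,            # the service account that owns the passes
        "aud": "google",
        "typ": "savetowallet",
        "iat": int(issued_at if issued_at is not None else time.time()),
        "origins": list(origins),       # web origins allowed to host the save button
        "payload": wallet_objects,      # e.g. {"giftCardObjects": [...]}
    }


def sign_wallet_jwt(service_account_email, claims, client=None):
    """Have the IAM Credentials API sign 'claims' with the service account's key.

    'client' may be injected (a fake in tests); otherwise the real
    IAMCredentialsClient is built from Application Default Credentials.
    """
    if client is None:
        # Imported lazily so the pure helpers above work without the library installed.
        from google.cloud import iam_credentials_v1
        client = iam_credentials_v1.IAMCredentialsClient()
    response = client.sign_jwt(
        name=service_account_resource(service_account_email),
        payload=json.dumps(claims),
    )
    return response.signed_jwt


def save_link(signed_jwt: str) -> str:
    """Build the "Add to Google Wallet" link for a signed JWT."""
    return SAVE_LINK_PREFIX + signed_jwt


if __name__ == "__main__":
    # Placeholder identifiers; replace with your issuer id, class and object ids.
    sa_email = "lookmanokeys@my-project.iam.gserviceaccount.com"
    objects = {
        "giftCardObjects": [
            {
                "id": "3388000000000000000.example-gift-card",
                "classId": "3388000000000000000.example-gift-card-class",
                "state": "ACTIVE",
                "cardNumber": "1234",
            }
        ]
    }
    claims = build_wallet_claims(sa_email, objects, ["https://example.com"])
    print(save_link(sign_wallet_jwt(sa_email, claims)))
```

Because the client is injectable, the claim construction and request shape can be exercised offline with a fake client; the real call needs network access and the IAM permission described in the steps above.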
Demo
- The presenter demonstrates the process by creating a gift card pass using the Google Wallet Developer Tool.
- The signed JWT is used to generate an "Add to Google Wallet" link.
- Clicking the link successfully adds the gift card to the Google Wallet.
- The presenter verifies the signed JWT using jwt.io, showing the header, payload, and signature.
Important Considerations
- JWT Expiration: JWTs signed using the Google Cloud API are only valid for seven days (168 hours).
- Best Practices: Issue signed JWTs only when the user is ready to click the "Add to Google Wallet" link. Generate a new link with a fresh signature if the user requests the pass again.
- Security: Google Cloud manages the keys used to sign the JWTs, eliminating the need for organizations to manage private keys.
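The demo's jwt.io check and the seven-day validity note above, as an added Python example that is not part of the livestream: it splits a compact JWT into header, claims and signature the way jwt.io displays them, and decides from the iat claim whether the token is still inside the 168-hour window, which is the check a backend can run before deciding to hand out a cached link or sign a fresh one. It decodes only; it does not verify the signature, which would need the issuer's public key. The sample token is constructed inline with a dummy signature and placeholder issuer.

```python
"""Decode a Wallet JWT for inspection and check its seven-day freshness window."""
import base64
import json

SEVEN_DAYS = 7 * 24 * 60 * 60  # 168 hours, in seconds


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a compact JWS into (header, claims, signature_bytes). No verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, _b64url_decode(parts[2])


def is_still_valid(token: str, now: int) -> bool:
    """True if the token was issued within the last seven days and not in the future."""
    _, claims, _ = decode_jwt(token)
    iat = claims.get("iat")
    if not isinstance(iat, int):
        return False
    return 0 <= now - iat <= SEVEN_DAYS


def needs_fresh_signature(token: str, now: int) -> bool:
    """Mirror of the best practice above: re-sign instead of reusing a stale link."""
    return not is_still_valid(token, now)


def make_sample_jwt(iat: int) -> str:
    """Constructed sample with a dummy signature, for offline demonstration only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-key-id"}
    claims = {
        "iss": "lookmanokeys@my-project.iam.gserviceaccount.com",  # placeholder
        "aud": "google",
        "typ": "savetowallet",
        "iat": iat,
        "payload": {"giftCardObjects": []},
    }
    segments = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    ]
    return ".".join(segments + [_b64url_encode(b"not-a-real-signature")])


if __name__ == "__main__":
    token = make_sample_jwt(1_700_000_000)
    header, claims, signature = decode_jwt(token)
    print("header:", header)
    print("claims:", claims)
    print("signature bytes:", len(signature))
    print("valid one hour later:", is_still_valid(token, 1_700_000_000 + 3600))
    print("valid eight days later:", is_still_valid(token, 1_700_000_000 + 8 * 86400))
```

The freshness check takes the current time as a parameter so it is deterministic; in production pass int(time.time()).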
Q&A
- Cross-Platform SSO: The presenter recommends using Identity Federation for cross-cloud authentication instead of Single Sign-On (SSO) to avoid duplicating credentials and manage permissions more effectively.
- TypeScript Library: The presenter is unsure about a specific TypeScript library but suggests exploring JavaScript libraries and potential compatibility.
- Production Environment Best Practices: The presenter suggests attaching a role to the workload running on Kubernetes or Google Cloud Run and using Workload Identity Federation. He emphasizes consulting with a security expert for specific security advice.
- Google Cloud vs. AWS/Azure: The presenter avoids direct comparisons but encourages users to learn about all options and decide based on their specific needs.
- JWT Signing Differences: The main benefit of using the Google Cloud API is eliminating the need to manage private keys, reducing security risks and management overhead.
Conclusion
The livestream provides a practical demonstration of signing JWTs for Google Wallet passes using the Google Cloud API without private keys. This approach enhances security by eliminating the risks associated with managing and distributing private keys. The presenter emphasizes the importance of understanding the limitations (e.g., JWT expiration) and best practices for using this method in production environments. The key takeaway is that leveraging the Google Cloud API for JWT signing offers a more secure and manageable alternative to traditional private key-based signing.