Support id_token for JWT path #123

Open
gfrankliu opened this issue Jul 28, 2021 · 3 comments
@gfrankliu

I tried to generate an id_token to test Google Cloud Run, but

```
oauth2l fetch --type=jwt --audience="https://hello-my-cloud-run.a.run.app" --credentials=$HOME/Documents/my-service-account-private-key.json --output_format=json
{
  "access_token": ".......",
  "expiry": "2021-07-28T01:07:05.242408872-07:00",
  "token_type": "Bearer"
}
```

It only outputs the access_token, but no id_token.

I tried this token in curl against my Cloud Run URL and got an error:

```
< www-authenticate: Bearer error="invalid_token" error_description="The access token could not be verified"
```

@andyrzhao
Collaborator

Hi @gfrankliu, can you see if this is the same issue as #119? If so, it should have been fixed in release 1.2.1, and you could try again with the updated binary. Thanks!

@gfrankliu
Author

Yesterday I tried both the prebuilt binary from https://storage.googleapis.com/oauth2l/latest/linux_amd64.tgz and a binary I built myself from the latest source (master). Same results.

@andyrzhao
Collaborator

Discussed with @gfrankliu offline and came up with the following findings:

  1. oauth2l currently only supports retrieving id_token for the 3LO path (client id credentials) & openid scopes. The id_token that @gfrankliu is looking for is JWT based (using service account credentials) and is supported by the gcloud tool: https://medium.com/google-cloud/easily-generate-google-signed-id-token-with-token-generator-d25b7e235f2e. This is a feature gap for oauth2l. We will use this issue to track this feature support.
  2. There are some bugs with id_token caching that will be fixed by PR #124 (Bug fixes for JWT with scope and token extras).

@andyrzhao andyrzhao changed the title is id_token supported? Support id_token for JWT path Jul 30, 2021
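
Added example, not part of the original thread and not oauth2l code: a quick check of which kind of bearer token a command returned before it is sent to Cloud Run. It reads the claims without verifying the signature (diagnosis only) and assumes a `--type=jwt` token is self-signed by the service account (`iss` equal to `sub`, ending in `.gserviceaccount.com`) while a Google-signed ID token has `iss` `https://accounts.google.com`; the sample tokens, account name and function names are constructed.

```python
import base64
import json

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    json.loads(_b64url_decode(parts[0]))  # the header must parse as JSON too
    return json.loads(_b64url_decode(parts[1]))

def classify(token, expected_audience):
    """Name the kind of bearer token, judged only by its unverified claims."""
    try:
        claims = decode_claims(token)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "opaque-access-token"
    if not isinstance(claims, dict):
        return "unknown-jwt"
    iss, sub, aud = claims.get("iss"), claims.get("sub"), claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if isinstance(iss, str) and iss in GOOGLE_ISSUERS:
        if expected_audience in audiences:
            return "google-signed-id-token"
        return "id-token-wrong-audience"
    if isinstance(iss, str) and iss == sub and iss.endswith(".gserviceaccount.com"):
        return "self-signed-service-account-jwt"
    return "unknown-jwt"

def _make_sample(claims):
    # Constructed token: real header/payload encoding, placeholder signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])

AUD = "https://hello-my-cloud-run.a.run.app"  # audience used in the issue
SA = "tester@example-project.iam.gserviceaccount.com"  # constructed account
SELF_SIGNED = _make_sample({"iss": SA, "sub": SA, "aud": AUD})
ID_TOKEN = _make_sample({"iss": "https://accounts.google.com", "sub": "1234567890", "aud": AUD})

if __name__ == "__main__":
    for name, tok in [("self-signed", SELF_SIGNED), ("id_token", ID_TOKEN), ("opaque", "ya29.constructed")]:
        print(name, "->", classify(tok, AUD))
```

The classification is a debugging aid only; a service that accepts these tokens still has to verify the signature against the issuer's published keys.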