Add AIPs describing workload credentials and mTLS token binding flows (#945)

Author: cesarghali

aip/auth/4110.md

@@ -88,8 +88,8 @@ For example, the `GOOGLE_APPLICATION_CREDENTIALS` environment variable can provi
 the default credential JSON as the input here, or the well-known path that
 gCloud uses to store the default user credential JSON. The output is the access
 token that application can use to access the Google APIs. This access token
-__may__ be a bearer token or a certificate bound token depending on the
-chosen authentication flow.
+__may__ be a bearer token, a certificate-bound token, or an identity-bound token
+depending on the chosen authentication flow.
 
 ## Expected Behavior
 
@@ -104,7 +104,7 @@ digraph d_front_back {
 
   check_env_var [ label="1. Check Environment Variables" ];
   load_credentials [ label="2. Load Credentials" ];
-  check_metadata [ label="3. Check Virtual Machine Credentials" ];
+  check_metadata [ label="3. Check workload credentials" ];
   auth_flows [ label="4. Determine Auth Flows" ];
   execute [ label="5. Execute Auth Flows" ];
 
@@ -127,10 +127,17 @@ digraph d_front_back {
     1. If the credential is [an external account][8] JSON, go to step (4)
     1. If the credential is unknown type, return an error saying that _[END]_
   1. Credentials not found _[END]_
-1. **Check Google Virtual Machine Credentials**
-  1. If true, use the [virtual machine flow][3] to fetch an auth token associated with the current environment
-    1. If target audience is provided by the developer, get an [identity token][7] _[END]_
-    1. Otherwise, get an access token _[END]_
+1. **Check workload credentials (on GCE, GKE, GAE and Serverless)**
+  1. If true,
+    1. If identity binding is enabled, by meeting the requirements in
+       [mTLS Token Binding][9], use the mTLS Token Binding flow to fetch an
+       identity-bound access token _[END]_
+    1. If there is an issue when obtaining bound access tokens, return an error
+       indicating that _[END]_
+    1. If identity binding is not enabled, use the [virtual machine flow][3] to
+       fetch an auth token associated with the current environment
+      1. If target audience is provided by the developer, get an [identity token][7] _[END]_
+      1. Otherwise, get an access token _[END]_
   1. If false, go to step (2.3)
 1. **Determine auth flows**
   1. If the credential is gcloud credential go to step (5.3)
@@ -166,4 +173,5 @@ digraph d_front_back {
 [6]: ./4112
 [7]: ./4116
 [8]: ./4117
+[9]: ./4119
 <!-- prettier-ignore-end -->

aip/auth/4118.md

@@ -0,0 +1,153 @@
+---
+id: 4118
+scope: auth
+state: draft
+created: 2022-09-09
+---
+
+# Mutual Authentication Using Workload Credentials
+
+Mutual TLS (a.k.a mTLS) authentication enables authentication of both client and
+server identities in a TLS handshake. With workload credentials, applications
+running in Google Cloud can authenticate to Google APIs using [X.509 SPIFFE
+Verifiable Identity Documents][0] (SVIDs). These SVIDs are X.509 certificates
+that contain [SPIFFE IDs][1] specifying the identity of the certificate owners.
+mTLS authentication using X.509 SVIDs occurs when the client uses an X.509 SVID
+when performing the TLS handshake.
+
+**Note:** Because this AIP describes guidance and requirements in a
+language-neutral way, it uses generic terminology which may be imprecise or
+inappropriate in certain languages or environments.
+
+## Guidance
+
+If users enable token binding, they **should** do so via [ADC][2]. This section
+describes the general guidance of supporting such authentication.
+
+### Provisioning Workload Credentials in Google Cloud
+
+On Google Cloud, workload credentials should be provisioned using one of the
+following methods:
+
+  - [Set up service security with Envoy][3].
+  - [Set up service security with proxyless gRPC][4].
+
+In order for workload credentials to be properly used, the auth libraries
+**must** support the automatic switching of the service endpoint to its mTLS
+counterpart.
+
+### Using Workload Credentials
+
+Users **should** configure [ADC][2] to use workload credentials via the
+certificate configuration gcloud metadata file. Workload credentials can be
+added as a **"cert_configs"** type as follows:
+
+```json
+{
+  “version”: 1
+  "cert_configs": {
+    "workload": {
+      "cert_path": "path/to/cert/file"
+      "key_path": "path/to/key/file"
+      “workload_identity_provider”: “...”
+      "authenticate_as_identity_type": "gsa/native"
+      “service_account_email”: “...”
+    },
+    "keychain": {
+      ...
+    },
+    "pkcs11": {
+      ...
+    },
+    "windows": {
+      ...
+    },
+  },
+  "libs": {
+   ...
+  }
+}
+```
+
+For Linux and macOS platforms, the above metadata file is located in the
+well-known gcloud config directory at
+**"~/.config/gcloud/certificate_config.json"**. Note that the default location
+of this file can be changed using the `GOOGLE_API_CERTIFICATE_CONFIG`
+environment variable.
+
+The following lists the fields of the **"workload"** certificate info type that
+are relevant to workload credentials:
+
+  - **"cert_path"**: The specified value will be used as the full path to locate
+    the workload certificate file. This file **must** contain a PEM-encoded
+    X.509 certificate chain (ordered from leaf to root) where the leaf
+    certificate is a valid X.509 SVID. The chain __may__ consist of only the
+    leaf certificate.
+  - **"key_path"**: The specified value will be used as the full path to locate
+    the workload private key file. This file must contain a PEM-formatted
+    private key associated with the X.509 certificate specified by
+    **“cert_path”**.
+
+The description of the **"workload_identity_provider"**,
+**"authenticate_as_identity_type"** and **"service_account_email"** fields can
+be found in [mTLS Token Binding][5].
+
+To enable mutual authentication to Google APIs using workload credentials, the
+**"workload"** section and its **"cert_path"** and **"key_path"** values must be
+present in the **"~/.config/gcloud/certificate_config.json"** configuration
+file.
+
+### Expected Behavior
+
+Support for mTLS authentication to Google APIs using workload credentials
+**must** give priority to user mTLS endpoint override via client options. The
+auth libraries **must** follow the steps below:
+
+  - Locate the workload certificate and private key files using the above
+    config file. If one of these files is not present, mTLS using workload
+    credentials may be disabled. The auth libraries **must** check that the
+    public and private keys in the certificate and key files match before
+    passing them to the TLS library.
+      - Occasional mismatches may happen, since during certificate rotation the
+        client library may read the two files while another process is replacing
+        them. In that case, the library **must** retry reading the certificate
+        and private key files and checking their match status, up to a maximum
+        of four attempts. The library **should** wait for 5 seconds between
+        attempts.
+      - If the certificate and private key files are loaded in memory (as
+        opposed to being read from disk for every mTLS connection), the auth
+        libraries **must** periodically reload them (at least every 10 minutes
+        or when the certificate expires) to refresh their copies in memory after
+        the infrastructure rotates them. Refreshing the credentials **must** be
+        done in a background thread and not upon usage.
+  - Configure the TLS library to use the found, and matched, certificate and
+    key for client authentication during the TLS handshake.
+  - If the user specifies the endpoint override via client options, use it as is
+    and connect to the specified endpoint using mTLS.
+  - If the user does not specify the endpoint override, use the default mTLS
+    endpoint if the certificate and key files exist and the default regular
+    endpoint otherwise.
+    
+Note that mTLS 1.3 **must** be the only supported version to preserve client
+identity and certificate confidentiality.
+
+One implication of the above logic is that if the user enables mTLS
+authentication using workload credentials, provides valid certificate and key
+files, and specifies a non-mTLS endpoint override, the client libraries
+**should** use the certificate and key anyway and let the server decide what to
+do. This avoids introducing client-side logic that parses whether the endpoint
+override is an mTLS URL, since the URL pattern may change at any time.
+
+### Obtaining the Default mTLS Endpoint
+
+The default mTLS endpoint for a service **should** be read from the Discovery
+Document field **"mtlsRootUrl"** instead of generated via regex patterns.
+
+<!-- prettier-ignore-start -->
+[0]: https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md
+[1]: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#2-spiffe-identity
+[2]: https://google.aip.dev/auth/4110
+[3]: https://cloud.google.com/traffic-director/docs/security-envoy-setup
+[4]: https://cloud.google.com/traffic-director/docs/security-proxyless-setup
+[5]: https://google.aip.dev/auth/4119
+<!-- prettier-ignore-end -->

aip/auth/4119.md

@@ -0,0 +1,154 @@
+---
+id: 4119
+scope: auth
+state: draft
+created: 2022-09-09
+---
+
+# mTLS Token Binding
+
+Token binding allows issuing Google access tokens that are bound to mTLS
+credentials. The advantage of such mTLS bound tokens is that they are meant to
+only be used over secure channels established via mTLS credentials they are
+bound to. Therefore, using bound tokens is more secure than bearer tokens which
+can be stolen and adversarially replayed.
+
+This AIP describes the flow of (1) obtaining access tokens bound to X.509
+certificate identities, called identity-bound tokens and (2) how to use them to
+access Google APIs using the Google auth libraries.
+
+**Note:** Because this AIP describes guidance and requirements in a
+language-neutral way, it uses generic terminology which may be imprecise or
+inappropriate in certain languages or environments.
+
+## Guidance
+
+If users enable token binding, they **should** do so via [ADC][0]. This section
+describes the general guidance of supporting such tokens.
+
+### Prerequisites
+
+Identity-bound access tokens require that the clients have
+[X.509 SPIFFE Verifiable Identity Documents][1] (SVIDs). [Mutual Authentication
+Using Workload Credentials][2] describes how such SVIDs are provisioned in
+Google Cloud.
+
+Additionally, identity-bound access tokens tokens require configuring a workload
+identity pool and identity provider with Google Cloud's IAM. The instructions on
+how to do this are out of scope of this AIP.
+
+### Using mTLS Token Binding
+
+The auth libraries **must** support the following values in the
+**"~/.config/gcloud/certificate_config.json"** configuration file. Note that the
+default location of this file can be changed using the
+`GOOGLE_API_CERTIFICATE_CONFIG` environment variable.
+
+```json
+{
+  “version”: 1
+  "cert_configs": {
+    "workload": {
+      "cert_path": "path/to/cert/file"
+      "key_path": "path/to/key/file"
+      “workload_identity_provider”: “...”
+      "authenticate_as_identity_type": "gsa/native"
+      “service_account_email”: “...”
+    },
+    "keychain": {
+      ...
+    },
+    "pkcs11": {
+      ...
+    },
+    "windows": {
+      ...
+    },
+  },
+  "libs": {
+   ...
+  }
+}
+```
+
+The following lists the fields relevant to mTLS token binding configuration:
+
+  - **"workload_identity_provider"**: The specified value will be used to
+    populate the request to Security Token Service (STS) to request
+    identity-bound access tokens. This value refers to the fully qualified name
+    of the workload identity pool and identity provider configured in IAM. The
+    specified value **must** be of the following format.
+
+```
+"workload_identity_provider":"//iam.googleapis.com/projects/<project_number>/locations/global/workloadIdentityPools/<pool_identifier>/providers/<provider_identifier>"
+```
+
+  - **"authenticate_as_identity_type"**: This field specifies what identity is
+    used to authenticate to Google APIs. The value can be set to `gsa` or
+    `native`, where `gsa` is the GCP service account of the workload, e.g., the
+    GCP service account of a GCE VM, and `native` is the native workload
+    identity, e.g., the GKE pod kubernetes service account. If not specified,
+    the default value is `gsa`.
+
+  - **"service_account_email"**: If set, the specified value will be used to
+    populate the request to the IAM Credentials service to request
+    identity-bound access tokens. This value refers to the service account email
+    to be used for resource access. If not set, the service account email will
+    be determined automatically by querying the following Metadata Service
+    endpoint:
+    `http://metadata/computeMetadata/v1/instance/service-accounts/default/email`.
+    The value of this field is only relevant if
+    **"authenticate_as_identity_type"** is set to `gsa`.
+
+The description of the **"cert_path"** and **"key_path"** fields can be found in
+[Mutual Authentication Using Workload Credentials][2].
+
+To enable using token binding when communicating with Google APIs the following
+conditions are required:
+
+  - [Mutual Authentication Using Workload Credentials][2] **must** be enabled.
+  - The **"workload_identity_provider"** **must** be present,
+    **"authenticate_as_identity_type"** __may__ be set and
+    **"service_account_email"** __may__ be set in the **"workload"**
+    section of the **"~/.config/gcloud/certificate_config.json"** configuration
+    file.
+
+### Expected Behavior
+
+To support the usage of identity-bound access tokens, the auth libraries
+**must** follow the steps below when sending requests to Google APIs:
+
+  1. Connect to the mTLS endpoint of the [STS API][3] using the workload
+     credentials provisioned as described in [Mutual Authentication Using
+     Workload Credentials][2]. This endpoint **must** be
+     `sts.mtls.googleapis.com`.
+  1. Send an HTTP request to STS’s [ExchangeToken][5] method requesting an
+     identity-bound token using the information in the
+     **"workload_identity_provider"** field in the
+     **"~/.config/gcloud/certificate_config.json"** configuration file. The
+     scope of the requested token **must** be
+     `https://www.googleapis.com/auth/iam`.
+  1. Connect to the mTLS endpoint of the [IAM Credentials Service API][4] using
+     the workload credentials provisioned as described in [Mutual Authentication
+     Using Workload Credentials][2]. This endpoint **must** be
+     `iamcredentials.mtls.googleapis.com`.
+  1. If **"authenticate_as_identity_type"** is set to `gsa`, send an HTTP
+     request to the IAM Credentials Service’s [GenerateAccessToken][6] method
+     requesting an identity bound token asserting the service account email in
+     the **"service_account_email"** field in the
+     **"~/.config/gcloud/certificate_config.json"** configuration file. The
+     scope of this token **must** be the same scope defined by the user for
+     accessing the requested Google API.
+  1. Attach the returned token in Step 4 to the request. Note that this request
+     **must** be sent over an mTLS channel using the same workload credentials
+     in Step 1.
+
+<!-- prettier-ignore-start -->
+[0]: https://google.aip.dev/auth/4110
+[1]: https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md
+[2]: https://google.aip.dev/auth/4118
+[3]: https://cloud.google.com/iam/docs/reference/sts/rest
+[4]: https://cloud.google.com/iam/docs/reference/credentials/rest
+[5]: https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token
+[6]: https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
+<!-- prettier-ignore-end -->