Ru Hasha

Reputation: 956

Using the `gcloud` CLI to prove a user's identity

I want to know whether it's possible to verify a user's identity using the gcloud command.

The first idea I had was to ask them to run gcloud auth list, which gives output similar to:

$ gcloud auth list
       Credentialed Accounts
ACTIVE  ACCOUNT
*       [email protected]

To set the active account, run:
    $ gcloud config set account `ACCOUNT`

The problem with this approach is that a user can just edit the output to lie about their identity (e.g. bob.ross can just replace their name with john.smith to fake the proof).

The gcloud CLI also has print-access-token and print-identity-token... Is it possible to use these tokens to check if a user is who they really say they are?

I've tried googling, but haven't found anything relevant yet... most articles just point you to gcloud auth login 😞...

Upvotes: 0

Views: 174

Answers (1)

John Hanley

Reputation: 81376

You can use print-identity-token and then verify the OIDC Identity Token signature using the public certificate. That would verify the identity (email address) the user authenticated with in Google. The user cannot modify the contents without invalidating the signature.

There are many articles about how to verify OIDC token signatures including answers on Stack Overflow.

You are using the wording User's Identity. You can only verify the identity stored in Google. Google does not verify who a user says they are (in most cases) such as matching a driver's license, passport, etc.

Upvotes: 3
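As an added, offline illustration of the answer's approach (not code from the question or the answer): the token from `gcloud auth print-identity-token` is an RS256-signed JWT, so the verifier splits it into header, payload and signature, looks up the public key named by the header's `kid`, checks the RSA signature over `header.payload`, and only then trusts the claims (`iss`, `aud`, `exp`, `email_verified`, `email`). In production the `keys` map is populated from Google's JWKS document at https://www.googleapis.com/oauth2/v3/certs (the public certificates the answer refers to) and re-fetched when an unknown `kid` shows up; here `MintToken` stands in for Google's signer so the example runs without network access. `MintToken`, `Tamper`, the key id `demo-kid`, the audience `demo-client-id` and the `example.com` addresses are all constructed for this demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the ID token payload this verifier checks.
type Claims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Exp           int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeSegment(s string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyIDToken returns the email from token if its RS256 signature checks out under the
// key named by the header's kid (keys stands in for Google's JWKS) and the claims are acceptable.
func VerifyIDToken(token string, keys map[string]*rsa.PublicKey, audience string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token: want header.payload.signature")
	}
	var hdr map[string]string
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return "", fmt.Errorf("bad header: %w", err)
	}
	key, ok := keys[hdr["kid"]]
	switch {
	case hdr["alg"] != "RS256": // pin the algorithm; the token must not choose "none" or HMAC
		return "", fmt.Errorf("unexpected alg %q", hdr["alg"])
	case !ok:
		return "", fmt.Errorf("unknown kid %q", hdr["kid"])
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	// Only once the signature holds do the claims mean anything.
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return "", fmt.Errorf("bad payload: %w", err)
	}
	switch {
	case c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com":
		return "", fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return "", fmt.Errorf("token minted for audience %q, not %q", c.Aud, audience)
	case !now.Before(time.Unix(c.Exp, 0)):
		return "", fmt.Errorf("token expired")
	case !c.EmailVerified:
		return "", fmt.Errorf("email not verified by Google")
	}
	return c.Email, nil
}

// MintToken stands in for Google's signer so the example runs offline (demo only);
// a real verifier never holds the private key.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	payload, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Tamper is the bob.ross -> john.smith edit from the question applied to the token (demo only).
func Tamper(token, newEmail string) string {
	parts := strings.Split(token, ".")
	var c map[string]any
	_ = decodeSegment(parts[1], &c)
	c["email"] = newEmail
	edited, _ := json.Marshal(c)
	return parts[0] + "." + b64(edited) + "." + parts[2]
}
```

With a real token the user would run `gcloud auth print-identity-token` and hand you the string; decode one such token first to see which `aud` it carries and pin that value, because a signature check without an audience check accepts any valid Google ID token. Keep in mind that the identity token is a bearer credential valid for about an hour, so the person proving their identity is also handing you something that can act as them toward any service that trusts that audience.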
