Feature Request: Ability to specify an OAuth audience to InstalledAppFlow.run_local_server #299

Closed
keriwarr opened this issue Aug 2, 2023 · 3 comments · Fixed by #300

keriwarr commented Aug 2, 2023

Is your feature request related to a problem? Please describe.

I'm using Google's Identity Aware Proxy to provide an OAuth layer. When programmatically accessing an IAP protected resource, one is expected to provide a specific audience to the call to get an access token (source). AFAICT this is not currently possible with InstalledAppFlow.run_local_server.

Describe the solution you'd like

A new argument to run_local_server that passes the audience through to the fetch_token call

Describe alternatives you've considered

not aware of any alternatives

Additional context

I've got this setup working internally with a live IAP application, having copied the body of run_local_server and modified it as above.

@clundin25
Contributor

> to the call to get an access token

Can you expand on this? It seems to me that this change doesn't have to do with the access token, but that you need an identity token bound to the IAP client audience, correct?

keriwarr commented Aug 14, 2023

@clundin25 I'm not an OAuth expert so bear with me, but my understanding is that the call to self.fetch_token here returns an "access token". If I try to use this flow without my patch, I get an "incorrect audience" error from IAP when I try to access the IAP protected resource using the id_token. I'm not exactly sure what an identity token is.

edit: yes, the id_token, that's right.

out of curiosity, why is it called an id_token? It is structurally/behaviourally equivalent to an "access token" in standard OAuth Client Credentials terminology, right?

@clundin25
Contributor

id_token is used for Authentication (Proof of identity). access_token is used for Authorization (Permission to use a resource).

I just wanted to follow up because there was some confusion surrounding why the audience was needed.

Thanks for upstreaming this!
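
The "incorrect audience" error discussed in this thread can be diagnosed on the client by inspecting the id_token's aud claim before sending it to IAP. The following is an added example, not code from the thread or from google-auth-oauthlib; the client IDs and tokens are constructed placeholders, and it assumes the id_token is a compact JWT whose aud claim is what the protected resource compares against its own client ID.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT checking the signature.
    Diagnostic use only: never base a trust decision on these claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def audience_matches(id_token: str, expected_audience: str) -> bool:
    """True if aud names expected_audience. Per RFC 7519 section 4.1.3,
    aud is either a single string or a list of strings."""
    aud = unverified_claims(id_token).get("aud")
    if isinstance(aud, str):
        return aud == expected_audience
    if isinstance(aud, list):
        return expected_audience in aud
    return False  # missing or malformed aud never matches


def make_sample_token(claims: dict) -> str:
    # Builds a constructed sample token; the signature is a placeholder.
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


# Hypothetical client IDs (placeholders, not real values).
DESKTOP_CLIENT_ID = "desktop-client.example"
IAP_CLIENT_ID = "iap-client.example"
# Assumption: without an audience parameter, aud is the requesting client's ID.
TOKEN_DEFAULT = make_sample_token({"aud": DESKTOP_CLIENT_ID, "sub": "1234"})
TOKEN_FOR_IAP = make_sample_token({"aud": IAP_CLIENT_ID, "sub": "1234"})

if __name__ == "__main__":
    for name, tok in (("default", TOKEN_DEFAULT), ("for IAP", TOKEN_FOR_IAP)):
        print(name, unverified_claims(tok)["aud"], audience_matches(tok, IAP_CLIENT_ID))
```
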
