When you authenticate a user by using OpenID Connect and request the
email scope, most identity providers add two additional claims to the ID Token,
email claim does not need much explanation – but what about
email_verified, what does this claim indicate and how does Google populate it?
If your plan is to develop a tool or desktop app instead of a server-side application, the benefits of application default credentials are less obvious and reusing the user’s personal gcloud credentials instead might seem attractive. But there are some pitfalls.
Once you’ve signed in on google.com, the
Cloud Console, or any other Google site,
your browser session remains valid for multiple days. Not being prompted to sign
in over and over again is convenient and at least in typical consumer scenarios,
the risk that comes along with keeping the session is limited.
Things can look different in a corporate scenario where users might have access
to sensitive data. Keeping sessions alive for 14 days (which is the default)
might seem a little risky and might not be in line with an enterprise’s idea
of security. G Suite Business and Cloud Identity Premium therefore allow you to
change the default session length
to a different period such as 8 hours. This setting applies to all Google services, not only GCP.
Recently, Google introduced another way to control session lifetime by allowing
you to control the session length for Cloud Console and gcloud sessions.