[auth] hd is not present for iam.gserviceaccount.com (#14114)

danking · illusional · commit 1f306701409f · 2023-12-29T20:42:29.000+11:00
This would seem to violate this [statement about `hd`](https://developers.google.com/identity/openid-connect/openid-connect#id_token-hd): > The absence of this claim indicates that the account does not belong to a Google hosted domain. but alas, that's the truth. They elide `hd` for iam.gserviceaccount.com accounts.
diff --git a/hail/python/hailtop/auth/flow.py b/hail/python/hailtop/auth/flow.py
@@ -152,8 +152,8 @@ async def get_identity_uid_from_access_token(session: httpx.ClientSession, acces
             if not (is_human_with_hail_audience or is_service_account):
                 return None
 
-            domain = userinfo.get('hd')
-            if domain == 'iam.gserviceaccount.com':
+            email = userinfo['email']
+            if email.endswith('iam.gserviceaccount.com'):
                 return userinfo['sub']
             # We don't currently track user's unique GCP IAM ID (sub) in the database, just their email,
             # but we should eventually use the sub as that is guaranteed to be unique to the user.
