We have built a ChromeOS extension that calls "chrome.enterprise.platformKeys.challengeKey" and sends the signed challenge to our backend. We have this extension force installed on our devices with the "Allow enterprise challenge" and "Allow access to keys" certificate management options enabled through the Google Workspace admin.
We have also:
- Created a Google Cloud API Project and enabled the "Chrome Verified Access API" API;
- Created a service account under this Google Cloud Project;
- In our Google Workspace, under "User Verification" set "Verified Mode boot check" to "Require verified mode boot for Verified Access", and added the service account to "Service accounts that are allowed to receive user data";
What we do:
- We call the "https://verifiedaccess.googleapis.com/v2/challenge:generate" endpoint to request a challenge (works)
- We pass the challenge to "chrome.enterprise.platformKeys.challengeKey" and in the callback send the request to our backend.
- In the backend, we call the "https://verifiedaccess.googleapis.com/v2/challenge:verify" endpoint with the challenge we got from the extension.
When we challenge the USER key, we get an empty response (200 OK). When we challenge the MACHINE key, we always get the error "The caller does not have permission" (403 PERMISSION_DENIED). There appear to be no "Verified Access" specific permissions.
What does "the caller" refer to here? Is this an issue with the device permissions or the API permissions? Calling "challenge:generate" from the backend returns a challenge, thus the service account authentication is working.
After more testing it appears the V1 API works fine, only the V2 API fails with PERMISSION_DENIED.
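An added example (not the poster's code) that wires the three steps above together in plain JavaScript, with the base64/ArrayBuffer conversions that sit between the REST API and the extension API; the platformKeys object is passed in so the extension half can be exercised off-device with a stub. The v2 field names (`challenge`, `challengeResponse`, `expectedIdentity`) are assumed from the v2 REST reference, and the verify call itself is not executed here.

```javascript
// Added example, not the original poster's code. Assumed v2 shapes:
// challenge:generate -> { challenge: <base64> }
// challenge:verify   <- { challengeResponse: <base64>, expectedIdentity }
const VA_BASE = 'https://verifiedaccess.googleapis.com/v2';

// base64 (from challenge:generate) -> ArrayBuffer (what challengeKey expects)
function base64ToArrayBuffer(b64) {
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// ArrayBuffer (from challengeKey) -> base64 (what challenge:verify expects)
function arrayBufferToBase64(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Extension side. `platformKeys` is chrome.enterprise.platformKeys, injected
// so the flow can be driven with a stub outside a managed ChromeOS device.
function signChallenge(platformKeys, challengeB64, scope) {
  return new Promise((resolve, reject) => {
    platformKeys.challengeKey(
      { scope, challenge: base64ToArrayBuffer(challengeB64) }, // 'USER' or 'MACHINE'
      (response) => {
        const err = globalThis.chrome?.runtime?.lastError;
        if (err) return reject(new Error(err.message));
        resolve(arrayBufferToBase64(response));
      });
  });
}

// Backend side: body for POST /v2/challenge:verify. expectedIdentity is
// typically the user's email (USER scope) or the enrolled domain (MACHINE).
function buildVerifyRequest(signedChallengeB64, expectedIdentity) {
  return { challengeResponse: signedChallengeB64, expectedIdentity };
}

// Backend side: the verify call, authenticated with a service-account token.
async function verifyChallenge(accessToken, signedChallengeB64, expectedIdentity) {
  const res = await fetch(`${VA_BASE}/challenge:verify`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(buildVerifyRequest(signedChallengeB64, expectedIdentity)),
  });
  if (!res.ok) throw new Error(`verify failed: ${res.status} ${await res.text()}`);
  return res.json(); // a 403 here surfaces as the thrown error above
}
```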