idtoken: Using NewValidator with Google credentials in the environments means you can't validate tokens #1187
Comments
Hey @peterwillis thanks for the report. This looks similar to #785 but I will take another look. |
Out of curiosity are you passing any options? I am curious to hear your use case. If you are passing other options also passing |
Ok I see it now in the docs:
The only reason to use I will use |
I have been thinking about this, and I realised that the reason I chose to use |
@peterwillis You are right, this should be a bug. I opened a PR to fix this issue. |
When NewValidator is called without any options passed in, it will fail talking to the Google cert endpoint because the dialed authenticated client will not have proper scopes, which leads to the error: "invalid_scope". We should set a default scope so this method can be called with no extra options. Fixes: #1187
Environment details
Steps to reproduce
When I create a validator with

idtoken.NewValidator(ctx)

and then use

v.Validate(ctx, "valid token", "valid audience")

there is an error that shows the certs endpoint is returning a 400. I think this is because the library picks up GOOGLE_APPLICATION_CREDENTIALS in the environment and adds an authorization header to the request made to the certs endpoint at https://www.googleapis.com/oauth2/v3/certs, which is not accepted as it's invalid to pass credentials to that public endpoint.

If I don't use NewValidator and instead use

idtoken.Validate(ctx, "valid token", "valid audience")

then I can see the code is picking http.DefaultClient and not adding any authorization headers, and everything works.

That means I have to create a validator explicitly overriding the http.Client with

idtoken.NewValidator(ctx, idtoken.WithHTTPClient(http.DefaultClient))

This seems counter-intuitive.
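The failure mode described in the report, as an added stand-alone example that is not code from the issue, the PR, or the google-api-go-client library: a local fake certs endpoint (newFakeCertsServer) answers anonymous requests with a JWKS document and rejects any request carrying an Authorization header with HTTP 400, the way the reporter observes the public endpoint behaving. authInjectingTransport is a hypothetical stand-in for the credentialed transport the library builds when it finds Google credentials in the environment; it is not the library's own code. fetchCerts is the GET a validator would make, and injectsCredentials is a check a practitioner can run on any *http.Client before passing it to WithHTTPClient, to see whether it silently attaches credentials. The JSON bodies and the token string are constructed placeholders.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// authInjectingTransport is a hypothetical stand-in for the authenticated
// transport the library builds when it finds Google credentials in the
// environment: it attaches a bearer token to every outgoing request.
type authInjectingTransport struct {
	base  http.RoundTripper
	token string
}

func (t *authInjectingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}

// newFakeCertsServer mimics the behaviour reported for the public certs
// endpoint: anonymous requests get a JWKS document, requests that carry
// credentials are rejected with HTTP 400. Both bodies are constructed placeholders.
func newFakeCertsServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Header.Get("Authorization") != "" {
			w.WriteHeader(http.StatusBadRequest)
			io.WriteString(w, `{"error":"invalid_request"}`)
			return
		}
		io.WriteString(w, `{"keys":[]}`)
	}))
}

// fetchCerts issues the GET a validator would make against certsURL with the
// given client and returns the status code and body.
func fetchCerts(client *http.Client, certsURL string) (int, string, error) {
	resp, err := client.Get(certsURL)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, string(body), nil
}

// injectsCredentials probes a client before it is handed to the validator:
// it sends one request to a throwaway local server and reports whether an
// Authorization header arrived, i.e. whether the client would leak credentials
// to a public endpoint such as the certs URL.
func injectsCredentials(client *http.Client) (bool, error) {
	var sawAuth bool
	probe := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sawAuth = r.Header.Get("Authorization") != ""
	}))
	defer probe.Close()
	resp, err := client.Get(probe.URL)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return sawAuth, nil
}

func main() {
	certs := newFakeCertsServer()
	defer certs.Close()

	// The client idtoken.Validate ends up with: nothing attached to the request.
	anonymous := http.DefaultClient
	// Simulation of what NewValidator builds when GOOGLE_APPLICATION_CREDENTIALS is set.
	credentialed := &http.Client{Transport: &authInjectingTransport{
		base:  http.DefaultTransport,
		token: "simulated-service-account-token", // constructed placeholder
	}}

	for name, c := range map[string]*http.Client{"anonymous": anonymous, "credentialed": credentialed} {
		leaks, _ := injectsCredentials(c)
		code, body, err := fetchCerts(c, certs.URL)
		fmt.Printf("%-12s sends Authorization=%v -> certs endpoint %d %s (err=%v)\n", name, leaks, code, body, err)
	}
}
```

Running it shows the anonymous client receiving 200 and the credentialed one 400 from the same endpoint; the injectsCredentials probe is the cheap pre-flight check to apply to whatever client you intend to pass via idtoken.WithHTTPClient, since a transport that signs every request is the wrong thing to point at a public JWKS URL.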