Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

idtoken: Using NewValidator with Google credentials in the environments means you can't validate tokens #1187

Closed
peterwillis opened this issue Aug 26, 2021 · 5 comments · Fixed by #1198
Closed

idtoken: Using NewValidator with Google credentials in the environments means you can't validate tokens #1187

peterwillis opened this issue Aug 26, 2021 · 5 comments · Fixed by #1198
Assignees
@codyoss
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@peterwillis
Copy link

Environment details

  • Programming language: Go
  • OS: Linux
  • Language runtime version: 1.17
  • Package version: v0.54.0

Steps to reproduce

When I create a validator with idtoken.NewValidator(ctx) and then use v.Validate(ctx, "valid token", "valid audience") there is an error that shows the certs endpoint is returning a 400. I think this is because library picks up GOOGLE_APPLICATION_CREDENTIALS in the environment and adds an authorization header to the request made to the certs endpoint at https://www.googleapis.com/oauth2/v3/certs which is not accepted as it's invalid to pass credentials to that public endpoint.

If I don't use NewValidator and instead use idtoken.Validate(ctx, "valid token", "valid audience") then I can see the code is picking http.DefaultClient and not adding any authorization headers and everything works.

That means I have to create a validator explicitly overriding the http.Client with idtoken.NewValidator(ctx, idtoken.WithHTTPClient(http.DefaultClient)). This seems counter intuitive.
@peterwillis peterwillis added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Aug 26, 2021
@codyoss
Copy link
Member

codyoss commented Aug 26, 2021

Hey @peterwillis thanks for the report. This looks similar to #785 but I will take another look.

@codyoss codyoss added the status: investigating The issue is under investigation, which is determined to be non-trivial. label Aug 26, 2021
@codyoss
Copy link
Member

codyoss commented Aug 26, 2021

Out of curiosity are you passing any options? I am curious to hear your use case. If you are passing other options also passing option.WithoutAuthentication() may be a good workaround for you for now.

@peterwillis
Copy link
Author

peterwillis commented Aug 26, 2021
edited

Ok I see it now in the docs:

NewValidator creates a Validator that uses the options provided to configure a the internal http.Client that will be used to make requests to fetch JWKs.

The only reason to use NewValidator is to override the http.Client. I think a note that explains it will pick up the credentials in the standard way in a GCE environment would be super helpful.

I will use idtoken.Validate instead. Thank you!

@codyoss codyoss added type: docs Improvement to the documentation for an API. and removed priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. status: investigating The issue is under investigation, which is determined to be non-trivial. labels Aug 26, 2021
@peterwillis
Copy link
Author

peterwillis commented Aug 26, 2021
edited

I have been thinking about this, and I realised that the reason I chose to use NewValidator for my use case in the first place is so that I could get more test coverage by passing in an http client that doesn't actually make the request. Using the idtoken.Validate function means that this is no longer possible.

@codyoss codyoss added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. and removed type: docs Improvement to the documentation for an API. labels Aug 30, 2021
@codyoss codyoss mentioned this issue Aug 30, 2021
Merged
@codyoss
Copy link
Member

codyoss commented Aug 30, 2021

@peterwillis You are right, this should be a bug. I opened a PR to fix this issue.

codyoss added a commit that referenced this issue Aug 30, 2021
@codyoss
fix(idtoken): provide default scope for cert endpoint (#1198)
7019080 
When NewValidator is called without any options passed in it will
fail talking to the google cert endpoint because the dailed
authenticated client will not have proper scopes and leads to the
error: "invalid_scope". We should set a default scope so this method
can be called with no extra options.

Fixes: #1187
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@codyoss codyoss

Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(idtoken): provide default scope for cert endpoint
2 participants
@peterwillis @codyoss