Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

idtoken: NewValidator broken after #738 #785

Closed
codyoss opened this issue Dec 10, 2020 · 3 comments
Closed

idtoken: NewValidator broken after #738 #785

codyoss opened this issue Dec 10, 2020 · 3 comments
Assignees
@codyoss
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@codyoss
Copy link
Member

codyoss commented Dec 10, 2020 

(ds.DefaultAudience != "" || len(ds.Audiences) > 0)

The above change appears to be the faulting change.

Using cloud.google.com/go v0.72.0 + google.golang.org/api v0.35.0 works. Upgrading either with 1 minor version causes runtime errors.

Reproducing code:

opt := option.WithCredentialsFile("path/to/svc-acc.json")
validator, err := idtoken.NewValidator(ctx, opt)
validator.Validate(ctx, "some-token", "some-audience")

The fault happens during idtoken.NewValidator, where the self-signing JWT token source is not set, due to the changes in this PR. There is no error returned from running NewValidator. When running validator.Validate, an error occurs during the roundtrip when retrieving the certificates from google.

Originally posted by @bendiknesbo in #738 (comment)
@codyoss codyoss added the status: investigating The issue is under investigation, which is determined to be non-trivial. label Dec 10, 2020
@codyoss codyoss self-assigned this Dec 10, 2020
@codyoss codyoss added the type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. label Dec 10, 2020
@codyoss
Copy link
Member Author

codyoss commented Dec 10, 2020

@bendiknesbo Do you have a use case for needing an authenticated client for these validation requests? If you don't pass in that option I think your code will still work, would you mind trying that?

@codyoss codyoss added the needs more info This issue needs more information from the customer to proceed. label Dec 10, 2020
@codyoss
Copy link
Member Author

codyoss commented Dec 10, 2020

If you are not passing WithHTTPClient just calling the function Validate might work just as well for your use case.

@codyoss codyoss added the priority: p2 Moderately-important priority. Fix may not be included in next release. label Dec 10, 2020
@codyoss
Copy link
Member Author

codyoss commented Feb 1, 2021

It is not expected that you use a validated client with this function. If you have a valid use case for this please let me know and we can discuss more. It is true our client has become more restrictive about when to use self-signed JWTs but this is correct as an audience, default or user set, should be provided when using this feature. It was a bug that this worked before. Closing as by design.

@codyoss codyoss closed this as completed Feb 1, 2021
@codyoss codyoss removed status: investigating The issue is under investigation, which is determined to be non-trivial. needs more info This issue needs more information from the customer to proceed. labels Feb 1, 2021
@codyoss codyoss mentioned this issue Aug 26, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@codyoss codyoss

Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@codyoss