New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential Bug: Uncaught exception when calling oauth2.id_token.fetch_id_token #663
Comments
Hi @yaseenlotfi, Thanks for the thorough explanation. It seems like the existing behavior is incorrect. On a first pass I think google-auth-library-python/google/auth/compute_engine/_metadata.py Lines 168 to 188 in 647290a
Could you check if google-auth-library-python/google/auth/environment_vars.py Lines 43 to 51 in 647290a
|
I've encountered the same issue (under the same environment conditions the author originally posted) and I was wondering if anyone had found a workaround? Is there a version of the library that doesn't have this issue? Thanks in advance! |
My workaround was basically to implement my own check if the app is running locally vs a Cloud environment. Makes a request to compute metadata server and check the header. I assume it's from Google if there is a header called "Metadata-Flavor". Unfortunately, the status code is 200, either way. Knowing which environment you're in allows you do replicate the auth workflow on you own ie try to get token from compute, then try default credentials, etc. |
@arithmetic1728 Please can you take a look? |
Fail to retrieve an ID token because the workflow is broken prematurely. This function tries to fetch the ID token from the Compute Metadata Server, first. If that fails, then it tries loading credentials from the environment variable. Raises a final error if it can't do either. In my case, I'm trying to fetch the ID token locally so the metadata server URL cannot be resolved. This causes an uncaught TypeError that breaks before trying to use the environment variable.
Environment details
google-auth
version: 1.21.1Steps to reproduce
$GOOGLE_APPLICATION_CREDENTIALS
set to valid service account key filepath.Reproduced by running:
Sample Traceback
Explanation
The workflow breaks prematurely while checking the Compute Metadata Server. Since I am running locally, I would expect the behavior to be such that it fails to reach the metadata server so it attempts to load credentials from the environment variable instead.
What's happening is that the response from the unreachable metadata server is a string instead of the dictionary this function expects. It assumes a dictionary is returned and tries accessing the email attribute directly (
sa_info.get("email")
would be safer). See reference:google-auth-library-python/google/auth/compute_engine/credentials.py
Line 223 in 647290a
This variable,
sa_info
, is meant to be returned bycompute_engine._metadata.get_service_account_info
.See reference:
google-auth-library-python/google/auth/compute_engine/_metadata.py
Line 208 in 647290a
Solution
More of a workaround than a solution, I added a
TypeError
to the first try-except block inid_token.fetch_id_token
. See reference:google-auth-library-python/google/oauth2/id_token.py
Line 226 in 647290a
Works well enough but I'm wondering what the best approach is to solve this. Is there a different way to get this OIDC token locally in a Pythonic way? I've used the
subprocess
module before to callgcloud
directly but that's not ideal. This function is appealing because the same code can work either in GCP or locally.Something else I don't fully understand is why making a request to the metadata server externally still returns a 200 status code. Is there a simple check of whether the server can be accessed or not?
The text was updated successfully, but these errors were encountered: