Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth: GoogleIdTokenVerifier fails to validate token from Identity Platform #2094

Open
mmatloka opened this issue Jun 14, 2022 · 2 comments
Open

Auth: GoogleIdTokenVerifier fails to validate token from Identity Platform #2094

mmatloka opened this issue Jun 14, 2022 · 2 comments
Labels
api: cloudidentity Issues related to the Cloud Identity API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@mmatloka
Copy link

Environment details

  1. Identity Platform
  2. OS type and version:
  3. Java version: 17
  4. version(s): 1.35.1

Steps to reproduce

Hello,
https://cloud.google.com/identity-platform/docs/reference/rest says that "we recommend that you use the Google-provided client libraries.", so I'm tring to leverage GoogleIdTokenVerifier to verify accessToken generated when using Identity Platform. I use the following code:

    val transport: HttpTransport = new ApacheHttpTransport()
    val jsonFactory: JsonFactory = new GsonFactory()
    val verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
      .setIssuer("https://securetoken.google.com/<my project>")
      .setAudience(Collections.singletonList("<my project>"))
      .build

    verifier.verify(
        "token"
      ) // always null == not verified

Verification fails because this line returns false because it was not able to verify signature here. When I use debug and dive inside, I see that sun.security.rsa.RSASignature throws inside javax.crypto.BadPaddingException: Decryption error.

How do I obtain the token? I have used sample websites from https://github.com/firebase/firebaseui-web#starting-the-sign-in-flow (with configured initialization snippet from my Identity Platform account).

I am using google-api-client version 1.35.1.

Where is the mistake? Should I configured different public keys?

Thanks in advance for help!
@yoshi-automation yoshi-automation added triage me I really want to be triaged. 🚨 This issue needs some love. labels Jun 15, 2022
@meltsufin
Copy link
Member

@TimurSadykov Is this something you're familiar with? I see that you modified GoogleIdTokenVerifier recently.

@meltsufin meltsufin added priority: p2 Moderately-important priority. Fix may not be included in next release. api: cloudidentity Issues related to the Cloud Identity API. and removed triage me I really want to be triaged. labels Jun 21, 2022
@yoshi-automation yoshi-automation removed the 🚨 This issue needs some love. label Jun 21, 2022
@TimurSadykov
Copy link
Member

@meltsufin Yes, I'm familiar. We need to add IdentityPlatform public keys to our default storage or add another storage with those keys present. If that is not something we can do quickly - at least reference a public source of the keys or keys themselves to mitigate temporarily.

@meltsufin meltsufin added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Dec 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
api: cloudidentity Issues related to the Cloud Identity API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mmatloka @TimurSadykov @meltsufin @yoshi-automation