service account authentication fails after 1.33.0 release #804

Closed
syphar opened this issue Jul 19, 2021 · 9 comments
Labels
external This issue is blocked on a bug with the actual product. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

syphar commented Jul 19, 2021

Environment details

  • OS: Linux
  • Python version: 3.9.6
  • pip version: 21.1.3
  • google-auth version: 1.33.0

Error description

With the update of google-auth to 1.33.0 we saw an error in our environments.

invalid_grant: Invalid JWT: Failed audience check. The right audience is [...]

In our case we use a service-account to access google calendars in our org.

In our service-account key we find "token_uri": "https://accounts.google.com/o/oauth2/token", while the library sets aud to be https://oauth2.googleapis.com/token via a constant. This was changed with the 1.33.0 release in 0e26409.

When I monkey-patch the constant to have the same value as the token-uri in our accounts, everything works again.

Is this a bug? Or a configuration issue on our side?

I'm happy to provide detailed steps to reproduce this if needed. Also I'm not sure about the relation to #464.

busunkim96 (Contributor) commented

Thanks for the report! @arithmetic1728 Could you take a look?

I think https://oauth2.googleapis.com/token is the current token_endpoint (see https://developers.google.com/identity/protocols/oauth2/openid-connect#discovery). Do older keys use different endpoints?

arithmetic1728 self-assigned this Jul 19, 2021

busunkim96 (Contributor) commented

Hi,

If you're experiencing this issue, please use the prior release google-auth==1.32.1. We are working on solutions in the backend.

busunkim96 added the external, priority: p1, and type: bug labels Jul 20, 2021

syphar commented Jul 20, 2021

> Hi,
>
> If you're experiencing this issue, please use the prior release google-auth==1.32.1. We are working on solutions in the backend.

Thank you for the update! We already had reverted the upgrade, will wait for the next release and the fix.

Mogost commented Jul 20, 2021

We also investigated the issue on our side. In our case, changing the token_uri value in the .json file helped us.

syphar commented Jul 20, 2021

> We also investigated the issue on our side. In our case, changing the token_uri value in the .json file helped us.

Thanks, that's good to know. I would have expected the token to be signed, so that it fails when these details are changed; that's why I didn't try to change it.

Since there is no rush upgrading the package, we'll just wait for the fix and release.

liuchaoren (Contributor) commented

I can reproduce the error only when I set the "subject" field for domain-wide delegation. Can anyone confirm if domain-wide delegation is used when you see the error?

syphar commented Jul 20, 2021

> I can reproduce the error only when I set the "subject" field for domain-wide delegation. Can anyone confirm if domain-wide delegation is used when you see the error?

Yep, in our case the service account has domain wide delegation activated

busunkim96 (Contributor) commented

Revert is under way in #808, we'll take the change again once b/194191737 is resolved.

syphar commented Jul 22, 2021

just tested the revert with 1.33.1, and it works (which I assumed seeing the code, but still :) )

Thank you for the quick fix!
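
The audience mismatch discussed in this thread, as an added example that is not part of the original issue and not google-auth's own code: it builds the unsigned JWT-bearer claim set both ways and flags when `aud` differs from the key file's `token_uri`. The function names, the sample key and the scope are constructed for illustration, and it assumes the client posts the assertion to the key's `token_uri`.

```python
import time

# Audience the issue says google-auth 1.33.0 put in "aud" via a constant.
CONSTANT_AUDIENCE = "https://oauth2.googleapis.com/token"


def build_claims(key_info, scopes, subject=None, constant_aud=False, now=None):
    """Return the (unsigned) JWT-bearer claim set for a service account key."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": key_info["client_email"],
        "scope": " ".join(scopes),
        # Either the constant, or the token_uri taken from the key file.
        "aud": CONSTANT_AUDIENCE if constant_aud else key_info["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }
    if subject:
        claims["sub"] = subject  # user impersonated via domain-wide delegation
    return claims


def preflight(key_info, claims):
    """Compare "aud" with the endpoint the assertion will be posted to."""
    mismatch = claims["aud"] != key_info["token_uri"]
    return {
        "aud": claims["aud"],
        "token_uri": key_info["token_uri"],
        "aud_mismatch": mismatch,
        # Assumption taken from the thread: the failure was reproduced only
        # when a subject was set.
        "matches_reported_failure": mismatch and "sub" in claims,
    }


# Constructed sample key content (no private key; values are made up except
# token_uri, which is the one quoted in the issue).
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "calendar-sync@example-project.iam.gserviceaccount.com",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
}
SCOPES = ["https://www.googleapis.com/auth/calendar.readonly"]

if __name__ == "__main__":
    for constant_aud in (False, True):
        claims = build_claims(SAMPLE_KEY, SCOPES, "user@example.com", constant_aud)
        print(constant_aud, preflight(SAMPLE_KEY, claims))
```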

tseaver closed this as completed Jul 23, 2021