google-auth-library-nodejs
No pem found for envelope (wrong 'kid' property match)
https://github.com/googleapis/google-auth-library-nodejs/blob/d7893c1dc70b3aa45c12bb9b6c0e5346a293b130/src/auth/oauth2client.ts#L1304
My code looks like this:

```ts
const client = new OAuth2Client(
  'CLIENT_ID_1'
);
const ticket = await client.verifyIdToken({
  idToken: token,
  audience: [
    'CLIENT_ID_1',
    'CLIENT_ID_2',
  ],
});
const payload = ticket.getPayload();
return payload.email;
```
It works well for my iOS and web Google Sign-In implementations. For the Android one, it's failing with this error:

```
No pem found for envelope: {"alg":"RS256","kid":"6f8e1cb15641463c6df0f33394b03c92fcc889ac","typ":"JWT"}
```

The payload and envelope are separated correctly; it seems there is just the wrong 'kid' matching going on with the certs fetched from getFederatedSignonCertsAsync. How can I fix this?

And this is unlikely to be related to caching, as I had the same identical problem on a local emulator as well as on a physical device, and also have the same problem testing in the cloud. All freshly signed into a Google account without ever having been signed into it.
Found the root of the problem
The kid is matching a certificate that isn't provided via the URLs in this library, but after looking for other public auth certs Google may have, I found the firebase-admin library, which had this URL in its code:
https://www.googleapis.com/robot/v1/metadata/x509/[email protected]
However, this library doesn't include those certificates when figuring out which certificate to work with.
@danielbankhead can you explain this? There's this bizarre crossover between Google Auth and Firebase... the library is called googleSignIn on Android; this is incredibly confusing and has eaten a lot of my time.
My workaround looks like this now... nasty, but it works.
```ts
import { OAuth2Client } from 'google-auth-library';
import firebase from 'firebase-admin';

const firebaseClient = firebase.initializeApp({
  // firebase credential key (service account JSON) goes here
  credential: firebase.credential.cert({ /* ... */ } as firebase.ServiceAccount),
});

// resolve a token to the user's email
export async function deriveEmailFromGoogleToken(
  token: string
): Promise<string> {
  const client = new OAuth2Client(
    'CLIENT_ID_1'
  );
  try {
    const ticket = await client.verifyIdToken({
      idToken: token,
      audience: [
        '281074435194-iacdh6vqefvlkg5d39612ovu8qerhj9i.apps.googleusercontent.com',
        '281074435194-fl6i1orvoe8i68u49emmfag840tejtba.apps.googleusercontent.com',
      ],
    });
    const result = ticket.getPayload();
    if (result?.email) {
      return result.email;
    }
  } catch (error) {
    // google auth library failed (e.g. "No pem found for envelope"), move on
  }
  try {
    const result = await firebaseClient
      .auth()
      .verifyIdToken(token);
    if (result.email) {
      return result.email;
    }
  } catch (error) {
    // move on
  }
  throw new Error('no match for google sign in.');
}
```
@danielbankhead could you take a look at this issue? Many thanks
@jpike88 apologies for the delay; we're working to improve the integration between this library and Firebase. I should have some updates on this and other related issues shortly.
Sorry for asking again, but is there any progress? The issue still persists.
@himanshu-incedo Hey! As of recent weeks, we're actively working on it internally with the Firebase team.
A quick update on this ticket: We're still actively working on it, more updates to follow.
Sorry for asking again, but are there any updates?
@ByBogon, no problem; we've completed integration preparation in this library. The Firebase team should have some public updates shortly (within a month or so).
@danielbankhead Could you give me more details about integration preparation if possible?
@ByBogon sure thing. Firebase requires a custom transporter interface, and previously we didn't have a flexible, uniform way to customize it until this larger refactor:
- https://github.com/googleapis/google-auth-library-nodejs/pull/1663
@danielbankhead Thank you for sharing! Can't wait to update to that version.
Current WIP to resolve this:
- https://github.com/firebase/firebase-admin-node/pull/2466