google-auth-library-nodejs

Slow response times when obtaining Domain Wide Delegation token and during inbound Authorization header validation

Open ianhannaford opened this issue 1 year ago • 4 comments

Environment details

  • OS: Linux
  • Node.js version: v16.20.2
  • npm version: 8.19.4
  • google-auth-library version: 8.19.4

Obtaining a Domain Wide Delegated Access Token

We have two issues when using the client library when trying to PATCH a subscription. When patching a subscription for a Chat Space we are obtaining a user's Domain Wide Delegated token to use as the Authorization header for the PATCH operation.

We are using the GoogleAuth client to obtain the token and during the call to getAccessToken(); it makes a request to the Google endpoint https://www.googleapis.com/oauth2/v4/token

We have been experiencing slow response times when hitting this endpoint as shown in the attachments.

image

// Fragment from the body of an async function.
// [EMAIL] and [GOOGLE_APP_CREDENTIALS] are redacted placeholders.
const auth = new GoogleAuth({
     scopes: "https://www.googleapis.com/auth/chat.memberships https://www.googleapis.com/auth/chat.memberships.app https://www.googleapis.com/auth/chat.messages https://www.googleapis.com/auth/chat.spaces https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile",
     clientOptions: { subject: [EMAIL] },
     credentials: [GOOGLE_APP_CREDENTIALS],
});

const client = await auth.getClient();

// This call triggers the request to https://www.googleapis.com/oauth2/v4/token
const jwtResponse: GetAccessTokenResponse = await client.getAccessToken();

return jwtResponse.token!;

Header Authorization

We have also noticed slow response times during validation of the JWT Authorization header that is sent as part of the push notification. In the library it makes a call to https://www.googleapis.com/oauth2/v1/certs. Occasionally we have seen slow response times from this request as shown in the attachments.

image

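// Extract the bearer token from the push notification's Authorization header.
const bearerTokenHeader = req.header('Authorization');

const token = bearerTokenHeader?.match(/Bearer (.*)/);

// A missing or malformed header yields no match; stop before indexing into it.
if (!token) throw new Error('Missing or malformed Authorization header');

const idToken = token[1];

const client = new OAuth2Client();

// This call triggers the request to https://www.googleapis.com/oauth2/v1/certs
const ticket = await client.verifyIdToken({ idToken });

const claim = ticket.getPayload();

ianhannaford Feb 09 '24 11:02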

We're planning to migrate to newer token endpoints upstream, which may resolve this issue (assuming there aren't any other networking issues, like proxies):

  • https://github.com/googleapis/node-gtoken/pull/466

danielbankhead Feb 09 '24 19:02

@danielbankhead I see this PR updates the /token endpoint but don’t see any updates to the /cert endpoint?

ianhannaford Feb 11 '24 11:02

> I see this PR updates the /token endpoint but don’t see any updates to the /cert endpoint?

I've conducted an audit and see that there are a few endpoints in this library that will also need to be updated - I'll take care of this shortly.

danielbankhead Feb 23 '24 22:02

I have a PR up to resolve, however it will require us to upgrade to Node 16 (which includes JWK support):

  • https://github.com/googleapis/google-auth-library-nodejs/pull/1762

However, we may be able to release the following PR sooner, which may be more helpful as the /token endpoint would be hit far more often than /cert (longer cache time):

  • https://github.com/googleapis/node-gtoken/pull/466

danielbankhead Feb 28 '24 01:02
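
One way to keep the /token request discussed in this thread off the request path is to cache delegated tokens per subject and share a single in-flight fetch between concurrent callers. This is an added example, not code from the thread or from google-auth-library: `createTokenCache` and `fetchToken` are hypothetical names, and `fetchToken(subject)` is assumed to wrap the `getAccessToken()` call from the original post and to resolve to `{ token, expiresAt }` with `expiresAt` in epoch milliseconds.

```javascript
// Added example: per-subject access-token cache with single-flight refresh.
// `fetchToken` is a hypothetical callback supplied by the caller (assumption).
function createTokenCache(fetchToken, { skewMs = 60_000, now = Date.now } = {}) {
  // The cache key is the impersonated subject, so a delegated token issued
  // for one user is never handed to a request made on behalf of another.
  const entries = new Map(); // subject -> { promise, expiresAt }

  return {
    get(subject) {
      const hit = entries.get(subject);
      // Reuse a fetch that is still in flight (expiresAt === null) or a
      // token that is not yet within `skewMs` of its expiry.
      if (hit && (hit.expiresAt === null || hit.expiresAt - skewMs > now())) {
        return hit.promise;
      }

      const entry = { promise: null, expiresAt: null };
      entry.promise = new Promise((resolve) => resolve(fetchToken(subject))).then(
        ({ token, expiresAt }) => {
          entry.expiresAt = expiresAt;
          return token;
        },
        (err) => {
          // Never cache a failure: drop the entry so the next caller retries.
          if (entries.get(subject) === entry) entries.delete(subject);
          throw err;
        }
      );
      entries.set(subject, entry);
      return entry.promise;
    },

    // Call when the API rejects a token (for example after revocation).
    invalidate(subject) {
      entries.delete(subject);
    },
  };
}
```

Tokens held this way live only in process memory; `invalidate` gives the caller a way to discard one early.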