google-auth-library-python
Credentials jwt "aud"
Hello, I am trying to authenticate with the Credentials class and a service_account file, and a proxy for the Google OAuth token endpoint.
So I set the token_uri in the service_account file:

```json
"token_uri": "https://example.com/oauth2/token",
```
After authenticating with

```python
credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_JSON_FILE, scopes=SCOPES)
```

I get a JWT grant error: "Invalid JWT: Failed audience check."
By inspecting the auth library, the JWT "aud" is set to the token_uri:
https://github.com/googleapis/google-auth-library-python/blob/37141e4dffc2ba3f3f57c5914544fb8b9cf7d017/google/oauth2/service_account.py#L317
and there is no option to set it to the default

```json
"aud": "https://oauth2.googleapis.com/token",
```

as suggested in the documentation.
Is this the expected behaviour? If yes, how should I use my proxy to authenticate?
Thank you
Hi @nikoloutsa,
Could you let us know what you're looking to accomplish by overriding the default token URI?
If you need to use a token_uri different from the one specified in the file, you can construct the Credential manually using the constructor.
Hi, so my problem is not how to set the token_uri variable, but how to achieve the authentication via a proxy endpoint.
So following the test code here:
I get the JWT grant error because of the required claims in the JWT claim set:

> "aud": A descriptor of the intended target of the assertion. When making an access token request this value is always https://oauth2.googleapis.com/token.

and not because of the custom token_uri variable.
Hope this is more clear, thank you.
Ah, I see. You're correct, there is no way to make the token_uri in the payload different from the one provided in the service account file.
Is there a technical reason preventing you from allowing the auth request to be made directly to the Google OAuth2 endpoint?
Actually yes, I have deployed my code on a node that has no internet access, but I can send requests via a proxy as I said (https://example.com/oauth2/token) that would forward the requests to "https://oauth2.googleapis.com/token".
@nikoloutsa did you find a workaround for it? I too have the same problem forwarding requests through a proxy.
For my case the workaround was to hard-code the payload URL inside `site-packages/google/oauth2/service_account.py`.
Just search for `"aud": self._token_uri` and set the correct URL; you will find it in two places:

```python
def _make_authorization_grant_assertion(self):
    ....
    payload = {
        .....
        "aud": self._token_uri,
    }
    # line added after the payload dict, overriding the token_uri-derived audience
    payload["aud"] = "https://oauth2.googleapis.com/token"
```
Not sure if this is the best fix, but for my cases it seems to work flawlessly.
Same happens to me, but in my case I won't use it in a local environment; I need to deploy an App Engine application, so I can't make that change.
It is worth noting that in my credentials file, the variable "token_uri" has the value https://accounts.google.com/o/oauth2/token, that is the same value that the "audience" is supposed to have.
Is there any alternative solution to be able to deploy in production environments?
May it be related to the credential creation date? The one I am using was created in 2016.
Regards.
Hi, I have found my own solution, and it is to change the value of the "token_uri" to https://oauth2.googleapis.com/token.
I guess the google.oauth2 library expects this value instead of https://accounts.google.com/o/oauth2/token, and I noticed this because when creating a new service account for testing, the value of "token_uri" was https://oauth2.googleapis.com/token.
It seems that old service accounts are not created in the same way as the current ones, and therefore, if you use deprecated libraries like oauth2client the value of "token_uri" should be https://accounts.google.com/o/oauth2/token and if you use the google.oauth2 library the value of "token_uri" should be https://oauth2.googleapis.com/token.
I hope this may help someone in the future, while someone more knowledgeable weighs in on the matter.
Kind regards.
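To make the audience problem from the thread concrete without touching site-packages, here is an added example (not code from google-auth or from anyone in this thread) that reconstructs, in simplified form, the claim set the library builds for the JWT grant and applies the audience rule quoted above; the `audience` parameter, `audience_check`, `lint_service_account_info` and the constructed `SAMPLE_INFO` are assumptions of this example, and signing is left out.

```python
import time

# Audience Google's token endpoint requires in a JWT grant (quoted in the thread).
GOOGLE_TOKEN_AUDIENCE = "https://oauth2.googleapis.com/token"
# token_uri seen in older key files (reported in the thread as not working with google.oauth2).
LEGACY_TOKEN_URI = "https://accounts.google.com/o/oauth2/token"

# Constructed sample, not a real key file: token_uri points at a forwarding proxy.
SAMPLE_INFO = {
    "client_email": "svc@example-project.iam.gserviceaccount.com",
    "token_uri": "https://example.com/oauth2/token",
}


def build_grant_claims(info, scopes, audience=None, lifetime=3600, now=None):
    """Simplified reconstruction of the claim set google.oauth2.service_account
    builds for the JWT grant (iat/exp/iss/aud/scope; signing omitted).
    As in the library, "aud" defaults to token_uri. The `audience` argument is
    an assumption of this example: it shows what the proxy case would need,
    i.e. the request goes to the proxy while "aud" names Google's endpoint."""
    now = int(time.time()) if now is None else now
    return {
        "iat": now,
        "exp": now + lifetime,
        "iss": info["client_email"],
        "aud": audience or info["token_uri"],
        "scope": " ".join(scopes),
    }


def audience_check(claims):
    """Mirror of the endpoint-side rule behind 'Invalid JWT: Failed audience check'."""
    return claims.get("aud") == GOOGLE_TOKEN_AUDIENCE


def lint_service_account_info(info):
    """Pre-deployment check over a parsed key file: returns a list of findings
    explaining why the grant would be rejected before any request is sent."""
    findings = []
    token_uri = info.get("token_uri")
    if token_uri == LEGACY_TOKEN_URI:
        findings.append("token_uri is the legacy accounts.google.com value; "
                        "set it to %s for google.oauth2" % GOOGLE_TOKEN_AUDIENCE)
    elif token_uri != GOOGLE_TOKEN_AUDIENCE:
        findings.append("token_uri %r will become the JWT 'aud' and fail the "
                        "audience check at Google's endpoint" % token_uri)
    return findings
```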