
[pwa-auth] does not return a valid Google SSO id_token

Open shaunakg opened this issue 4 years ago • 13 comments

To verify that users are logged in, my app POSTs the providerData.uc.id_token to the backend for verification with Google's back-end authorization library.

However, very recently, the pwa-auth component returns ID tokens that are simply invalid. I have copied the raw tokens and checked with Google's tool which gives me a clear error: image

Since the last commit was 17 days ago, I'm not sure if this is a code issue or a change in Google's policy.

Below is my server-side verification code:

```js
// Client setup assumed from the surrounding code (not shown in the original snippet)
const { OAuth2Client } = require('google-auth-library');
const googleClient = new OAuth2Client(keys.google_sso_client_id);

googleClient.verifyIdToken({
    idToken: req.body.sso.providerData.uc.id_token, // token returned by pwa-auth
    audience: keys.google_sso_client_id
}).then(ticket => ticket.getPayload()).then((payload) => {
    // verify the payload contents against user database, etc.
});
```

Below is the logs for my server:

```
Feb  5 12:35:30 ip-xxx-xx-xx-xx web: Error: No pem found for envelope: {"alg":"RS256","kid":"--------------------------------------------------","typ":"JWT"}
Feb  5 12:35:30 ip-xxx-xx-xx-xx web: at OAuth2Client.verifySignedJwtWithCertsAsync (/var/app/current/node_modules/google-auth-library/build/src/auth/oauth2client.js:558:19)
Feb  5 12:35:30 ip-xxx-xx-xx-xx web: at OAuth2Client.verifyIdTokenAsync (/var/app/current/node_modules/google-auth-library/build/src/auth/oauth2client.js:394:34)
Feb  5 12:35:30 ip-xxx-xx-xx-xx web: at processTicksAndRejections (internal/process/task_queues.js:97:5)
```

edit: It seems that this only happens when the webapp is running on the Netlify build server. The code deployed to the server and run locally is the same, but when run locally, it verifies the token correctly and returns a valid payload. This makes it really hard to debug, so I'm not sure what more information I can provide.

shaunakg avatar Feb 05 '21 12:02 shaunakg

Was this resolved? What was the issue?

llaenowyd avatar Mar 03 '21 16:03 llaenowyd

This has not been resolved. My workload is very full at the moment. I will get to this when time permits. If someone wants to look into it, please feel free to do so! The code is all open source and easy to debug.

JudahGabriel avatar Mar 19 '21 22:03 JudahGabriel

I have seen this happening quite frequently in my production app. I love this library, but for now I'll need to switch to another one, as too many users rely on Google to sign in and they are facing this issue.

AlissonRS avatar May 07 '21 04:05 AlissonRS

As a side note, this happened with Facebook tokens too.

AlissonRS avatar May 07 '21 04:05 AlissonRS

> I have seen this happening quite frequently in my production app. I love this library, but for now I'll need to switch to another one, as too many users rely on Google to sign in and they are facing this issue.

Which one are you using, if you don't mind sharing?

shaunakg avatar May 07 '21 08:05 shaunakg

Wow I thought it was such a good library until I ran into this issue :(

VityaSchel avatar Jun 03 '21 10:06 VityaSchel

Folks, if you run into an expired or non-valid token, the answer is to re-sign in the user.

I'd love to add this feature myself, but am currently swamped. Feel free to add it! The code is small and easy to change: https://github.com/pwa-builder/pwa-auth/blob/master/src/pwa-auth.ts

I'd be glad to point anyone in the right direction if they want to add that functionality.

JudahGabriel avatar Jun 08 '21 23:06 JudahGabriel

When I authenticate with Google, using the example event handler from this project's doc pwaAuth.addEventListener("signin-completed", ..., I see in the console,

```
Access token ya29.a0...GItA
Access token expiration date Sat Jun 19 2021 07:14:12 GMT-0400 (Eastern Daylight Time)
Provider (MS, Google, FB):  Google
Raw data from provider:  {
  ...
  "mc": {
    "token_type": "Bearer",
    "access_token": "ya29.a0...GItA",
    ...
    "id_token": "eyJh...6Dnw",
    ...
  }, ...
}
```

Looks like 2 different tokens in the provider response data.

This doc at developers.google.com, Authenticate with a backend server says that to verify a user's credentials use the id_token. This doc OpenID Connect describes fields, (see table about halfway down the page),

| Field | Description |
| --- | --- |
| `access_token` | A token that can be sent to a Google API. |
| `id_token` | A JWT that contains identity information about the user that is digitally signed by Google. |

Here's some code from pwa-auth where the access_token is taken while the id_token is ignored.

It's possible last time I tried using this, I just tried to use the ID featured in the examples here, but I think access_token is not really the user credential, like bearer token, perhaps rather id_token is.

Let me know, maybe it's a fix to update the linked code above to take id_token instead.

llaenowyd avatar Jun 19 '21 10:06 llaenowyd

As a workaround, it seems the id_token can be taken from the signIn.providerData manually, and the Google Oauth2 client library appears to validate that one. Demo project here.

llaenowyd avatar Jun 19 '21 18:06 llaenowyd
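The original report (verifying `providerData.uc.id_token` and getting "No pem found for envelope"), the comment above about pwa-auth handing back the opaque `access_token` alongside the signed `id_token`, and the workaround of pulling the `id_token` out of `signIn.providerData` all come down to the same server-side check. The following is an added example, not code from pwa-auth or from anyone in this thread: it locates the `id_token` in the provider data without relying on the minified inner key name (`uc` / `mc`), tells a signed JWT apart from an opaque access token before anything is sent to Google's verifier, checks `iss`, `aud` and `exp` locally so the server can log a precise reason, and only then runs signature verification. The `verifySignature` callback, the `clientId` value and the `googleSignatureVerifier` wrapper are assumptions made for this example; the wrapper uses `google-auth-library`'s `OAuth2Client.verifyIdToken`, which fetches Google's certificates over the network, so it is loaded lazily and the rest of the file runs offline.

```javascript
// Added example (not pwa-auth's own code): server-side handling of the
// provider data a pwa-auth client posts after a Google sign-in.
//
// Two different tokens arrive: an opaque OAuth access token ("ya29....",
// for calling Google APIs) and an OpenID Connect id_token (a signed JWT,
// "eyJh....", for proving identity to a backend). Only the id_token can
// be checked with verifyIdToken; an opaque token has no signed envelope
// at all, so the verifier can only fail.

const GOOGLE_ISSUERS = new Set(['https://accounts.google.com', 'accounts.google.com']);

// Decode one base64url JWT segment into an object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Classify a token before it reaches the signature verifier.
// Returns { kind: 'id_token' | 'access_token' | 'malformed', reason, header?, payload? }.
function inspectToken(token) {
  if (typeof token !== 'string' || token.length === 0) {
    return { kind: 'malformed', reason: 'missing token' };
  }
  const parts = token.split('.');
  if (parts.length !== 3) {
    // Google access tokens are opaque strings, not header.payload.signature.
    return { kind: 'access_token', reason: 'opaque (non-JWT) token' };
  }
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (e) {
    return { kind: 'malformed', reason: 'undecodable JWT segments' };
  }
  if (header.alg !== 'RS256' || !header.kid) {
    return { kind: 'malformed', reason: 'unexpected JWT header', header };
  }
  return { kind: 'id_token', reason: 'signed JWT', header, payload };
}

// Cheap local claim checks. These never replace signature verification;
// they let the server reject wrong input early with a precise log reason.
function checkClaims(payload, expectedAudience, nowSeconds) {
  const problems = [];
  if (!GOOGLE_ISSUERS.has(payload.iss)) problems.push('iss is not Google');
  if (payload.aud !== expectedAudience) problems.push('aud does not match our client id');
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) problems.push('token expired');
  return problems;
}

// Find the id_token anywhere inside the providerData object. The inner key
// ("uc" in the report, "mc" in a later comment) is minified and unstable,
// so the object is searched instead of hard-coding a key.
function extractIdToken(providerData) {
  if (!providerData || typeof providerData !== 'object') return null;
  if (typeof providerData.id_token === 'string') return providerData.id_token;
  for (const value of Object.values(providerData)) {
    const found = extractIdToken(value);
    if (found) return found;
  }
  return null;
}

// Whole server-side flow. `verifySignature(idToken, audience)` is injected
// so the flow runs without network access; in production pass
// googleSignatureVerifier() below.
async function authenticateGoogleUser(providerData, clientId, verifySignature,
                                      nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = extractIdToken(providerData);
  const info = inspectToken(token);
  if (info.kind !== 'id_token') {
    return { ok: false, reason: `not a Google ID token: ${info.reason}` };
  }
  const problems = checkClaims(info.payload, clientId, nowSeconds);
  if (problems.length) return { ok: false, reason: problems.join('; ') };
  // Signature check against Google's published certificates (networked).
  const payload = await verifySignature(token, clientId);
  if (!payload) return { ok: false, reason: 'signature verification failed' };
  return { ok: true, sub: payload.sub, email: payload.email };
}

// Production verifier: needs google-auth-library installed, so it is
// required lazily and nothing else in this file depends on it.
function googleSignatureVerifier() {
  const { OAuth2Client } = require('google-auth-library');
  return async (idToken, audience) => {
    const client = new OAuth2Client(audience);
    const ticket = await client.verifyIdToken({ idToken, audience });
    return ticket.getPayload();
  };
}
```

In a request handler this becomes `await authenticateGoogleUser(req.body.sso.providerData, keys.google_sso_client_id, googleSignatureVerifier())`; a `reason` of `not a Google ID token: opaque (non-JWT) token` in the server log is the signal that the client sent the access token rather than the id_token.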

> As a workaround, it seems the id_token can be taken from the signIn.providerData manually, and the Google Oauth2 client library appears to validate that one. Demo project here.

Can confirm that this is working in my project 👍 Google library authenticates user with id token, validates client id and returns user profile information

VityaSchel avatar Jun 20 '21 17:06 VityaSchel

This issue has been marked as "needs attention 👋" due to no activity for 15 days. Please triage the issue so the fix can be established.

ghost avatar Feb 28 '22 08:02 ghost

This issue has been marked as "needs attention 👋" due to no activity for 15 days. Please triage the issue so the fix can be established.

ghost avatar Mar 15 '22 11:03 ghost

This issue has been marked as "needs attention 👋" due to no activity for 15 days. Please triage the issue so the fix can be established.

ghost avatar Mar 30 '22 11:03 ghost