Failure to refresh public keys causes IdTokenVerifier to fail valid tokens #891
Assignees
Labels
priority: p1
Important issue which blocks shipping the next release. Will be fixed prior to next release.
Comments
TimurSadykov
added
the
priority: p1
|
Thanks for reporting. The 1.33.3 adds an important security fix that requires public keys to be fetched from the public store. It look like sometimes the store is unaccessible at the time of public key fetch and library then does not retry for an hour. We will fix that. After the fix you can expect some rate of failures is the public key store is unavailable, but the 1 hour delay will be gone. |
|
To make it even better for the use case when the Verifier of the library already used by a wrapper with its owned signature verification - we will add a constructor that disables underlying validation. And we will update Google-owned wrappers to instantiate it correctly. |
This was referenced May 26, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
After rolling out the v1.33.3 release, we've experienced a few transient 1 hour outages for OIDC token verification.
Logs show:
And then all attempts to validate tokens fail with:
For 1 hour straight until the cache of the empty map expires and a new cert refresh succeeds:
google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java
Line 165 in c1b1468
We believe that the implementation should not evict previously known public keys in the event of a refresh failure (which could happen for many different reasons).
The text was updated successfully, but these errors were encountered: