
Credentials jwt "aud" #464

Open
nikoloutsa opened this issue Mar 20, 2020 · 8 comments
Labels
type: question Request for information or clarification. Not an issue.

Comments

@nikoloutsa

Hello, I am trying to authenticate with the Credentials class, a service_account file, and a proxy for the Google OAuth token endpoint.
So by setting the token_uri in the service_account file

  "token_uri": "https://example.com/oauth2/token",

after authenticating

credentials = service_account.Credentials.from_service_account_file(
            SERVICE_ACCOUNT_JSON_FILE, scopes=SCOPES)

I get a JWT grant error “Invalid JWT: Failed audience check.”

By inspecting the auth library the JWT "aud" is set to the token_uri,

and there is no option to set it to the default

"aud": "https://oauth2.googleapis.com/token",

as suggested in the documentation

Is this the expected behaviour? If yes, how should I use my proxy to authenticate?

Thank you

@nikoloutsa nikoloutsa changed the title Credentials target_audience Credentials jwt "aud" Mar 20, 2020
@yoshi-automation yoshi-automation added the triage me I really want to be triaged. label Mar 21, 2020
@busunkim96 busunkim96 added type: question Request for information or clarification. Not an issue. and removed triage me I really want to be triaged. labels Mar 24, 2020
@busunkim96 busunkim96 self-assigned this Mar 24, 2020
@busunkim96
Contributor

Hi @nikoloutsa,

Could you let us know what you're looking to accomplish by overriding the default token URI?

If you need to use a token_uri different from the one specified in the file you can construct the Credential manually using the constructor.

@nikoloutsa
Author

Hi, so my problem is not how to set the token_uri variable, but how to achieve the authentication via a proxy endpoint.
So following the test code here:
I get the JWT grant error because of the required claims in the JWT claim

"aud": A descriptor of the intended target of the assertion. When making an access token request this value is always https://oauth2.googleapis.com/token.

and not using the custom token_uri variable.

Hope this is more clear, thank you.

@busunkim96
Contributor

Ah I see. You're correct, there is no way to make the token_uri in the payload different from the one provided in the service account file.

Is there a technical reason preventing you from allowing the auth request to be made directly to the Google OAuth2 endpoint?

@nikoloutsa
Author

Actually yes, I have deployed my code on a node that has no internet access, but I can send requests via a proxy as I said (https://example.com/oauth2/token) that would forward the requests to "https://oauth2.googleapis.com/token".

@aman-sai

aman-sai commented Apr 6, 2021

@nikoloutsa did you find a workaround for it? I too have the same problem forwarding requests through a proxy.

@nikoloutsa
Author

For my case the workaround was to hard-code the payload url inside: site-packages/google/oauth2/service_account.py

Just search for the "aud": self._token_uri and set the correct URL; you will find it in two places.

    def _make_authorization_grant_assertion(self):
        ....
        payload = {
            .....
            "aud": self._token_uri,
        }
        # added after the payload is built: override the audience claim
        payload["aud"] = "https://oauth2.googleapis.com/token"

Not sure if this is the best fix, but for my case it seems to work flawlessly.
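The two comments above (the failed audience check when "aud" is copied from a proxy token_uri, and the workaround of pinning "aud" to Google's endpoint) can be reproduced in one self-contained model. The following is an added example, not code from this thread or from the google-auth library: it builds a jwt-bearer assertion whose "aud" either follows token_uri or is pinned separately, and a small server-side check that rejects the assertion the same way the thread's error does. The HMAC-SHA256 signature with a shared key is an assumption made so the example runs offline; the real flow signs with the service account's RS256 private key. All constants, the client email and the scopes are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example: Google's token endpoint as quoted in the
# thread, and a stand-in for the issue's proxy URL.
GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
PROXY_TOKEN_URI = "https://example.com/oauth2/token"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as compact JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_grant_assertion(client_email, token_uri, scopes, key, audience=None, now=None):
    """Build the jwt-bearer grant assertion.

    With audience=None the "aud" claim is copied from token_uri (the behaviour
    the thread describes). Passing audience decouples the claim from the URL
    the request is actually sent to. Signing is HMAC-SHA256 with a shared key,
    an assumption for this demo; the real flow uses the RS256 service-account key.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": client_email,
        "scope": " ".join(scopes),
        "aud": token_uri if audience is None else audience,
        "iat": now,
        "exp": now + 3600,
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def decode_claims(assertion):
    """Return the (unverified) payload claims of a compact JWT."""
    return json.loads(_b64url_decode(assertion.split(".")[1]))


def check_assertion(assertion, key, expected_aud=GOOGLE_TOKEN_ENDPOINT, now=None):
    """Model the token endpoint's checks: signature, expiry, then audience.

    Returns (True, "ok") or (False, reason); the audience failure reuses the
    message quoted in the thread.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = assertion.split(".")
    except ValueError:
        return False, "Invalid JWT: malformed token."
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "Invalid JWT: signature check failed."
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return False, "Invalid JWT: token expired."
    if claims.get("aud") != expected_aud:
        return False, "Invalid JWT: Failed audience check."
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    email = "demo@example.iam.gserviceaccount.com"  # constructed
    scopes = ["https://www.googleapis.com/auth/cloud-platform"]
    # "aud" copied from the proxy token_uri: rejected, as reported in the thread
    bad = make_grant_assertion(email, PROXY_TOKEN_URI, scopes, key)
    print(decode_claims(bad)["aud"], check_assertion(bad, key))
    # "aud" pinned to Google's endpoint while the request still goes to the proxy
    good = make_grant_assertion(email, PROXY_TOKEN_URI, scopes, key, audience=GOOGLE_TOKEN_ENDPOINT)
    print(decode_claims(good)["aud"], check_assertion(good, key))
```

The point the model makes explicit is that the audience is a property of the assertion's consumer, not of the transport path: a forwarding proxy can change where the POST goes, but the claim inside the signed assertion must still name the endpoint that will validate it, which is why the workaround sets "aud" independently of token_uri.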

@BorjaDiago

BorjaDiago commented Jul 16, 2021

Same happens to me, but in my case I won't use it in a local environment; I need to deploy it in an App Engine application, so I can't make that change.

It is worth noting that in my credentials file, the variable "token_uri" has the value https://accounts.google.com/o/oauth2/token, that is the same value that the "audience" is supposed to have.

Is there any alternative solution to be able to deploy in productive environments?

Maybe it is related to the credential creation date? The one I am using was created in 2016.

Regards.

@BorjaDiago

BorjaDiago commented Jul 20, 2021

Hi, I have found my own solution, and it is to change the value of the "token_uri" to https://oauth2.googleapis.com/token.

I guess the google.oauth2 library expects this value instead of https://accounts.google.com/o/oauth2/token, and I noticed this because when creating a new service account for testing, the value of "token_uri" was https://oauth2.googleapis.com/token.

It seems that old service accounts are not created in the same way as the current ones, and therefore, if you use deprecated libraries like oauth2client the value of "token_uri" should be https://accounts.google.com/o/oauth2/token and if you use the google.oauth2 library the value of "token_uri" should be https://oauth2.googleapis.com/token.

I hope this may help someone in the future, while someone more knowledgeable weighs in on the matter.

Kind regards.

5 participants