verify_oauth2_token takes a minute to complete #566

Open
bemineni opened this issue Jul 21, 2020 · 4 comments
@bemineni

Thanks for stopping by to let us know something could be better!

PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.

Please run down the following list and make sure you've tried the usual "quick fixes":

If you are still having issues, please be sure to include as much information as possible:

Environment details

  • OS type and version: Linux Mint running on Virtual box
  • Python version: 3.6.9
  • pip version: 9.0.1
  • google-api-python-client version: google-api-core (1.21.0) google-api-python-client (1.9.3) google-auth (1.19.0) google-auth-httplib2 (0.0.4) googleapis-common-protos (1.52.0)

Steps to reproduce

  1. The first call to verify_oauth2_token takes almost a minute to complete. All successive calls complete fast if the session has cachecontrol.

Code example

from google.oauth2 import id_token
from google.auth.transport import requests as googlerequests
from google.auth.exceptions import GoogleAuthError
import cachecontrol
import requests

gsession = requests.session()
gcached_session = cachecontrol.CacheControl(gsession)
grequest = googlerequests.Request(session=gcached_session)

CLIENT_ID = 'xxxxxxx.apps.googleusercontent.com'

# <id_token_from_client> is a placeholder for the ID token string sent by the client
idinfo = id_token.verify_oauth2_token(
    <id_token_from_client>, grequest, CLIENT_ID)

Stack trace

# example

Making sure to follow these steps will guarantee the quickest resolution possible.

Thanks!

@bemineni bemineni changed the title verify_oauth2_token takes a minute to complet verify_oauth2_token takes a minute to complete Jul 21, 2020
@busunkim96 busunkim96 transferred this issue from googleapis/google-api-python-client Jul 21, 2020
@busunkim96
Contributor

Hi @bemineni,

Was this faster in previous versions of the library?

@busunkim96 busunkim96 added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Jul 21, 2020
@bemineni
Author

bemineni commented Jul 21, 2020

I started to use this library for the first time recently for new project development. I see a delay only in the very first call. Is there any way I can debug and provide you more logs?

@busunkim96
Contributor

Hmm, the only network call that's being made is to fetch the certificates, and I wouldn't expect it to take that long.

def _fetch_certs(request, certs_url):
    """Fetches certificates.

    Google-style certificate endpoints return JSON in the format of
    ``{'key id': 'x509 certificate'}``.

    Args:
        request (google.auth.transport.Request): The object used to make
            HTTP requests.
        certs_url (str): The certificate endpoint URL.

    Returns:
        Mapping[str, str]: A mapping of public key ID to x.509 certificate
            data.
    """
    response = request(certs_url, method="GET")
    if response.status != http_client.OK:
        raise exceptions.TransportError(
            "Could not fetch certificates at {}".format(certs_url)
        )
    return json.loads(response.data.decode("utf-8"))

Could you try increasing the logging level and verifying that the HTTP request is the bottleneck?

import logging

logging.basicConfig(level=logging.DEBUG)

@busunkim96 busunkim96 added type: question Request for information or clarification. Not an issue. and removed priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Jul 25, 2020
@ievgennaida

ievgennaida commented Jan 27, 2021

@busunkim96 For me it's also taking long, depends on environment.

I have noticed that usually this function gives an additional 0,5 - 1s of overhead while the token is verified from a header on each call.

I would like to use cert request cache like it's described in the comments but the explanation is not giving the idea of a fallback when certs are expired.

Could you please give a more explicit description of what to expect when a cert is expired and how to request new certs in this fallback case?

Thanks in advance!
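One way to cache the `{'key id': 'x509 certificate'}` mapping with a fallback for expired or rotated certificates, as an added example that is not google-auth's own code. `CertCache`, its `fetch` callable and the `default_ttl` / `min_refetch` parameters are hypothetical, and it assumes the endpoint's `Cache-Control: max-age` value governs how long the mapping may be reused.

```python
import re
import time


class CertCache:
    """Caches a {'key id': 'x509 certificate'} mapping and refetches on expiry."""

    def __init__(self, fetch, clock=time.monotonic, default_ttl=300, min_refetch=60):
        # fetch (hypothetical): callable returning (certs_dict, cache_control_header)
        self._fetch = fetch
        self._clock = clock
        self._default_ttl = default_ttl   # used when no max-age is present
        self._min_refetch = min_refetch   # floor between refetches for unknown key ids
        self._certs = {}
        self._expires = 0.0
        self._last_fetch = None
        self.fetch_count = 0

    def _refresh(self):
        certs, cache_control = self._fetch()
        match = re.search(r"max-age=(\d+)", cache_control or "")
        ttl = int(match.group(1)) if match else self._default_ttl
        now = self._clock()
        self._certs = dict(certs)
        self._expires = now + ttl
        self._last_fetch = now
        self.fetch_count += 1

    def get(self, key_id):
        """Return the certificate for key_id, or None if the token must be rejected."""
        now = self._clock()
        if self._last_fetch is None or now >= self._expires:
            self._refresh()   # first use, or the cached mapping has expired
        elif key_id not in self._certs and now - self._last_fetch >= self._min_refetch:
            # Unknown key id: the signing keys may have rotated. The floor stops
            # tokens with made-up key ids from forcing a fetch on every request.
            self._refresh()
        return self._certs.get(key_id)


if __name__ == "__main__":
    # Constructed sample data: a fake endpoint response and a fake clock.
    fake_now = [0.0]
    cache = CertCache(lambda: ({"kid-a": "CERT-A"}, "public, max-age=3600"),
                      clock=lambda: fake_now[0])
    print(cache.get("kid-a"), cache.get("unknown"), cache.fetch_count)
```

A `None` result means the token's key id is not in the current mapping, so verification should fail rather than fall back to any other certificate.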
