Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: fix IdTokenVerifier so it does not cache empty entries #892

Merged
merged 23 commits into from Jun 2, 2022
Merged

fix: fix IdTokenVerifier so it does not cache empty entries #892

merged 23 commits into from Jun 2, 2022

Conversation

TimurSadykov
Copy link
Member

Fixes idtoken verifier so that it will not cache empty entries in cases of intermittent problems accessing the keystore

Also, it makes the payload verification protected so child classes can use it separately in case they do signature verification themselves

Fixes #891 ☕️

TimurSadykov and others added 19 commits March 23, 2022 03:16
@TimurSadykov
verifier signature fix port
acb985f
@TimurSadykov
more test cases
1c16f8f
@gcf-owl-bot
🦉 Updates from OwlBot post-processor
872f5f6 
See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md
@TimurSadykov
fix: more test fixes
70ac584
@gcf-owl-bot
🦉 Updates from OwlBot post-processor
5dde913 
See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md
@TimurSadykov @suztomo
Update google-oauth-client/src/main/java/com/google/api/client/auth/o…
5c83d47 
…penidconnect/IdTokenVerifier.java

Co-authored-by: Tomo Suzuki <suztomo@google.com>
@gcf-owl-bot
🦉 Updates from OwlBot post-processor
17affb3 
See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md
@TimurSadykov
fix: restored original interface for verifier, added default http fac…
4d34201 
…tory
@gcf-owl-bot
🦉 Updates from OwlBot post-processor
9611f53 
See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md
@TimurSadykov @suztomo
Update google-oauth-client/src/main/java/com/google/api/client/auth/o…
8b55b29 
…penidconnect/IdTokenVerifier.java

Co-authored-by: Tomo Suzuki <suztomo@google.com>
@TimurSadykov @suztomo
Update google-oauth-client/src/main/java/com/google/api/client/auth/o…
813bb20 
…penidconnect/IdTokenVerifier.java

Co-authored-by: Tomo Suzuki <suztomo@google.com>
@TimurSadykov
doc fixes
e065d1a
@TimurSadykov
fix: better docs and logging of validation exceptions
1af2370
@gcf-owl-bot
🦉 Updates from OwlBot post-processor
22178ca 
See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md
@TimurSadykov @suztomo
Update google-oauth-client/src/main/java/com/google/api/client/auth/o…
c8d01d3 
…penidconnect/IdTokenVerifier.java

Co-authored-by: Tomo Suzuki <suztomo@google.com>
@TimurSadykov
nit and linter fixes
aca11aa
@TimurSadykov
Merge remote-tracking branch 'origin/main' into stim-signer
1d668f8
@TimurSadykov
fix: add verify without signature verification, remove caching empty …
6cd7d8c 
…keys
@TimurSadykov
fix: docs for a new method
964c5a8
@TimurSadykov TimurSadykov requested a review from a team as a code owner May 31, 2022 18:22
@product-auto-label product-auto-label bot added the size: m Pull request size is medium. label May 31, 2022
@TimurSadykov TimurSadykov changed the title Stim signer fix: fix IdTokenVerifier so it does not cache empty entries May 31, 2022
@TimurSadykov TimurSadykov mentioned this pull request May 31, 2022
Merged
@chingor13 chingor13 requested a review from Neenu1995 June 1, 2022 00:01
suztomo
suztomo reviewed Jun 1, 2022
View reviewed changes
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java
@@ -534,7 +560,7 @@ public Map<String, PublicKey> load(String certificateUrl) throws Exception {
Level.WARNING,
"Failed to get a certificate from certificate location " + certificateUrl,
io);
return ImmutableMap.of();
throw io;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Memo for myself.

Now this throws an exception. With Guava's LoadingCache, the exception surfaces as ExecutionException in publicKeyCache.get in verifySignature method. This verifySignature method wraps it as VerificationException. The verify method catches VerificationException, logs the SEVERE-level message, and returns false.

With this change the LoadingCache now stops caching failure result. A potential problem would be the library users calling the verify method repeatedly in a situation where the certificate location is inaccessible. From the caller's perspective, the result (getting false) remains the same. In that case IdTokenVerifier$PublicKeyLoader logs the warning message. The user can easily tell the problem. This should be fine.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, had similar thoughts on this

@TimurSadykov
Copy link
Member Author

linter failure is expected, known owl-bot issue

@TimurSadykov TimurSadykov merged commit 773b388 into main Jun 2, 2022
@TimurSadykov TimurSadykov deleted the stim-signer branch June 2, 2022 00:08
@release-please release-please bot mentioned this pull request Jun 2, 2022
Merged
gcf-merge-on-green bot pushed a commit that referenced this pull request Jun 2, 2022
@release-please
chore(main): release 1.34.0 (#894)
1598b5e 
🤖 I have created a release *beep* *boop*
---


## [1.34.0](v1.33.3...v1.34.0) (2022-06-02)


### Features

* add build scripts for native image testing in Java 17 ([#1440](https://github.com/googleapis/google-oauth-java-client/issues/1440)) ([#890](#890)) ([373891e](373891e))
* next release from main branch is 1.34.0 ([#875](#875)) ([187651e](187651e))


### Bug Fixes

* fix IdTokenVerifier so it does not cache empty entries ([#892](#892)) ([773b388](773b388))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
@TimurSadykov TimurSadykov mentioned this pull request Jun 13, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@suztomo suztomo suztomo approved these changes

@chingor13 chingor13 Awaiting requested review from chingor13

@Neenu1995 Neenu1995 Awaiting requested review from Neenu1995

Assignees
No one assigned
Labels
size: m Pull request size is medium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Failure to refresh public keys causes IdTokenVerifier to fail valid tokens
2 participants
@TimurSadykov @suztomo