Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: add signature verification to IdTokenVerifier #861

Merged
merged 17 commits into from Apr 13, 2022
Merged

fix: add signature verification to IdTokenVerifier #861

merged 17 commits into from Apr 13, 2022

Conversation

TimurSadykov
Copy link
Member

@TimurSadykov TimurSadykov commented Mar 25, 2022
edited

@TimurSadykov TimurSadykov requested a review from a team as a code owner March 25, 2022 22:41
@suztomo
Copy link
Member

suztomo commented Mar 29, 2022

Lint is failing:

Error:  Found 7 non-complying files, failing build
Error:  To fix formatting errors, run "mvn com.coveo:fmt-maven-plugin:format"
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeResponseUrl.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/StoredCredential.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthGetAccessToken.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/AbstractOAuthGetToken.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthAuthorizeTemporaryTokenUrl.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthGetTemporaryToken.java

suztomo
suztomo reviewed Mar 29, 2022
View reviewed changes
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated
return (issuers == null || idToken.verifyIssuer(issuers))
&& (audience == null || idToken.verifyAudience(audience))
&& idToken.verifyTime(clock.currentTimeMillis(), acceptableTimeSkewSeconds);
public boolean verify(IdToken idToken) throws VerificationException {
Copy link
Member

@suztomo suztomo Mar 29, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you improve the Javadoc that explains the newly-added case?

Creating a new function IdToken.verifySignature() will fit better in the implementation.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised the breaking change detector doesn't see adding a checked exception as a breaking change.

It also feels a bit weird to have 2 different mechanisms for indicating an invalid token. In the google-auth-library implementation, we only throw VerificationExceptions (to be able to communicate why it failed). This legacy implementation already is hiding why the token in invalid.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another option, in line with Tomo's suggestion is to add a new verifySignature method that throws VerificationException. verify could call verifySignature and catch the exception and return false (to not change the interface)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, thanks, especially the exception :)

suztomo
suztomo reviewed Mar 29, 2022
View reviewed changes
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated Show resolved Hide resolved
...oauth-client/src/test/java/com/google/api/client/auth/openidconnect/IdTokenVerifierTest.java Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated
Comment on lines 478 to 480
jwks = response.parseAs(JsonWebKeySet.class);
} catch (IOException io) {
return ImmutableMap.of();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't show any error or exceptions when the certificate doesn't have the expected format. Is there.a good way to report the problem?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The suggestion definitely makes sense, I left it as is since it looks as intentional. I tried to figure out the background for this and it looks like - it is related to LoadingCache implementation, like unable to throw checked exception from runner or throwing RuntimeExceptions etc. My call is to leave this specific one as is to avoid gotchas because:

  1. it does not seem to be a pain point for other library
  2. we want to error on the side of reliability at the moment, we can improve experience later
  3. library is already officially deprecated

@chingor13 are you ok with that?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about logging (java.util.logging.Logger) with warn level?

@TimurSadykov TimurSadykov self-assigned this Mar 29, 2022
chingor13
chingor13 requested changes Mar 30, 2022
View reviewed changes
google-oauth-client/pom.xml Outdated Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/Environment.java Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated
this.publicKeyCache =
CacheBuilder.newBuilder()
.expireAfterWrite(1, TimeUnit.HOURS)
.build(new PublicKeyLoader(builder.httpTransportFactory));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

httpTransportFactory is now required or you'll get a NPE later. We generally prefer to use preconditions to throw the NPE early for required attributes (using guava's Preconditions.checkNotNull)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, thanks, I think here we want to set a default ourselves in case of null, otherwise it is going to be a breaking change

google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated
return (issuers == null || idToken.verifyIssuer(issuers))
&& (audience == null || idToken.verifyAudience(audience))
&& idToken.verifyTime(clock.currentTimeMillis(), acceptableTimeSkewSeconds);
public boolean verify(IdToken idToken) throws VerificationException {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised the breaking change detector doesn't see adding a checked exception as a breaking change.

It also feels a bit weird to have 2 different mechanisms for indicating an invalid token. In the google-auth-library implementation, we only throw VerificationExceptions (to be able to communicate why it failed). This legacy implementation already is hiding why the token in invalid.

google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated
return (issuers == null || idToken.verifyIssuer(issuers))
&& (audience == null || idToken.verifyAudience(audience))
&& idToken.verifyTime(clock.currentTimeMillis(), acceptableTimeSkewSeconds);
public boolean verify(IdToken idToken) throws VerificationException {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another option, in line with Tomo's suggestion is to add a new verifySignature method that throws VerificationException. verify could call verifySignature and catch the exception and return false (to not change the interface)

suztomo
suztomo reviewed Mar 31, 2022
View reviewed changes
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Show resolved Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated Show resolved Hide resolved
@suztomo
Copy link
Member

suztomo commented Mar 31, 2022

The failing lint check is addressed in #863 (merged)

TimurSadykov and others added 2 commits April 11, 2022 18:05
@TimurSadykov @suztomo
Update google-oauth-client/src/main/java/com/google/api/client/auth/o…
c8d01d3 
…penidconnect/IdTokenVerifier.java

Co-authored-by: Tomo Suzuki <suztomo@google.com>
@TimurSadykov
nit and linter fixes
aca11aa
@suztomo
Copy link
Member

suztomo commented Apr 12, 2022

@chingor13 PTAL

@suztomo
Copy link
Member

suztomo commented Apr 12, 2022

Memo: OwlBot reverted the lint fix (#863) in the commit below (right after I merged 863), and now lint is failing in main (So this PR 861 is irrelevant to the lint failure). The lint is not a required check.

b2b2e43

@TimurSadykov TimurSadykov merged commit 22419d6 into main Apr 13, 2022
@TimurSadykov TimurSadykov deleted the stim-signer branch April 13, 2022 18:21
@release-please release-please bot mentioned this pull request Apr 13, 2022
Merged
grgrzybek pushed a commit to jboss-fuse/google-oauth-java-client that referenced this pull request May 17, 2022
@TimurSadykov @grgrzybek
[ENTESB-18995] fix: add signature verification to IdTokenVerifier (go…
461177b 
…ogleapis#861)

* previously missing signature validation ported from google-auth-library-java
* test cases

Co-authored-by: Tomo Suzuki <suztomo@google.com>
(cherry picked from commit 22419d6)
grgrzybek pushed a commit to jboss-fuse/google-oauth-java-client that referenced this pull request May 18, 2022
@TimurSadykov @grgrzybek
[ENTESB-18995] fix: add signature verification to IdTokenVerifier (go…
71db8ca 
…ogleapis#861)

* previously missing signature validation ported from google-auth-library-java
* test cases

Co-authored-by: Tomo Suzuki <suztomo@google.com>
(cherry picked from commit 22419d6)
grgrzybek pushed a commit to jboss-fuse/google-oauth-java-client that referenced this pull request May 18, 2022
@TimurSadykov @grgrzybek
[ENTESB-18995] fix: add signature verification to IdTokenVerifier (go…
3185e87 
…ogleapis#861)

* previously missing signature validation ported from google-auth-library-java
* test cases

Co-authored-by: Tomo Suzuki <suztomo@google.com>
(cherry picked from commit 22419d6)
EmpireMyDev
EmpireMyDev reviewed Dec 29, 2022
View reviewed changes
Copy link

@EmpireMyDev EmpireMyDev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice

@SamHeadrickCx SamHeadrickCx mentioned this pull request Mar 14, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@EmpireMyDev EmpireMyDev EmpireMyDev left review comments

@suztomo suztomo suztomo approved these changes

@chingor13 chingor13 chingor13 approved these changes

@lesv lesv Awaiting requested review from lesv

Assignees

@TimurSadykov TimurSadykov

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

IdTokenVerifier does not verify the signature of ID Token
4 participants
@TimurSadykov @suztomo @chingor13 @EmpireMyDev