No pem found for envelope (wrong 'kid' property match) #1418
Comments
|
Found the root of the problem The kid is matching a certificate that isn't provided via the urls in this library, but after looking for other public auth certs google may have, I found the firebase-admin library, which had this url in the code: However, this library doesn't include those certificates when figuring out which certificate to work with. @danielbankhead can you explain this? There's this bizarre crossover with google auth and firebase... the library is called googleSignIn in android, this is incredibly confusing and has blown away a lot of my time |
|
My workaround looks like this now... nasty but it works. import { OAuth2Client } from 'google-auth-library';
import firebase from 'firebase-admin';
const firebaseClient = firebase.initializeApp({
credential: {
// firebase credential key
});
// resolve a token to the user email's
export async function deriveEmailFromGoogleToken(
token: string
): Promise<string> {
const client = new OAuth2Client(
'CLIENT_ID_1'
);
try {
const ticket = await client.verifyIdToken({
idToken: token,
audience: [
'281074435194-iacdh6vqefvlkg5d39612ovu8qerhj9i.apps.googleusercontent.com',
'281074435194-fl6i1orvoe8i68u49emmfag840tejtba.apps.googleusercontent.com',
],
});
const result = ticket.getPayload();
return result.email;
} catch (error) {
// google auth library failed, move on
}
try {
const result = await firebaseClient
.auth()
.verifyIdToken(token);
return result.email;
} catch (error) {
// move on
}
throw new Error('no match for google sign in.');
} |
summer-ji-eng
added
priority: p2
summer-ji-eng
removed
the
priority: p2
|
@danielbankhead could you take a look at this issue? Many thanks |
danielbankhead
added
the
priority: p2
…move configs to Node 12 (googleapis#1418) (googleapis#1395) * build: make ci testing conditional on engines field in package.json, move configs to Node 12 Co-authored-by: Benjamin E. Coe <bencoe@google.com> Source-Link: googleapis/synthtool@2800f5a Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-nodejs:latest@sha256:dc7bfb4c4bf50496abbdd24bd9e4aaa833dc75248c0a9e3a7f807feda5258873 Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com> Co-authored-by: Benjamin E. Coe <bencoe@google.com>
|
@jpike88 apologies for the delay; we're working to improve the integration between this library and Firebase - I should have some updates on this and other related issues shortly. |
danielbankhead
added
type: feature request
|
Sorry for asking again, but any progress? The issue still persists |
|
@himanshu-incedo Hey! As of recent weeks, we're actively working on it internally with the Firebase team. |
|
A quick update on this ticket: We're still actively working on it, more updates to follow. |
|
Sorry for asking again but is there any updates? |
|
@ByBogon, no problem; we've completed integration preparation in this library - the Firebase team should have some public updates shortly (within a month or so) |
|
@danielbankhead |
|
@ByBogon sure thing, Firebase requires custom transporter interface and previously we didn’t have a flexible, uniform way to customize it until this larger refactor: |
|
@danielbankhead Thank you for sharing! can't wait to update its version. |
|
Current WIP to resolve this: |
google-auth-library-nodejs/src/auth/oauth2client.ts
Line 1304 in d7893c1
My code looks like this:
It works well for my iOS and web Google Sign in implementations.
For the android one, it's failing, with error:
No pem found for envelope: {"alg":"RS256","kid":"6f8e1cb15641463c6df0f33394b03c92fcc889ac","typ":"JWT"}The payload and envelope are separated correctly, it seems there is just the wrong 'kid' matching going on with the certs fetched from
getFederatedSignonCertsAsync. How can I fix this?And this is unlikely related to caching, as I had the same identical problem on local emulator, as well as a physical device, also have the same problem testing in the cloud. All freshly signed into a Google account without ever being signed into it.
The text was updated successfully, but these errors were encountered: