Use "https://accounts.google.com" as issuer to validate JWT tokens #17
tangiel merged 3 commits into cloudendpoints:master
Conversation
Current coverage is 80.44% (diff: 75.00%)

@@            master    #17    diff @@
Files            155    155
Lines           5009   5012     +3
Methods            0      0
Messages           0      0
Branches         842    842
+ Hits          4030   4032     +2
  Misses         716    716
- Partials       263    264     +1
I believe JWTs with "accounts.google.com" are still being issued and this change will break them. Possible solutions would be:
Do you have a preference? @tangiel
…lt issuers for JWT tokens
Indeed, according to the documentation, both issuers can be used: I submitted a new change that should support both issuers, but I'm not sure it would be enough.
lookuptable left a comment
Thank you for contributing. Just one minor comment.
| Constant.GOOGLE_ID_TOKEN_NAME, "accounts.google.com", | ||
| "https://www.googleapis.com/oauth2/v1/certs"); | ||
| public static final IssuerConfig GOOGLE_ID_TOKEN_ISSUER_ALT = new IssuerConfig( | ||
| Constant.GOOGLE_ID_TOKEN_NAME + "_alt", "https://accounts.google.com", |
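Review bot: The second IssuerConfig (the "_alt" entry) is cut off on this page before its certs URL; it has to point at the same endpoint as the first entry, "https://www.googleapis.com/oauth2/v1/certs" on the preceding line, because both issuer strings name the same Google signer and the only thing that legitimately differs between the two entries is the accepted "iss" value. Hoist that URL into a constant next to GOOGLE_ID_TOKEN_NAME so the two entries cannot drift apart, and put a one-line comment above the pair saying why two issuer entries exist (Google has emitted both "accounts.google.com" and "https://accounts.google.com"); without it a later cleanup is likely to delete the "_alt" entry as an apparent duplicate and reintroduce the breakage this PR is fixing.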
Can we define another constant in Constant.java instead of doing string concatenation everywhere?
Also, I'd prefer suffixing it with "_https" instead of "_alt" to be more explicit.
All the JWT tokens issued by Google currently have https://accounts.google.com as their issuer.
Below is an example of a JWT token generated today using the OAuth2 playground.
It seems like the issuer has been changing back and forth from "accounts.google.com" to "https://accounts.google.com" recently (see my comment on this post)
This change switches back to https://accounts.google.com as the issuer; it fixes the endpoints v2 backend sample.
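The issuer check the thread converges on, accepting both "accounts.google.com" and "https://accounts.google.com" exactly and nothing else, as an added stand-alone example. It is written in Python rather than the project's Java and is not code from this PR or from endpoints-java. The sample tokens are constructed with an empty signature purely to exercise the claim checks; the client ID, subject and timestamps are made up. Real Google ID tokens are RS256-signed, and the signature must be verified against the certs URL named in the review snippet above before any of these claims are trusted.

```python
"""Claim checks for a Google ID token that accept both spellings of the issuer.

Added example, not endpoints-java code. Signature verification (RS256 against
Google's published certs) is assumed to have already succeeded; this module
only shows the issuer/audience/expiry checks the PR discussion is about.
"""
import base64
import json
import time

# Both "iss" values Google has used for ID tokens. Membership is an exact
# string match: "http://accounts.google.com" or a look-alike domain is rejected.
GOOGLE_ISSUERS = frozenset({"accounts.google.com", "https://accounts.google.com"})

# Constructed values for the sample tokens below (hypothetical client ID).
SAMPLE_AUDIENCE = "1234567890-abc.apps.googleusercontent.com"
SAMPLE_NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build header.payload. with an empty signature.

    Constructed for the example only: a real verifier must reject a token
    whose signature does not validate against the issuer's keys.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Split the compact JWT and parse the payload segment."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, audience: str, now=None,
                    allowed_issuers=GOOGLE_ISSUERS):
    """Return None when the claims are acceptable, else a short rejection reason."""
    now = time.time() if now is None else now
    iss = claims.get("iss")
    if iss not in allowed_issuers:
        return f"unexpected issuer {iss!r}"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        return "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return "token expired or missing exp"
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat > now + 60:  # small clock-skew allowance
        return "token issued in the future"
    if not claims.get("sub"):
        return "missing subject"
    return None


def check_token(token: str, audience: str, now=None):
    """Decode and validate; returns None on success or the rejection reason."""
    return validate_claims(decode_claims(token), audience, now)


def sample_token(iss: str) -> str:
    # Constructed claims: subject and times are made up.
    return make_unsigned_token({
        "iss": iss,
        "sub": "1234567890",
        "aud": SAMPLE_AUDIENCE,
        "iat": SAMPLE_NOW - 60,
        "exp": SAMPLE_NOW + 3540,
    })


if __name__ == "__main__":
    for iss in ("accounts.google.com", "https://accounts.google.com",
                "http://accounts.google.com", "accounts.google.com.example"):
        print(f"{iss:35} -> {check_token(sample_token(iss), SAMPLE_AUDIENCE, SAMPLE_NOW) or 'ok'}")
```

Keeping the allowed issuers in a set rather than normalising the scheme away means the check cannot be widened by accident: only the two strings Google actually emits pass, and a token for a different audience or past its expiry is still refused regardless of issuer.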