firebase · hiranya911 · Jul 17, 2018 · Jul 17, 2018
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,8 @@
 - [added] The Admin SDK can now read the Firebase/GCP project ID from
   both `GCLOUD_PROJECT` and `GOOGLE_CLOUD_PROJECT` environment
   variables.
+- [fixed] Using the default, unauthorized HTTP client to retrieve
+  public keys when verifying ID tokens.
 
 # v3.1.0
 

diff --git a/auth/auth.go b/auth/auth.go
@@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
 	"strings"
 
 	"golang.org/x/net/context"
@@ -128,7 +129,7 @@ func NewClient(ctx context.Context, conf *internal.AuthConfig) (*Client, error)
 
 	return &Client{
 		is:        is,
-		keySource: newHTTPKeySource(idTokenCertURL, hc),
+		keySource: newHTTPKeySource(idTokenCertURL, http.DefaultClient),
 		projectID: conf.ProjectID,
 		signer:    signer,
 		version:   "Go/Admin/" + conf.Version,

diff --git a/auth/token_verifier.go b/auth/token_verifier.go
@@ -24,6 +24,7 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"net/http"
 	"strconv"
@@ -98,6 +99,9 @@ func (k *httpKeySource) refreshKeys(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("invalid response (%d) while retrieving public keys: %s", resp.StatusCode, string(contents))
+	}
 	newKeys, err := parsePublicKeys(contents)
 	if err != nil {
 		return err