Requests attempt fails when it is trying to verify a token with TransportError

[francbartoli]

Does a quite old version of Requests library matter?

Describe your environment

• Operating System version: CentOS 7
• Firebase SDK version: 2.9.0
• Library version: _____
• Firebase Product: auth

Describe the problem

The problem is described here

Steps to reproduce:

user = firebase_decode_handler(key)
  File "/home/gis/development/python/apps/gee-bridge/rest_auth_firebase/firebase_sdkadm.py", line 15, in firebase_decode_handler
    decoded_token = auth.verify_id_token(id_token, check_revoked=True)
  File "/home/gis/.local/share/virtualenvs/gee-bridge-u7zdh93C/lib/python2.7/site-packages/firebase_admin/auth.py", line 104, in verify_id_token
    verified_claims = token_generator.verify_id_token(id_token)
  File "/home/gis/.local/share/virtualenvs/gee-bridge-u7zdh93C/lib/python2.7/site-packages/firebase_admin/auth.py", line 838, in verify_id_token
    audience=project_id)
  File "/home/gis/.local/share/virtualenvs/gee-bridge-u7zdh93C/lib/python2.7/site-packages/google/oauth2/id_token.py", line 159, in verify_firebase_token
    id_token, request, audience=audience, certs_url=_GOOGLE_APIS_CERTS_URL)
  File "/home/gis/.local/share/virtualenvs/gee-bridge-u7zdh93C/lib/python2.7/site-packages/google/oauth2/id_token.py", line 120, in verify_token
    certs = _fetch_certs(request, certs_url)
  File "/home/gis/.local/share/virtualenvs/gee-bridge-u7zdh93C/lib/python2.7/site-packages/google/oauth2/id_token.py", line 94, in _fetch_certs
    response = request(certs_url, method='GET')
  File "/home/gis/.local/share/virtualenvs/gee-bridge-u7zdh93C/lib/python2.7/site-packages/google/auth/transport/requests.py", line 124, in __call__
    six.raise_from(new_exc, caught_exc)
  File "/home/gis/.local/share/virtualenvs/gee-bridge-u7zdh93C/lib/python2.7/site-packages/six.py", line 737, in raise_from
    raise value
TransportError: HTTPSConnectionPool(host='www.googleapis.com', port=443): Max retries exceeded with url: /robot/v1/metadata/x509/securetoken@system.gserviceaccount.com (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fd35de70650>: Failed to establish a new connection: [Errno 11] Resource temporarily unavailable',))

Relevant Code:

def firebase_decode_handler(id_token):
    decoded_token = auth.verify_id_token(id_token, check_revoked=True)
    uid = decoded_token['uid']
    logger.debug("User={0}".format(uid))
    return uid

[hiranya911]

I don't quite understand. Are you implying that you're using a too old version of requests? Admin SDK uses requests>=2.13.0, so it will typically install the latest version of requests along with firebase_admin.

[francbartoli]

@hiranya911 you are right. Requests is the latest so I don't know why that is happening. If I understand well there shouldn't be any limitation on the number of requests for the verification of a token

[hiranya911]

The above error has nothing to do with exceeding a quota. It's a low-level network error -- possibly a Firewall issue or something of the sorts. Is this something that happens all the time, or only occasionally?

[francbartoli]

It doesn’t happen all the time but actually always if a user with a valid token has performed the same request repeatedly and the routine above checks if it is expired. The issue seems to be related with token verification imho.

[hiranya911]

Try sending some GET requests to https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com from your Python environment (use the requests library), and see how that works out. The verify_id_token() calls the above URL to download public key certificates, which is what's failing in your case.

[hiranya911]

You should also try with the latest release of the SDK (2.10.0), which caches public key certificates thereby avoiding calling the above URL on each invocation of verify_id_token().

[francbartoli]

That's cool and likely one good reason to upgrade the SDK. Give a try and I'll let you know. Thanks @hiranya911

[francbartoli]

Upgrading to latest with cache looks good. Issue disappeared