Credential fetching exceptions aren't being handled #474

tscni · 2023-06-19T12:13:30Z

Package name and version: google/gax:1.20.2, google/auth:1.28.0

In CredentialsWrapper, exceptions thrown from google/auth aren't being handled (annotated or converted to ApiException).

Example stack trace:

GuzzleHttp\Exception\ConnectException:
cURL error 7: Failed to connect to oauth2.googleapis.com port 443: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://oauth2.googleapis.com/token

  at /app/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:210
  at GuzzleHttp\Handler\CurlFactory::createRejection()
     (/app/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:158)
  at GuzzleHttp\Handler\CurlFactory::finishError()
     (/app/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:110)
  at GuzzleHttp\Handler\CurlFactory::finish()
     (/app/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php:47)
  at GuzzleHttp\Handler\CurlHandler->__invoke()
     (/app/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php:28)
  at GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler\{closure}()
     (/app/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php:48)
  at GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler\{closure}()
     (/app/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php:64)
  at GuzzleHttp\PrepareBodyMiddleware->__invoke()
     (/app/vendor/guzzlehttp/guzzle/src/Middleware.php:31)
  at GuzzleHttp\Middleware::GuzzleHttp\{closure}()
     (/app/vendor/guzzlehttp/guzzle/src/RedirectMiddleware.php:71)
  at GuzzleHttp\RedirectMiddleware->__invoke()
     (/app/vendor/guzzlehttp/guzzle/src/Middleware.php:63)
  at GuzzleHttp\Middleware::GuzzleHttp\{closure}()
     (/app/vendor/guzzlehttp/guzzle/src/HandlerStack.php:75)
  at GuzzleHttp\HandlerStack->__invoke()
     (/app/vendor/guzzlehttp/guzzle/src/Client.php:331)
  at GuzzleHttp\Client->transfer()
     (/app/vendor/guzzlehttp/guzzle/src/Client.php:107)
  at GuzzleHttp\Client->sendAsync()
     (/app/vendor/guzzlehttp/guzzle/src/Client.php:123)
  at GuzzleHttp\Client->send()
     (/app/vendor/google/auth/src/HttpHandler/Guzzle6HttpHandler.php:47)
  at Google\Auth\HttpHandler\Guzzle6HttpHandler->__invoke()
     (/app/vendor/google/auth/src/OAuth2.php:566)
  at Google\Auth\OAuth2->fetchAuthToken()
     (/app/vendor/google/auth/src/Credentials/UserRefreshCredentials.php:114)
  at Google\Auth\Credentials\UserRefreshCredentials->fetchAuthToken()
     (/app/vendor/google/auth/src/CredentialsLoader.php:221)
  at Google\Auth\CredentialsLoader->updateMetadata()
     (/app/vendor/google/auth/src/FetchAuthTokenCache.php:229)
  at Google\Auth\FetchAuthTokenCache->updateMetadata()
     (/app/vendor/google/gax/src/CredentialsWrapper.php:216)
  at Google\ApiCore\CredentialsWrapper->Google\ApiCore\{closure}()
  at Grpc\Call->startBatch()
     (/app/vendor/grpc/grpc/src/lib/UnaryCall.php:44)
  at Grpc\UnaryCall->start()
     (/app/vendor/grpc/grpc/src/lib/BaseStub.php:295)
  at Grpc\BaseStub->Grpc\{closure}()
     (/app/vendor/grpc/grpc/src/lib/BaseStub.php:545)
  at Grpc\BaseStub->_simpleRequest()
     (/app/vendor/google/gax/src/Transport/GrpcTransport.php:223)
  at Google\ApiCore\Transport\GrpcTransport->startUnaryCall()
     (/app/vendor/google/gax/src/GapicClientTrait.php:751)
  at Google\Cloud\Retail\V2\Gapic\PredictionServiceGapicClient->Google\ApiCore\{closure}()
     (/app/vendor/google/gax/src/Middleware/CredentialsWrapperMiddleware.php:61)
  at Google\ApiCore\Middleware\CredentialsWrapperMiddleware->__invoke()
     (/app/vendor/google/gax/src/Middleware/FixedHeaderMiddleware.php:69)
  at Google\ApiCore\Middleware\FixedHeaderMiddleware->__invoke()
     (/app/vendor/google/gax/src/Middleware/RetryMiddleware.php:88)
  at Google\ApiCore\Middleware\RetryMiddleware->__invoke()
     (/app/vendor/google/gax/src/Middleware/OptionsFilterMiddleware.php:63)
  at Google\ApiCore\Middleware\OptionsFilterMiddleware->__invoke()
     (/app/vendor/google/gax/src/GapicClientTrait.php:726)
  at Google\Cloud\Retail\V2\Gapic\PredictionServiceGapicClient->startCall()
     (/app/vendor/google/cloud-retail/src/V2/Gapic/PredictionServiceGapicClient.php:352)

The text was updated successfully, but these errors were encountered:

yash30201 · 2023-07-26T09:17:14Z

Hi @tscni, thanks for raising this.

Can you please provide a repro case for this error so that I can try this out at my end?
Also, can you try doing this with latest versions of gax-php and auth and see if the error exists?

tscni · 2023-07-26T14:27:25Z

Sure (I'm using google/cloud-retail as an example here)

Use PHP 8.1 (the version shouldn't matter) + necessary common extensions (like curl)

Create the following files in a new direfctory

composer.json

{
   "require": {
       "google/auth": "1.28.0",
       "google/cloud-retail": "1.4.0",
       "google/gax": "1.21.1"
   }
}

index.php

<?php

use Google\Cloud\Retail\V2\PredictionServiceClient;
use Google\Cloud\Retail\V2\UserEvent;

require __DIR__ . '/vendor/autoload.php';

$client = new PredictionServiceClient([
    'credentials' => [
        'type' => 'authorized_user',
        'client_id' => 'invalid',
        'client_secret' => 'invalid',
        'refresh_token' => 'invalid',
    ],
]);
try {
    $client->predict('placement', new UserEvent());
} catch (Throwable $exception) {
    var_dump($exception->getMessage());
    var_dump(get_class($exception));
}

Run composer install in that directory
Run php index.php

Observe expected (-) vs. actual (+) output

 string(190) "Client error: `POST https://oauth2.googleapis.com/token` resulted in a `401 Unauthorized` response:
 {
   "error": "invalid_client",
   "error_description": "The OAuth client was not found."
 }
 "
-string(27) "Google\ApiCore\ApiException"
+string(36) "GuzzleHttp\Exception\ClientException"

Remove your internet connection
Run php index.php

Observe expected (-) vs. actual (+) output

 string(156) "cURL error 6: Could not resolve host: oauth2.googleapis.com (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) 
 for https://oauth2.googleapis.com/token"
-string(27) "Google\ApiCore\ApiException"
+string(37) "GuzzleHttp\Exception\ConnectException"

yash30201 · 2023-07-27T08:46:17Z

Thanks for more info.

What's happening here is that error is being thrown from auth library as part of the GRPC Transport when it's trying to fetch the auth token. Doing so, it will always use HTTP (hence REST).

Exceptions are wrapped as ApiCore\ApiException so that they don't differ with transport (GRPC or REST). But since auth calls are always HTTP and they don't change based on transport so they are not wrapped.

It's not intuitive but it's still Working as Intended.

yash30201 self-assigned this Jul 26, 2023

yash30201 added needs more info This issue needs more information from the customer to proceed. priority: p3 Desirable enhancement or fix. May not be included in next release. labels Jul 26, 2023

tscni mentioned this issue Jul 27, 2023

Some service client calls are throwing exceptions that aren't annotated googleapis/google-cloud-php#6498

Open

yash30201 closed this as completed Jul 31, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Credential fetching exceptions aren't being handled #474

Credential fetching exceptions aren't being handled #474

tscni commented Jun 19, 2023

yash30201 commented Jul 26, 2023

tscni commented Jul 26, 2023 •

edited

yash30201 commented Jul 27, 2023

Credential fetching exceptions aren't being handled #474

Credential fetching exceptions aren't being handled #474

Comments

tscni commented Jun 19, 2023

yash30201 commented Jul 26, 2023

tscni commented Jul 26, 2023 • edited

yash30201 commented Jul 27, 2023

tscni commented Jul 26, 2023 •

edited