Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Slow response times when obtaining Domain Wide Delegation token and during inbound Authorization header validation #1756

Open
ianhannaford opened this issue Feb 9, 2024 · 4 comments · May be fixed by #1762
Open

Slow response times when obtaining Domain Wide Delegation token and during inbound Authorization header validation #1756

ianhannaford opened this issue Feb 9, 2024 · 4 comments · May be fixed by #1762
Assignees
@danielbankhead
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. status: blocked Resolving the issue is dependent on other work. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@ianhannaford
Copy link

Environment details

  • OS: Linux
  • Node.js version: v16.20.2
  • npm version: 8.19.4
  • google-auth-library version: 8.19.4

Obtaining an Domain Wide Delegated Access Token

We have two issues when using the client library when trying to PATCH a subscription. When patching a subscription for a Chat Space we are obtaining a users Domain Wide Delegated token to use as the Authorization header for the PATCH operation.

We are using the GoogleAuth client to obtain the token and during the call to getAccessToken(); it makes a request to the Google endpoint https://www.googleapis.com/oauth2/v4/token

We have been experiencing slow response times when hitting this endpoint as show in the attachments.

image

const auth = new GoogleAuth({
     "https://www.googleapis.com/auth/chat.memberships https://www.googleapis.com/auth/chat.memberships.app https://www.googleapis.com/auth/chat.messages https://www.googleapis.com/auth/chat.spaces https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile",
     clientOptions: { subject: [EMAIL] },
     credentials: [GOOGLE_APP_CREDENTIALS],
});

const client = await auth.getClient();

const jwtResponse: GetAccessTokenResponse = await client.getAccessToken();

return jwtResponse.token!;
Header Authorization

We have also noticed slow response times during validation of the JWT Authorization header that is sent as part of the push notification. In the library it makes a call to https://www.googleapis.com/oauth2/v1/certs. Occasionally we have seen slow response times from this request as show in the attachments.

image

const bearerTokenHeader = req.header('Authorization');

const token = bearerTokenHeader.match(/Bearer (.*)/);

const idToken = token[1];
			
const client = new OAuth2Client();

const ticket = await client.verifyIdToken({ idToken });

const claim = ticket.getPayload();
@ianhannaford ianhannaford added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Feb 9, 2024
@danielbankhead
Copy link
Member

We're planning to migrate to newer token endpoints upstream, which may resolve this issue (assuming their aren't any other networking issues, like proxies):

@ianhannaford
Copy link
Author

@danielbankhead I see this PR updates the /token endpoint but don’t see any updates to the /cert endpoint?

@danielbankhead
Copy link
Member

I see this PR updates the /token endpoint but don’t see any updates to the /cert endpoint?

I've conducted an audit an see that there are a few endpoints in this library that will also need to be updated - I'll take care of this shortly.

This was referenced Feb 27, 2024
Closed
Open
@danielbankhead danielbankhead added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. priority: p2 Moderately-important priority. Fix may not be included in next release. status: blocked Resolving the issue is dependent on other work. and removed priority: p2 Moderately-important priority. Fix may not be included in next release. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Feb 27, 2024
@danielbankhead
Copy link
Member

I have a PR up to resolve, however it will require us to upgrade to Node 16 (which includes JWK support):

However, we may be able to release the following PR sooner, which may be more helpful as the /token endpoint would be hit far more often than /cert (longer cache time):

This was referenced Feb 29, 2024
Closed
Closed
This was referenced Apr 8, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@danielbankhead danielbankhead

Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. status: blocked Resolving the issue is dependent on other work. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix!: Update OAuth2Client Endpoints to JWT Versions googleapis/google-auth-library-nodejs
2 participants
@danielbankhead @ianhannaford