google.parse_openid() sometimes can't parse JWK #53

Closed
johannespostler opened this issue May 2, 2018 · 3 comments

@johannespostler

I'm using OAuth2 with Google as the provider in a Flask app and everything works fine (Authlib 0.7). However, after a few days, the OAuth2 callback from Google cannot be read any more and the following error is produced:

[2018-05-02 07:05:48,173] ERROR in app: Exception on /oauth2callback [GET]
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.5/dist-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/app/ms.py", line 209, in authorized
    user = google.parse_openid(token)
  File "/usr/local/lib/python3.5/dist-packages/authlib/client/apps/_google.py", line 33, in parse_openid
    claims_params=claims_params,
  File "/usr/local/lib/python3.5/dist-packages/authlib/specs/rfc7519/jwt.py", line 95, in decode
    data = self.deserialize_compact(s, _wrap_key(key))
  File "/usr/local/lib/python3.5/dist-packages/authlib/specs/rfc7515/jws.py", line 95, in deserialize_compact
    algorithm, key = self._prepare_algorithm_key(header, payload, key)
  File "/usr/local/lib/python3.5/dist-packages/authlib/specs/rfc7515/jws.py", line 276, in _prepare_algorithm_key
    key = key(header, payload)
  File "/usr/local/lib/python3.5/dist-packages/authlib/specs/rfc7519/jwt.py", line 123, in key_func
    return _load_jwk(key, header)
  File "/usr/local/lib/python3.5/dist-packages/authlib/specs/rfc7519/jwt.py", line 111, in _load_jwk
    return jwk.loads(key, header.get('kid'))
  File "/usr/local/lib/python3.5/dist-packages/authlib/specs/rfc7517/jwk.py", line 54, in loads
    raise ValueError('Invalid JWK format')
ValueError: Invalid JWK format

The callback URL Google redirected to was the following (tokens changed):

https://myserver/oauth2callback?state=sjyizeyuwnyGtk8LeNi1M7k8LrBycoOTIeizOfC&code=4/AABVzpc4cbxwLowSprM90y6GOgmou2VpLHdBPcmMGfazaoei0kaSZUgR9Haz-jzXooLRu0_gpBPOrORzYi8qQ5o&authuser=0&hd=mydomain.com&session_state=aa96e41144175e48151746b9df23609fcc985905..97cb&prompt=none#

It seems like Authlib is struggling to parse the answer from Google for some reason.

lepture added a commit to authlib/loginpass that referenced this issue May 2, 2018
@lepture
Owner

lepture commented May 2, 2018

@johannespostler Thanks for your report. It seems Google's JWK set will change from time to time. This is certainly a bug in Authlib, but it won't be fixed soon since client/apps are deprecated. I encourage you to use https://github.com/authlib/loginpass instead of client/apps. But if you don't want to add another dependency, you can make your own RemoteApp.

Check this commit for inspiration: authlib/loginpass@9230fc0

@johannespostler
Author

Hi lepture,
Thanks for the quick reply! I saw a few days ago that this is deprecated and indeed I intend to switch over to loginpass. It seems the comment you referenced is fixing this issue?
cheers

@lepture
Owner

lepture commented May 2, 2018

@johannespostler yes. I didn't know that Google will change JWK set.

@lepture lepture closed this as completed May 3, 2018
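
Added example, not code from this thread, Authlib or loginpass: one way a client can cope with the JWK set change discussed above is to look keys up by the token's `kid` and re-fetch the provider's key set on a miss, rate-limited so unknown `kid` values cannot trigger a fetch per request. `JwkSetCache`, `fetch_jwk_set` and `kid_from_compact_jws` are hypothetical names, and the fetch is an injected callable so the code runs offline.

```python
import base64
import json
import time


class JwkSetCache:
    """Caches a provider's JWK set; re-fetches when a token names an unknown kid."""

    def __init__(self, fetch_jwk_set, min_refresh_interval=300, clock=time.monotonic):
        self._fetch = fetch_jwk_set  # hypothetical callable returning {"keys": [...]}
        self._min_interval = min_refresh_interval
        self._clock = clock
        self._keys = {}
        self._last_refresh = None

    def _refresh(self):
        jwk_set = self._fetch()
        self._keys = {k["kid"]: k for k in jwk_set.get("keys", []) if "kid" in k}
        self._last_refresh = self._clock()

    def key_for(self, kid):
        if self._last_refresh is None:
            self._refresh()
        if kid not in self._keys:
            # Unknown kid: the provider may have rotated its keys. Re-fetch, but
            # no more often than min_refresh_interval, so tokens carrying
            # made-up kids cannot turn every request into an outbound fetch.
            if self._clock() - self._last_refresh >= self._min_interval:
                self._refresh()
        if kid not in self._keys:
            raise KeyError("no JWK with kid %r in the current key set" % kid)
        return self._keys[kid]


def kid_from_compact_jws(token):
    """Read the unverified kid header of a compact JWS; use it for key lookup only."""
    header_b64 = token.split(".", 1)[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("kid")


if __name__ == "__main__":
    # Constructed key sets standing in for two successive provider responses.
    responses = iter([{"keys": [{"kid": "k1"}]}, {"keys": [{"kid": "k2"}]}])
    cache = JwkSetCache(lambda: next(responses), min_refresh_interval=0)
    print(cache.key_for("k1"), cache.key_for("k2"))
```

The returned JWK is only a lookup result; the token's signature and claims still have to be verified with it before any claim is trusted.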