Closed
Labels: "🚨 This issue needs some love", "triage me"
Description
Steps to reproduce
- Try to resolve any valid id_token with `certs_url='https://www.googleapis.com/oauth2/v3/certs'`:

```
>>> from google.oauth2 import id_token
>>> id_token._GOOGLE_OAUTH2_CERTS_URL
'https://www.googleapis.com/oauth2/v3/certs'
>>> from google.auth.transport import requests
>>> auth_token = "<valid_token>"
>>> id_token.verify_oauth2_token(auth_token, requests.Request())
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/google/oauth2/id_token.py", line 141, in verify_oauth2_token
    id_token, request, audience=audience, certs_url=_GOOGLE_OAUTH2_CERTS_URL
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/google/oauth2/id_token.py", line 123, in verify_token
    return jwt.decode(id_token, certs=certs, audience=audience)
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/google/auth/jwt.py", line 226, in decode
    raise ValueError("Certificate for key id {} not found.".format(key_id))
ValueError: Certificate for key id 762fa637af953590db8bb8a636bf11d4360abc98 not found.
```
Using the old certs URL works:
```
>>> id_token.verify_token(auth_token, requests.Request(), audience=None, certs_url="https://www.googleapis.com/oauth2/v1/certs")
{...JWT payload...}
```
It appears that the issue is here:
https://github.com/googleapis/google-auth-library-python/blob/master/google/auth/jwt.py#L222
```python
if isinstance(certs, Mapping):
    key_id = header.get("kid")
    if key_id:
        if key_id not in certs:
            raise ValueError("Certificate for key id {} not found.".format(key_id))
        certs_to_check = [certs[key_id]]
```

where it is expecting the structure of the old cert payload:

```json
{
  "762fa637af953590db8bb8a636bf11d4360abc98": "-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIIcXdDbfgaVLEwDQYJKoZIhvcNAQEFBQAwNjE0MDIGA1UE\nAxMrZmVkZXJhdGVkLXNpZ25vbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTAe\nFw0yMDAyMTAwNDI5MzBaFw0yMDAyMjYxNjQ0MzBaMDYxNDAyBgNVBAMTK2ZlZGVy\nYXRlZC1zaWdub24uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDI5KsUjQhL+tmOfX5EZ0q3iHKfaqem1A7+\nY10oLoDWF9nwye6ysljp02NZ0giTlSX9HCTOOU26TuPPkIS1ipszDsExo08N8vhI\n7sBIEyPvK7KSm029wyejmW+Bg/9iIgAMnu19KdfLtcC/w/jRwtrQaSJcFtwiDpfj\ncx09Cr9yya4w8H6obWDs+r3JsC53YFJt6prfJgKEEAY3GTrONBeX1XudlZ8gT6AL\nI3W7jswUolUcZaDmK9yb0TeXlwpYb78IZ/bb2HqzwhWN9Gk8lNjm61Oug67Wavqr\n7lENBZXUaZatIJN0RcK0Wx0yzJuGLVng9zt7i2YK6/qZbr5oY+NvAgMBAAGjODA2\nMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsG\nAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQCkfqr/zEB5pxGVUYBcsc+LLSFjdVIs\nIb5IpBGulccTAT5t1/K0Sbpr6/Bgoopbwp+vZ/w6tCZ+pKqG+fpbU8uIXwbTrrsl\nAcGTwPrZ4t3HoR39q1R2smV8nfdjo7acisQUhL39qVZLe2AXDADZ35Ih/ZRzTBK1\ny9BJ0HhXziyqiwvl196jdBsHjeMlPTetgr2i0BNfWtJZpK0n4BYtP6fw2KDiiX1M\nGYP4rDacnnBJLqA2uTaQ5tV170PRZRbgTcu8zFSnzyJOjDJy/BQ1hKea86EZJyvx\nMB+ZmGiaupEoEuW9lTOAMkhDiMTVzxsQ/hMV/8prILAahMZAPJFk+Yn7\n-----END CERTIFICATE-----\n",
  "d8efea1f66e87bb36c2ea09d837338bdd810353b": "-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIIA1PM71I9gHUwDQYJKoZIhvcNAQEFBQAwNjE0MDIGA1UE\nAxMrZmVkZXJhdGVkLXNpZ25vbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTAe\nFw0yMDAyMDIwNDI5MzBaFw0yMDAyMTgxNjQ0MzBaMDYxNDAyBgNVBAMTK2ZlZGVy\nYXRlZC1zaWdub24uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3r6hVJVlFGWCicrvWVrY9ykWK22z30nDs\naJIKzFam6rE0mOy7HQ+425BavKcMHup1O4QNGyatdhJ6YhdyqqadaQz9Q/MWSnsJ\nbQXKv6MscRFfOTnk5TBzpfjWGOAmoFicbBYt4zdPJmYSWI9gAlAhHT20AE/B+jRp\nYWJVI9a0et/AltxSdf32L1i0Ht9jCamjj8RIRzArCPXTCkAx7fd18/nUC6U5PC/5\ngLa8uPDbmH3TIeH2uLqfs34wbmWCpy6n/WDxQYoPkqktM0lqzh84GCZqMeKz6Jbp\nQLcraGOB6tMX93tU1fpWd0GNDI/P2JGnNDfBBlYaGeDnRLFLr4tdAgMBAAGjODA2\nMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsG\nAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQALWk+nEuDemE5a4k3cjTMN5WPfYM9+\n3nxV519bMTWOK9o2Ikg0TcKgkLekOMVRlbWTjTlkPPInVOaC3aUGjgiysZlglnn/\ncFZoR36lfsvYx6Xhc548eH99S4vu6lbnVsnFmIWwEQ5Nr8j8bBzz/6v2/daLKr3Z\nhwmIWft2tYInymesINdtWpjXgu7Y8eu076swJqn+VCccZJveYY0i4VB9Px/YQbBx\nVcUhptYCjICc6bPI9Cvl52Ud80//+PcddlkZ+OqcmDB49eHyKVCJc94PfUsn1AXj\nssFFFBMmy0pEF8h1tVbVo9eXCHZzAijwoYXZu7SWJKh9+cU2GvradID6\n-----END CERTIFICATE-----\n"
}
```
vs
```json
{
  "keys": [
    {
      "e": "AQAB",
      "kty": "RSA",
      "alg": "RS256",
      "n": "t6-oVSVZRRlgonK71la2PcpFitts99Jw7GiSCsxWpuqxNJjsux0PuNuQWrynDB7qdTuEDRsmrXYSemIXcqqmnWkM_UPzFkp7CW0Fyr-jLHERXzk55OUwc6X41hjgJqBYnGwWLeM3TyZmEliPYAJQIR09tABPwfo0aWFiVSPWtHrfwJbcUnX99i9YtB7fYwmpo4_ESEcwKwj10wpAMe33dfP51AulOTwv-YC2vLjw25h90yHh9ri6n7N-MG5lgqcup_1g8UGKD5KpLTNJas4fOBgmajHis-iW6UC3K2hjgerTF_d7VNX6VndBjQyPz9iRpzQ3wQZWGhng50SxS6-LXQ",
      "use": "sig",
      "kid": "d8efea1f66e87bb36c2ea09d837338bdd810353b"
    },
    {
      "kid": "762fa637af953590db8bb8a636bf11d4360abc98",
      "e": "AQAB",
      "kty": "RSA",
      "alg": "RS256",
      "n": "yOSrFI0IS_rZjn1-RGdKt4hyn2qnptQO_mNdKC6A1hfZ8MnusrJY6dNjWdIIk5Ul_RwkzjlNuk7jz5CEtYqbMw7BMaNPDfL4SO7ASBMj7yuykptNvcMno5lvgYP_YiIADJ7tfSnXy7XAv8P40cLa0GkiXBbcIg6X43MdPQq_csmuMPB-qG1g7Pq9ybAud2BSbeqa3yYChBAGNxk6zjQXl9V7nZWfIE-gCyN1u47MFKJVHGWg5ivcm9E3l5cKWG-_CGf229h6s8IVjfRpPJTY5utTroOu1mr6q-5RDQWV1GmWrSCTdEXCtFsdMsybhi1Z4Pc7e4tmCuv6mW6-aGPjbw",
      "use": "sig"
    }
  ]
}
```

Looks like this was introduced in #365.
(apologies for the edit -- submitted before I meant to)
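The mismatch described above is a shape problem: the `kid` lookup in `jwt.decode` assumes a flat `{kid: PEM}` mapping, while the v3 endpoint returns a JWK Set whose keys live under `"keys"`. The following is an added example (not code from the issue or from google-auth-library-python) showing a lookup that indexes both shapes by `kid` before applying the same "key id not found" check; the kids, modulus and PEM placeholder are constructed, and turning the decoded `n`/`e` into a usable RSA key object would still need a crypto library, which is out of scope here.

```python
import base64
from collections.abc import Mapping


def _b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url JWK parameter (n or e) into an integer."""
    return int.from_bytes(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)), "big")


def _int_to_b64url(value: int) -> str:
    """Inverse of _b64url_to_int; only used to build the constructed JWK sample."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed samples (placeholder kids, toy modulus): the v1 shape maps
# kid -> PEM certificate, the v3 shape is an RFC 7517 JWK Set.
SAMPLE_N = 0xC123456789ABCDEF0123456789ABCDEF
LEGACY_CERTS = {"kid-legacy-1": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"}
JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-jwk-1",
     "n": _int_to_b64url(SAMPLE_N), "e": _int_to_b64url(65537)},
    {"kty": "EC", "use": "sig", "kid": "kid-ec-ignored", "crv": "P-256"},
]}


def index_certs(certs: Mapping) -> dict:
    """Return {kid: key material} whichever payload shape the certs URL served."""
    if "keys" not in certs:  # legacy v1 shape is already keyed by kid
        return dict(certs)
    indexed = {}
    for jwk in certs["keys"]:
        # Only RSA signing keys can verify RS256 ID tokens; skip anything else
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
            continue
        kid = jwk.get("kid")
        if not kid:
            raise ValueError("JWK Set entry without kid")
        indexed[kid] = {"alg": jwk.get("alg"), "n": _b64url_to_int(jwk["n"]), "e": _b64url_to_int(jwk["e"])}
    return indexed


def select_verification_keys(certs: Mapping, header: Mapping) -> list:
    """Same kid check as jwt.decode, but applied to the normalised index."""
    indexed = index_certs(certs)
    key_id = header.get("kid")
    if key_id:
        if key_id not in indexed:
            raise ValueError("Certificate for key id {} not found.".format(key_id))
        return [indexed[key_id]]
    return list(indexed.values())  # no kid in the header: try every signing key
```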