Skip to content

fix: add signature verification to IdTokenVerifier#861

Merged
TimurSadykov merged 17 commits intomainfrom
stim-signer
Apr 13, 2022
Merged

fix: add signature verification to IdTokenVerifier#861
TimurSadykov merged 17 commits intomainfrom
stim-signer

Conversation

@TimurSadykov
Copy link

@TimurSadykov TimurSadykov commented Mar 25, 2022
edited
Loading

@TimurSadykov TimurSadykov requested a review from a team as a code owner March 25, 2022 22:41
suztomo
suztomo reviewed Mar 29, 2022
View reviewed changes
@suztomo
Copy link
Member

suztomo commented Mar 29, 2022

Lint is failing:

Error:  Found 7 non-complying files, failing build
Error:  To fix formatting errors, run "mvn com.coveo:fmt-maven-plugin:format"
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeResponseUrl.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/StoredCredential.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthGetAccessToken.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/AbstractOAuthGetToken.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthAuthorizeTemporaryTokenUrl.java
Error:  Non complying file: /home/runner/work/google-oauth-java-client/google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthGetTemporaryToken.java

suztomo
suztomo reviewed Mar 29, 2022
View reviewed changes
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated
return (issuers == null || idToken.verifyIssuer(issuers))
&& (audience == null || idToken.verifyAudience(audience))
&& idToken.verifyTime(clock.currentTimeMillis(), acceptableTimeSkewSeconds);
public boolean verify(IdToken idToken) throws VerificationException {
Copy link
Member

@suztomo suztomo Mar 29, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you improve the Javadoc that explains the newly-added case?

Creating a new function IdToken.verifySignature() will fit better in the implementation.

Copy link
Contributor

@chingor13 chingor13 Mar 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised the breaking change detector doesn't see adding a checked exception as a breaking change.

It also feels a bit weird to have 2 different mechanisms for indicating an invalid token. In the google-auth-library implementation, we only throw VerificationExceptions (to be able to communicate why it failed). This legacy implementation already is hiding why the token in invalid.

Copy link
Contributor

@chingor13 chingor13 Mar 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another option, in line with Tomo's suggestion is to add a new verifySignature method that throws VerificationException. verify could call verifySignature and catch the exception and return false (to not change the interface)

Copy link
Author

@TimurSadykov TimurSadykov Mar 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, thanks, especially the exception :)

suztomo
suztomo reviewed Mar 29, 2022
View reviewed changes
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java
Comment on lines 478 to 480
jwks = response.parseAs(JsonWebKeySet.class);
} catch (IOException io) {
return ImmutableMap.of();
Copy link
Member

@suztomo suztomo Mar 29, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't show any error or exceptions when the certificate doesn't have the expected format. Is there.a good way to report the problem?

Copy link
Author

@TimurSadykov TimurSadykov Mar 30, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The suggestion definitely makes sense, I left it as is since it looks as intentional. I tried to figure out the background for this and it looks like - it is related to LoadingCache implementation, like unable to throw checked exception from runner or throwing RuntimeExceptions etc. My call is to leave this specific one as is to avoid gotchas because:

  1. it does not seem to be a pain point for other library
  2. we want to error on the side of reliability at the moment, we can improve experience later
  3. library is already officially deprecated

@chingor13 are you ok with that?

Copy link
Member

@suztomo suztomo Mar 31, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about logging (java.util.logging.Logger) with warn level?

@TimurSadykov TimurSadykov self-assigned this Mar 29, 2022
chingor13
chingor13 requested changes Mar 30, 2022
View reviewed changes
google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated
this.publicKeyCache =
CacheBuilder.newBuilder()
.expireAfterWrite(1, TimeUnit.HOURS)
.build(new PublicKeyLoader(builder.httpTransportFactory));
Copy link
Contributor

@chingor13 chingor13 Mar 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

httpTransportFactory is now required or you'll get a NPE later. We generally prefer to use preconditions to throw the NPE early for required attributes (using guava's Preconditions.checkNotNull)

Copy link
Author

@TimurSadykov TimurSadykov Mar 30, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, thanks, I think here we want to set a default ourselves in case of null, otherwise it is going to be a breaking change

google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated
return (issuers == null || idToken.verifyIssuer(issuers))
&& (audience == null || idToken.verifyAudience(audience))
&& idToken.verifyTime(clock.currentTimeMillis(), acceptableTimeSkewSeconds);
public boolean verify(IdToken idToken) throws VerificationException {
Copy link
Contributor

@chingor13 chingor13 Mar 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised the breaking change detector doesn't see adding a checked exception as a breaking change.

It also feels a bit weird to have 2 different mechanisms for indicating an invalid token. In the google-auth-library implementation, we only throw VerificationExceptions (to be able to communicate why it failed). This legacy implementation already is hiding why the token in invalid.

google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java Outdated
return (issuers == null || idToken.verifyIssuer(issuers))
&& (audience == null || idToken.verifyAudience(audience))
&& idToken.verifyTime(clock.currentTimeMillis(), acceptableTimeSkewSeconds);
public boolean verify(IdToken idToken) throws VerificationException {
Copy link
Contributor

@chingor13 chingor13 Mar 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another option, in line with Tomo's suggestion is to add a new verifySignature method that throws VerificationException. verify could call verifySignature and catch the exception and return false (to not change the interface)

suztomo
suztomo reviewed Mar 31, 2022
View reviewed changes
@suztomo
Copy link
Member

suztomo commented Mar 31, 2022

The failing lint check is addressed in #863 (merged)

suztomo
suztomo reviewed Apr 4, 2022
View reviewed changes
Timur Sadykov and others added 2 commits April 11, 2022 18:05
@suztomo
Update google-oauth-client/src/main/java/com/google/api/client/auth/o…
c8d01d3 
…penidconnect/IdTokenVerifier.java

Co-authored-by: Tomo Suzuki <suztomo@google.com>
nit and linter fixes
aca11aa
@suztomo
Copy link
Member

suztomo commented Apr 12, 2022

@chingor13 PTAL

@suztomo
Copy link
Member

suztomo commented Apr 12, 2022

Memo: OwlBot reverted the lint fix (#863) in the commit below (right after I merged 863), and now lint is failing in main (So this PR 861 is irrelevant to the lint failure). The lint is not a required check.

b2b2e43

@TimurSadykov TimurSadykov merged commit 22419d6 into main Apr 13, 2022
@TimurSadykov TimurSadykov deleted the stim-signer branch April 13, 2022 18:21
@release-please release-please bot mentioned this pull request Apr 13, 2022
Merged
grgrzybek pushed a commit to jboss-fuse/google-oauth-java-client that referenced this pull request May 17, 2022
@suztomo @grgrzybek
[ENTESB-18995] fix: add signature verification to IdTokenVerifier (go…
461177b 
…ogleapis#861)

* previously missing signature validation ported from google-auth-library-java
* test cases

Co-authored-by: Tomo Suzuki <suztomo@google.com>
(cherry picked from commit 22419d6)
grgrzybek pushed a commit to jboss-fuse/google-oauth-java-client that referenced this pull request May 18, 2022
@suztomo @grgrzybek
[ENTESB-18995] fix: add signature verification to IdTokenVerifier (go…
71db8ca 
…ogleapis#861)

* previously missing signature validation ported from google-auth-library-java
* test cases

Co-authored-by: Tomo Suzuki <suztomo@google.com>
(cherry picked from commit 22419d6)
grgrzybek pushed a commit to jboss-fuse/google-oauth-java-client that referenced this pull request May 18, 2022
@suztomo @grgrzybek
[ENTESB-18995] fix: add signature verification to IdTokenVerifier (go…
3185e87 
…ogleapis#861)

* previously missing signature validation ported from google-auth-library-java
* test cases

Co-authored-by: Tomo Suzuki <suztomo@google.com>
(cherry picked from commit 22419d6)
EmpireMyDev
EmpireMyDev reviewed Dec 29, 2022
View reviewed changes
Copy link

@EmpireMyDev EmpireMyDev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice

@cx-sam-headrick cx-sam-headrick mentioned this pull request Mar 14, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@suztomo suztomo suztomo approved these changes

@chingor13 chingor13 chingor13 approved these changes

@lesv lesv Awaiting requested review from lesv

+1 more reviewer

@EmpireMyDev EmpireMyDev EmpireMyDev left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@TimurSadykov TimurSadykov

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

IdTokenVerifier does not verify the signature of ID Token

4 participants

@TimurSadykov @suztomo @chingor13 @EmpireMyDev