Open zboralski opened 8 years ago
`h.Get("Age")` in `certExpirationTime` always returns an empty string and fails to parse. The `Age` header isn't set at all in the response:
map[Expires:[Mon, 02 Nov 2015 18:37:57 GMT] Date:[Mon, 02 Nov 2015 12:37:57 GMT] Vary:[Origin,X-Origin] Content-Type:[application/json; charset=UTF-8] Cache-Control:[public, max-age=21600, must-revalidate, no-transform] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN] X-Xss-Protection:[1; mode=block] Server:[GSE]]
It is set correctly though when I use curl :
curl https://www.googleapis.com/service_accounts/v1/metadata/raw/federated-signon@system.gserviceaccount.com -i|grep ^Age:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 966 100 966 0 0 4144 0 --:--:-- --:--:-- --:--:-- 4181
Age: 339
@campoy I am using the European app engine data centre. I haven't tested on the US one if the Age header is set correctly.
Hey @crhym3,
I'm trying to test this but I'm having issues producing a request with a correct JWT token (using the API explorer I get a token with only two segments, so jwtParser fails)
Do you know how to test this?
Thanks!
@campoy that's the weirdest thing. JWT is defined as a 3-segment token by the spec. I suspect what you see in the explorer is actually an access token. It just so happens that Google OAuth2 issues access tokens with a `.` in it.
I don't see the `Age` header from here, indeed. Something must have changed. We could use `cache-control` though. I can see it present. They must have swapped `age` with `cache-control` at some point :(
You should be able to see a real JWT when authenticated in oauth2 playground with `email` scope. They call it `id_token`.
Also, unrelated to this issue: I think JWT verification in jwtParser could be a good addition to golang.org/x/oauth2/jws.
@crhym3 I wrote a patch that uses the Expires header. I don't think we can use the Cache-control header if the Age header isn't present.
@zboralski it's the same thing. If `expires` is present, its date must be at `"now" + cache-control(max-age)`.
Try it for yourself with e.g. `curl -i https://www.googleapis.com/oauth2/v3/certs`.
@crhym3, look, these are the headers:
cache-control: public, max-age=20960, must-revalidate, no-transform
expires: Tue, 15 Dec 2015 16:05:51 GMT
If we make the request twice... max-age doesn't decrement and expires is still scheduled for 16:05 ... so now + max-age will not be equal to expires. So I would cache the certificate for expires - now... not for now + maxage.
When is the second request made w.r.t. the first one? Can you try it after, say, 5 min?
@crhym3 it seems to be the date header + maxage ... not now() + maxage.
Here is a series of requests sent every minute using curl:
< Expires: Tue, 15 Dec 2015 20:23:05 GMT
< Date: Tue, 15 Dec 2015 14:13:11 GMT
< Cache-Control: public, max-age=22194, must-revalidate, no-transform
< Date: Tue, 15 Dec 2015 14:18:12 GMT
< Expires: Tue, 15 Dec 2015 14:18:12 GMT
< Cache-Control: private, max-age=0
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
Sure, sounds good, but I still think the code should consider all available headers, in case another one disappears, just like it happened with the Age header.
certExpirationTime always returns 0.
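An added example (not the go-endpoints code) of the approach discussed in this thread: derive the certificate cache lifetime from whichever of `Cache-Control: max-age`, `Expires`, `Date` and `Age` are present, measuring from the `Date` header rather than from the local clock at fetch time. The names `certCacheLifetime` and `maxAge` are hypothetical, and the age calculation is a simplification of RFC 7234.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// maxAge extracts max-age from a Cache-Control value; ok is false if it is absent.
func maxAge(cc string) (time.Duration, bool) {
	for _, d := range strings.Split(strings.ToLower(cc), ",") {
		var n int
		if c, _ := fmt.Sscanf(strings.TrimSpace(d), "max-age=%d", &n); c == 1 && n >= 0 {
			return time.Duration(n) * time.Second, true
		}
	}
	return 0, false
}

// certCacheLifetime (hypothetical name) returns how long a fetched cert set may
// still be cached at time now. Zero means "do not cache, fetch again".
func certCacheLifetime(h http.Header, now time.Time) time.Duration {
	date, dateErr := http.ParseTime(h.Get("Date"))
	fresh, ok := maxAge(h.Get("Cache-Control"))
	if !ok { // fall back to Expires - Date when max-age is missing
		exp, err := http.ParseTime(h.Get("Expires"))
		if err != nil || dateErr != nil {
			return 0 // no usable freshness information
		}
		fresh = exp.Sub(date)
	}
	var age time.Duration // larger of the Age header and the time elapsed since Date
	if n, err := strconv.Atoi(h.Get("Age")); err == nil && n > 0 {
		age = time.Duration(n) * time.Second
	}
	if dateErr == nil && now.Sub(date) > age {
		age = now.Sub(date)
	}
	if fresh <= age {
		return 0
	}
	return fresh - age
}

func main() { // constructed sample; header values taken from the thread
	h := http.Header{"Date": {"Tue, 15 Dec 2015 14:18:42 GMT"}, "Cache-Control": {"public, max-age=23614"}}
	fmt.Println(certCacheLifetime(h, time.Date(2015, 12, 15, 14, 23, 42, 0, time.UTC))) // 6h28m34s
}
```

Returning zero when no header is usable makes a missing header cost an extra fetch instead of leaving signing certificates cached with no expiry.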