GoogleCloudPlatform / go-endpoints

Cloud Endpoints for Go
https://go-endpoints.appspot.com
Apache License 2.0
255 stars, 56 forks

certExpirationTime always returns 0 #119

Open zboralski opened 8 years ago

zboralski commented 8 years ago
```go
if cacheResults {
    expiration := certExpirationTime(resp.Header)
    if expiration > 0 {
```

certExpirationTime always returns 0.

zboralski commented 8 years ago

h.Get("Age") in certExpirationTime always returns an empty string and fails to parse.

The Age header isn't set at all in the response:

```text
map[Expires:[Mon, 02 Nov 2015 18:37:57 GMT] Date:[Mon, 02 Nov 2015 12:37:57 GMT] Vary:[Origin,X-Origin] Content-Type:[application/json; charset=UTF-8] Cache-Control:[public, max-age=21600, must-revalidate, no-transform] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN] X-Xss-Protection:[1; mode=block] Server:[GSE]]
```

It is set correctly, though, when I use curl:

```text
curl https://www.googleapis.com/service_accounts/v1/metadata/raw/federated-signon@system.gserviceaccount.com -i|grep ^Age:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   966  100   966    0     0   4144      0 --:--:-- --:--:-- --:--:--  4181
Age: 339
```

zboralski commented 8 years ago

@campoy I am using the European app engine data centre. I haven't tested on the US one if the Age header is set correctly.

campoy commented 8 years ago

Hey @crhym3,

I'm trying to test this but I'm having issues producing a request with a correct JWT token (using the API explorer I get a token with only two segments, so jwtParser fails)

Do you know how to test this?

Thanks!

x1ddos commented 8 years ago

@campoy that's the weirdest thing. JWT is defined as a 3-segment token by the spec. I suspect what you see in the explorer is actually an access token. It just so happens that Google OAuth2 issues access tokens with a . in it.

I don't see the Age header from here, indeed. Something must have changed. We could use cache-control though. I can see it present. They must have swapped age with cache-control at some point :(

x1ddos commented 8 years ago

You should be able to see a real JWT when authenticated in oauth2 playground with email scope. They call it id_token.

x1ddos commented 8 years ago

Also, unrelated to this issue: I think JWT verification in jwtParser could be a good addition to golang.org/x/oauth2/jws.

zboralski commented 8 years ago

@crhym3 I wrote a patch that uses the Expires header. I don't think we can use the Cache-control header if the Age header isn't present.

x1ddos commented 8 years ago

@zboralski it's the same thing. If expires is present, its date must be at "now" + cache-control(max-age).

Try it for yourself with e.g. curl -i https://www.googleapis.com/oauth2/v3/certs.

zboralski commented 8 years ago

@chrym3, look, these are the headers:

```text
cache-control: public, max-age=20960, must-revalidate, no-transform
expires: Tue, 15 Dec 2015 16:05:51 GMT
```

If we make the request twice... max-age doesn't decrement and expires is still scheduled for 16:05 ... so now + max-age will not be equal to expires. So I would cache the certificate for expires - now... not for now + maxage.

x1ddos commented 8 years ago

When is the second request made w.r.t. the first one? Can you try it after, say, 5 min?

zboralski commented 8 years ago

@crhym3 it seems to be the date header + maxage ... not now() + maxage.

Here is a series of requests sent every minute using curl:

```text
< Expires: Tue, 15 Dec 2015 20:23:05 GMT
< Date: Tue, 15 Dec 2015 14:13:11 GMT
< Cache-Control: public, max-age=22194, must-revalidate, no-transform
< Date: Tue, 15 Dec 2015 14:18:12 GMT
< Expires: Tue, 15 Dec 2015 14:18:12 GMT
< Cache-Control: private, max-age=0
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
< Expires: Tue, 15 Dec 2015 20:52:16 GMT
< Date: Tue, 15 Dec 2015 14:18:42 GMT
< Cache-Control: public, max-age=23614, must-revalidate, no-transform
```

x1ddos commented 8 years ago

sure, sounds good, but I still think the code should consider all available headers, in case another one will disappear, just like it happened with Age header.

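As an added example (not the project's code, nor any commenter's patch) of the "consider all available headers" approach suggested in the last comment: a replacement for certExpirationTime that derives the cache TTL from Cache-Control max-age, Expires, Date and Age following the RFC 7234 freshness model, so that the disappearance of any single header no longer yields 0. The function name certTTLSeconds, its signature and the seconds-based return value are assumptions; the response-delay term of RFC 7234 is assumed negligible.

```go
package main

import (
	"net/http"
	"strconv"
	"strings"
	"time"
)

// certTTLSeconds returns how many seconds a certificate response may be cached.
// It combines Cache-Control max-age, Expires, Date and Age (RFC 7234 freshness
// model) so that losing any one header, as happened with Age, does not yield 0.
func certTTLSeconds(h http.Header, now time.Time) int64 {
	date, err := http.ParseTime(h.Get("Date"))
	if err != nil {
		date = now // RFC 7231: a missing Date is treated as the receipt time
	}
	var lifetime int64 // freshness lifetime in seconds
	if maxAge, found := parseMaxAge(h.Get("Cache-Control")); found {
		lifetime = maxAge
	} else if exp, err := http.ParseTime(h.Get("Expires")); err == nil {
		lifetime = int64(exp.Sub(date).Seconds())
	} else {
		return 0 // no freshness information at all: do not cache
	}
	// Current age is the larger of the apparent age (now - Date) and the Age
	// header; RFC 7234's response-delay term is assumed negligible here.
	age := int64(now.Sub(date).Seconds())
	if age < 0 {
		age = 0 // clock skew between origin and client
	}
	if v, err := strconv.ParseInt(h.Get("Age"), 10, 64); err == nil && v > age {
		age = v
	}
	if ttl := lifetime - age; ttl > 0 {
		return ttl
	}
	return 0
}

// parseMaxAge extracts the max-age directive from a Cache-Control value.
func parseMaxAge(cc string) (int64, bool) {
	for _, d := range strings.Split(cc, ",") {
		d = strings.TrimSpace(strings.ToLower(d))
		if strings.HasPrefix(d, "max-age=") {
			n, err := strconv.ParseInt(strings.TrimPrefix(d, "max-age="), 10, 64)
			return n, err == nil
		}
	}
	return 0, false
}
```

With the headers from the curl series above (Date 14:18:42, max-age=23614, Expires 20:52:16), a request one minute after the Date yields 23554 seconds, and the `private, max-age=0` response yields 0.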