MarkEdmondson1234 / googleAuthR

Google API Client Library for R. Easy authentication and help to build Google API R libraries with OAuth2. Shiny compatible.
https://code.markedmondson.me/googleAuthR

Error: Invalid TokenServiceAccount seeing ID token but not access token #224

Open muxspace opened 1 year ago

muxspace commented 1 year ago

Cannot authenticate service account

I am trying to authenticate a service account. This worked last week but now is failing. I traced it to the returned token from Google, which doesn't include an access token, so a NULL is being returned.

Note that I'm trying to create a package to connect with StackDriver logging based on the auto API generator provided by the same author.

Steps to reproduce the problem

library(googleAuthR)
options(googleAuthR.scopes.selected = c('https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/logging.admin', 'https://www.googleapis.com/auth/logging.read', 'https://www.googleapis.com/auth/logging.write', 'https://www.googleapis.com/auth/logging.views.access'))

gar_auth_service(json_path)

The json_path holds a JSON file containing the JSON key downloaded from the GCP Service Account page.

Expected output

Successful authentication

Actual output

> options(googleAuthR.verbose=2)
> gar_auth_service(json_path)
Error: Invalid TokenServiceAccount

When I debug credentials_service_account, and subsequently token <- httr::oauth_service_token(endpoint = gargle_oauth_endpoint(), secrets = info, scope = scopes, sub = subject), I see that the OAuth response contains an ID token but not an access token.

Browse[2]> token <- credentials_service_account(scopes = scope, path = json_file)
debugging in: credentials_service_account(scopes = scope, path = json_file)
debug: {
...
Browse[4]> token
<Token>
<oauth_endpoint>
 authorize: https://accounts.google.com/o/oauth2/v2/auth
 access:    https://oauth2.googleapis.com/token
 validate:  https://oauth2.googleapis.com/tokeninfo
 revoke:    https://oauth2.googleapis.com/revoke
NULL
<credentials> id_token

This is failing because httr appears to only look for an access token.

debug: if (is.null(token$credentials$access_token) || !nzchar(token$credentials$access_token)) {
    NULL
} else {
    gargle_debug("service account email: {.email {token_email(token)}}")
    token
}

I'm wondering if you've seen a change in the way Google's APIs are handling these authentication requests?

Session Info

> sessionInfo()
R version 4.2.2 (2022-10-31)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Ubuntu 22.04.1 LTS

Matrix products: default
BLAS:   /usr/lib/x86_64-linux-gnu/blas/libblas.so.3.10.0
LAPACK: /usr/lib/x86_64-linux-gnu/lapack/liblapack.so.3.10.0

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C              
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8    
 [5] LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8   
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=C                 
 [9] LC_ADDRESS=C               LC_TELEPHONE=C            
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C       

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

other attached packages:
[1] futile.stackdriver_0.0.1 googleAuthR_2.0.0       

loaded via a namespace (and not attached):
 [1] digest_0.6.30    assertthat_0.2.1 R6_2.5.1         jsonlite_1.8.3  
 [5] httr_1.4.4       rlang_1.0.6      cachem_1.0.6     cli_3.4.1       
 [9] curl_4.3.3       fs_1.6.0         tools_4.2.2      glue_1.6.2      
[13] fastmap_1.1.0    compiler_4.2.2   askpass_1.1      gargle_1.2.1    
[17] memoise_2.0.1    openssl_2.0.4

muxspace commented 1 year ago

Is there a way to specify in the auth request that an OAuth access token is desired, instead of an OpenID Connect ID token?
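
A diagnostic for the condition reported above, where the token response carries an id_token but no access_token. This is an added example, not code from googleAuthR, gargle, httr or any participant in this thread; `decode_jwt_segment` and `describe_credentials` are hypothetical helper names, and the sample token and its claims are constructed. It decodes the ID token's claims without verifying the signature, so the output is for troubleshooting only and must not be used to trust the token.

```r
library(jsonlite)

# Decode one base64url-encoded JWT segment into an R list.
# No signature verification happens here: diagnosis only.
decode_jwt_segment <- function(seg) {
  seg <- chartr("-_", "+/", seg)                 # base64url -> base64 alphabet
  pad <- (4 - nchar(seg) %% 4) %% 4              # restore stripped padding
  fromJSON(rawToChar(base64_dec(paste0(seg, strrep("=", pad)))))
}

# Hypothetical helper: report which token type a response's credentials hold,
# mirroring the access_token check quoted in the issue but explaining the miss.
describe_credentials <- function(credentials) {
  has <- function(f) !is.null(credentials[[f]]) && nzchar(credentials[[f]])
  if (has("access_token")) {
    return(list(kind = "access_token", usable_for_api = TRUE))
  }
  if (has("id_token")) {
    parts <- strsplit(credentials$id_token, ".", fixed = TRUE)[[1]]
    if (length(parts) != 3) stop("id_token is not a three-part JWT")
    claims <- decode_jwt_segment(parts[2])
    return(list(
      kind = "id_token", usable_for_api = FALSE,
      aud = claims$aud, email = claims$email,
      expires = as.POSIXct(claims$exp, origin = "1970-01-01", tz = "UTC")
    ))
  }
  list(kind = "none", usable_for_api = FALSE)
}

# --- Constructed sample data (not a real token) ---
b64url <- function(x) {
  enc <- gsub("[\r\n]", "", base64_enc(charToRaw(x)))
  gsub("=+$", "", chartr("+/", "-_", enc))
}
sample_claims <- paste0(
  '{"aud":"https://example.invalid/audience",',
  '"email":"svc@constructed-project.iam.gserviceaccount.com",',
  '"exp":1700000000}'
)
sample_id_token <- paste(
  b64url('{"alg":"RS256","typ":"JWT"}'), b64url(sample_claims),
  "constructed-signature", sep = "."
)

str(describe_credentials(list(id_token = sample_id_token)))
str(describe_credentials(list(access_token = "constructed-access-token")))
```

In a debugging session like the one above, the same helper can be pointed at `token$credentials` to see the audience and expiry of the ID token that came back in place of an access token.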

MarkEdmondson1234 commented 1 year ago

The auto library is 6 years old, are you generating a new package first? The gar_discovery functions do that. Using the old version probably won't work I guess.

Have you also looked at the gargle library which is a more modern take?

MarkEdmondson1234 commented 1 year ago

Check out also https://github.com/samterfa/googlePackageMaker

muxspace commented 1 year ago

Hi @MarkEdmondson1234 yes I saw the package is six years old. I'm still using some packages I wrote over 10 years ago, so I figured why not :laughing:

At any rate, I did create a package and almost got it working. I'll take a look at the other packages you mention and see if I can get those working. Many thanks!

MarkEdmondson1234 commented 1 year ago

Great you made progress. The generator functions should update with latest api changes, and are intended to be run each time you need them, rather than rely on the generation from a while back.