apigee / apigeecli

This is a tool to interact with Apigee APIs. The tool lets you manage (create, del, get, list) environments, proxies, etc.
Apache License 2.0

apigeecli_v1.119_Linux_x86_64 - apigeecli token cache -a fails with Invalid JWT #185

Closed BrentDorsey closed 1 year ago

BrentDorsey commented 1 year ago

Upgrading from v1.118 to v1.119 introduced a bug which is causing the apigeecli token cache command to fail to generate and cache a new Google Cloud Platform access token using a service account JSON credentials file.

Workaround - pinning APIGEECLI_VERSION=v1.118 resolved the issue.

LOCAL_ARCH=x86_64 Docker container base image = current-alpine

apigeecli install command used: curl -L https://raw.githubusercontent.com/apigee/apigeecli/main/downloadLatest.sh | sh -;

error details:

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3243  100  3243    0     0  19210      0 --:--:-- --:--:-- --:--:-- 19303
Downloading apigeecli_v1.119 from https://github.com/apigee/apigeecli/releases/download/v1.119/apigeecli_v1.119_Linux_x86_64.zip ...
Archive:  apigeecli_v1.119_Linux_x86_64.zip
  inflating: apigeecli_v1.119_Linux_x86_64/LICENSE.txt
  inflating: apigeecli_v1.119_Linux_x86_64/apigeecli
apigeecli v1.119 Download Complete!
apigeecli has been successfully downloaded into the /tmp/apigeecli.II8dVe folder on your system.
Copied apigeecli into the /root/.apigeecli/bin folder.
Added the apigeecli to your path with:
  export PATH=$PATH:$HOME/.apigeecli/bin 
apigeecli version v1.119, Git: cae66a1a021d9505c018974255b2ba692f219ebd
ERROR: 2023/04/05 14:40:43 token.go:152: status code 400, error in response: {
  "error": "invalid_grant",
  "error_description": "Invalid JWT: Failed audience check. The right audience is https://www.googleapis.com/oauth2/v4/token"
}
ERROR: 2023/04/05 14:40:43 token.go:152: status code 400, error in response: {
  "error": "invalid_grant",
  "error_description": "Invalid JWT: Failed audience check. The right audience is https://www.googleapis.com/oauth2/v4/token"
}


srinandan commented 1 year ago

I tested v1.119 on macOS and GCP Cloud Shell (Debian) and it worked fine. The main difference between v1.118 and v1.119 is the upgrade of the JWT libraries. I want to see how the JWT token is being generated. Can you please set the env variable export APIGEECLI_SKIPLOG=false and re-run the command? I am interested in a log statement that goes like this: jwt token : ey.... In particular, I'm interested to see the audience claim. If there is sensitive data in the token, please send it to srinandans at google.

srinandan commented 1 year ago

Never mind, I reproduced it. Thanks for spotting it.

srinandan commented 1 year ago

The behavior of flattening audience changed a bit in the new library. I have created a patch and am releasing a beta. Can you please try this release?
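
To check the audience claim discussed in this thread, the following added example (not apigeecli's code and not part of the original issue) decodes the payload of a logged JWT and reports whether aud is a flat string or a JSON array. The names audClaim and sample and the sample tokens are constructed for illustration; that the failing build emitted the array form is an assumption drawn from the "flattening" remark, not something the thread shows.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Audience named in the error_description quoted in the issue.
const expectedAud = "https://www.googleapis.com/oauth2/v4/token"

// audClaim decodes a compact JWT's payload (inspection only, no signature check).
func audClaim(token string) (shape string, values []string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, fmt.Errorf("want 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	var one string
	var many []string
	switch {
	case len(claims.Aud) == 0 || string(claims.Aud) == "null":
		return "missing", nil, nil
	case json.Unmarshal(claims.Aud, &one) == nil:
		return "string", []string{one}, nil // flattened form
	case json.Unmarshal(claims.Aud, &many) == nil:
		return "array", many, nil // unflattened form (assumed cause)
	}
	return "", nil, fmt.Errorf("aud is neither string nor array: %s", claims.Aud)
}

// sample builds a constructed token: header "e30" is "{}", signature is a placeholder.
func sample(payload string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
}

func main() {
	fmt.Println(audClaim(sample(`{"aud":["` + expectedAud + `"]}`)))
}
```

Paste the value from the jwt token log line in place of the sample to see which form a given build produces; treat the logged token as a credential while handling it.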