googleapis / google-api-java-client

Google APIs Client Library for Java
Apache License 2.0

Google backend authenticate failure, base64 decoding fails at GoogleIdTokenVerifier.verify #1529

Open melvzgungog214 opened 4 years ago

melvzgungog214 commented 4 years ago

Environment details

  1. OS type and version: MACOS Catalina
  2. Java version: openjdk version "1.8.0_242"
  3. google-api-client version(s): 1.30.9
  4. play-1.4.6

Steps to reproduce

  1. Follow steps in https://developers.google.com/identity/sign-in/web/backend-auth
  2. On the backend, GoogleIdToken idToken = verifier.verify(idtoken); causes the issue

Code example

      import java.util.Collections;
      import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
      import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
      import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
      import com.google.api.client.http.javanet.NetHttpTransport;
      import com.google.api.client.json.jackson2.JacksonFactory;

      // a blank check already covers null, so a separate null test is redundant
      if (idtoken != null && !idtoken.trim().isEmpty()) {
          GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(new NetHttpTransport(), new JacksonFactory())
                  .setAudience(Collections.singletonList(GOOGLE_CLIENT_ID))
                  .build();

          try {
              // returns null when the token does not verify; throws if the string cannot be parsed as a JWT
              GoogleIdToken idToken = verifier.verify(idtoken);

              if (idToken != null) {
                  Payload payload = idToken.getPayload();

                  String userId = payload.getSubject();
                  logger.debug("User ID: " + userId);
              }
          } catch (Exception e) {
              e.printStackTrace();
          }
      }

Stack trace: verifier.verify(idtoken) down to BaseEncoding.class:

      public final byte[] decode(CharSequence chars)

Remote debugger shows: "java.lang.IllegalArgumentException: java.io.IOException: Unrecognized character: -"

External references such as API reference guides: https://developers.google.com/identity/sign-in/web/backend-auth

Any additional information below

In the Play CLI debugger I took the token ID and used it in https://oauth2.googleapis.com/tokeninfo?id_token

It showed the decoded access token with all the correct information.

bgolson2309 commented 3 years ago

Is there a workaround, or recommended version to revert to?

chingor13 commented 3 years ago

You may need to verify that the token you are validating is actually an ID token (it will be a JWT which can be decoded - an example decoder is https://jwt.io/).

You might also want to try the newer, supported version in com.google.auth:google-auth-library: https://cloud.google.com/iap/docs/signed-headers-howto#iap_validate_jwt-java
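A pre-flight check along the lines chingor13 suggests, written here as an added example (it is not code from the issue, the reporter, or the library): before handing a string to GoogleIdTokenVerifier it confirms the value is structurally a compact JWT, that is three dot-separated base64url segments (where `-` and `_` are legal characters), and dumps the unverified payload for diagnosis only. A non-JWT value such as an OAuth access token is rejected with a readable reason instead of surfacing as a decoding exception deep in the stack. The class name, helper method names and the GOOGLE_CLIENT_ID placeholder are mine; the GoogleIdTokenVerifier and JacksonFactory calls follow the 1.30.x API the report uses.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.Collections;

public final class IdTokenPreflight {

    // Placeholder (assumption): the real value is the OAuth client ID of your Google Cloud project.
    private static final String GOOGLE_CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com";
    private static final JsonFactory JSON_FACTORY = new JacksonFactory();

    /**
     * Structural check only: an ID token is a compact JWS, i.e. header.payload.signature,
     * each segment base64url-encoded. Returns "ok" or a human-readable reason for rejection.
     */
    static String describeTokenShape(String token) {
        if (token == null || token.trim().isEmpty()) {
            return "token is null or blank";
        }
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            return "expected 3 dot-separated segments (header.payload.signature), found " + parts.length
                    + "; an OAuth access token is not a JWT and cannot be passed to verify()";
        }
        // java.util.Base64's URL decoder accepts '-' and '_' and tolerates missing '=' padding.
        Base64.Decoder urlDecoder = Base64.getUrlDecoder();
        for (int i = 0; i < parts.length; i++) {
            try {
                urlDecoder.decode(parts[i]);
            } catch (IllegalArgumentException e) {
                return "segment " + i + " is not valid base64url: " + e.getMessage();
            }
        }
        return "ok";
    }

    /** Decodes the payload WITHOUT checking the signature; use for logging only, never for authorization. */
    static String unverifiedPayloadJson(String token) {
        String payload = token.split("\\.", -1)[1];
        return new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);
    }

    /**
     * Runs the shape check, logs the unverified claims for diagnosis, then performs the real
     * verification (signature against Google's public keys, issuer, audience, expiry).
     * Returns the verified payload, or null if the token is malformed or does not verify.
     */
    static GoogleIdToken.Payload verifyOrNull(String token) throws GeneralSecurityException, IOException {
        String shape = describeTokenShape(token);
        if (!"ok".equals(shape)) {
            System.err.println("rejected before verification: " + shape);
            return null;
        }
        System.err.println("unverified payload (diagnostic only): " + unverifiedPayloadJson(token));

        GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(new NetHttpTransport(), JSON_FACTORY)
                .setAudience(Collections.singletonList(GOOGLE_CLIENT_ID))
                .build();
        GoogleIdToken idToken = verifier.verify(token);
        return idToken == null ? null : idToken.getPayload();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a string that is not a JWT at all, to show the early rejection path.
        String sample = args.length > 0 ? args[0] : "ya29.not-a-jwt";
        GoogleIdToken.Payload payload = verifyOrNull(sample);
        if (payload == null) {
            System.out.println("no verified identity");
        } else {
            System.out.println("verified subject: " + payload.getSubject()
                    + ", email: " + payload.getEmail()
                    + ", issuer: " + payload.getIssuer());
        }
    }
}
```

Run it with a real ID token as the first argument; only the value returned by verifyOrNull should be used to establish identity, since unverifiedPayloadJson deliberately skips the signature check and an attacker can put any claims in an unsigned or self-signed payload.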