googleapis / google-auth-library-nodejs

🔑 Google Auth Library for Node.js
Apache License 2.0

OAuth2Client verifyIdToken response 403 forbidden using ipv6 #1666

Closed laztheripper closed 1 year ago

laztheripper commented 1 year ago

System:

Ubuntu 20.04
Nodejs v18.17.1
google-auth-library v9.0.0

Problem: Recent versions of nodejs prefer ipv6 DNS resolution, and the OAuth2Client is getting 403: Forbidden from https://www.googleapis.com/oauth2/v1/certs unless ipv6 is disabled on the machine globally, or forced to ipv4 in node. Disabling ipv6 for the entire nodejs process just to get OAuth2Client to work is not ideal.

Repro: On Ubuntu 20.04 with ipv6 properly configured, run:

curl -v https://www.googleapis.com/oauth2/v1/certs

The response will be:

Your client does not have permission to get URL <code>/oauth2/v1/certs</code> from this server.  <ins>That’s all we know.</ins>

Disable ipv6 for the next test

sudo nano /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

sudo sysctl -p

Do it again:

curl -v https://www.googleapis.com/oauth2/v1/certs

That should work as expected.

Or, in Windows, open cmd:

curl -6 https://www.googleapis.com/oauth2/v1/certs
curl -4 https://www.googleapis.com/oauth2/v1/certs

-6 will fail, -4 won't.

OAuth2Client needs to make requests using ipv4 resolution, at least for this specific url. Thanks

danielbankhead commented 1 year ago

Thanks for the feedback; this is more of a platform concern rather than this library (as demonstrated via the curl commands). However, you may be able to use --dns-result-order=ipv4first in the command line to resolve this issue without changing OS-level configuration:

danielbankhead commented 1 year ago

> Or, in Windows, open cmd:
>
> curl -6 https://www.googleapis.com/oauth2/v1/certs
> curl -4 https://www.googleapis.com/oauth2/v1/certs
>
> -6 will fail, -4 won't.

Actually, curl -6 https://www.googleapis.com/oauth2/v1/certs works (I've verified this locally as well). Perhaps there's another networking issue?

laztheripper commented 1 year ago

> > Or, in Windows, open cmd:
> >
> > curl -6 https://www.googleapis.com/oauth2/v1/certs
> > curl -4 https://www.googleapis.com/oauth2/v1/certs
> >
> > -6 will fail, -4 won't.
>
> Actually, curl -6 https://www.googleapis.com/oauth2/v1/certs works (I've verified this locally as well). Perhaps there's another networking issue?

Perhaps, although it is strange because the server and my personal PC aren't on the same IP or region and have the same issue, and I've found dozens of questions/issues on Stack Overflow that mention various Google APIs not being resolved via ipv6.

Thanks for the tip about --dns-result-order=ipv4first however 👍
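
The per-family check from this thread as an added Node.js example (not code from the issue or from google-auth-library): it requests the certs URL once with resolution pinned to IPv4 and once to IPv6, and separates an error status received over IPv6 from an IPv6 path that never gets an HTTP response. The names `probe`, `diagnose`, `ADVICE` and the `--probe` switch are assumptions of this example.

```javascript
// Added example: compare IPv4 and IPv6 behaviour for one HTTPS endpoint.
// Run with the (hypothetical) switch:  node <this-file> --probe
const CERTS_URL = 'https://www.googleapis.com/oauth2/v1/certs'; // URL from the issue

// Request `url` with DNS resolution pinned to one address family (4 or 6).
// Always resolves; a transport failure is reported in `error`, not thrown.
async function probe(url, family, timeoutMs = 5000) {
  const https = await import('node:https');
  return new Promise((resolve) => {
    const req = https.get(url, { family, timeout: timeoutMs }, (res) => {
      res.resume(); // drain the body; only the status code matters here
      resolve({ family, status: res.statusCode, error: null });
    });
    req.on('timeout', () => req.destroy(new Error('timeout')));
    req.on('error', (err) =>
      resolve({ family, status: null, error: err.code || err.message }));
  });
}

// Turn the two probe results into one verdict.
function diagnose(v4, v6) {
  const ok = (r) => r.status === 200;
  if (ok(v4) && ok(v6)) return 'both-ok';
  // IPv4 works: did IPv6 reach the server (HTTP status) or fail before that?
  if (ok(v4)) return v6.status === null ? 'ipv6-unreachable' : 'ipv6-rejected';
  if (ok(v6)) return 'ipv4-failing';
  return 'both-failing';
}

const ADVICE = {
  'both-ok': 'Both families work; the failure is elsewhere.',
  'ipv6-rejected': 'The server answered over IPv6 with an error status (the ' +
    '403 in this issue). Try node --dns-result-order=ipv4first.',
  'ipv6-unreachable': 'No HTTP response over IPv6. Check local IPv6 routing ' +
    'and DNS, or start node with --dns-result-order=ipv4first.',
  'ipv4-failing': 'Only IPv6 works; check IPv4 egress and proxies.',
  'both-failing': 'Neither family works; check DNS, firewall and proxy.',
};

async function main() {
  const [v4, v6] = await Promise.all([probe(CERTS_URL, 4), probe(CERTS_URL, 6)]);
  const verdict = diagnose(v4, v6);
  console.log(v4, v6);
  console.log(`${verdict}: ${ADVICE[verdict]}`);
}

// Network access happens only when explicitly requested.
if (process.argv.includes('--probe')) main();
```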