googleapis / google-auth-library-nodejs

🔑 Google Auth Library for Node.js
Apache License 2.0

Slow response times when obtaining Domain Wide Delegation token and during inbound Authorization header validation #1756

Open ianhannaford opened 7 months ago

ianhannaford commented 7 months ago

Environment details

Obtaining a Domain Wide Delegated Access Token

We have two issues when using the client library when trying to PATCH a subscription. When patching a subscription for a Chat Space we are obtaining a user's Domain Wide Delegated token to use as the Authorization header for the PATCH operation.

We are using the GoogleAuth client to obtain the token and during the call to getAccessToken(); it makes a request to the Google endpoint https://www.googleapis.com/oauth2/v4/token

We have been experiencing slow response times when hitting this endpoint as shown in the attachments.


```typescript
import { GoogleAuth, GetAccessTokenResponse } from 'google-auth-library';

const auth = new GoogleAuth({
  // scopes requested for the delegated user
  scopes: "https://www.googleapis.com/auth/chat.memberships https://www.googleapis.com/auth/chat.memberships.app https://www.googleapis.com/auth/chat.messages https://www.googleapis.com/auth/chat.spaces https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile",
  // user to impersonate via domain-wide delegation
  clientOptions: { subject: [EMAIL] },
  credentials: [GOOGLE_APP_CREDENTIALS],
});

const client = await auth.getClient();

// this call performs the request to https://www.googleapis.com/oauth2/v4/token
const jwtResponse: GetAccessTokenResponse = await client.getAccessToken();

return jwtResponse.token!;
```
Header Authorization

We have also noticed slow response times during validation of the JWT Authorization header that is sent as part of the push notification. In the library it makes a call to https://www.googleapis.com/oauth2/v1/certs. Occasionally we have seen slow response times from this request as shown in the attachments.


```typescript
import { OAuth2Client } from 'google-auth-library';

const bearerTokenHeader = req.header('Authorization');

// guard against a missing or malformed header before indexing into the match
const token = bearerTokenHeader?.match(/^Bearer (.*)$/);
if (!token) {
  throw new Error('Missing or malformed Authorization header');
}

const idToken = token[1];

const client = new OAuth2Client();

// fetches (and caches) the signing certs from https://www.googleapis.com/oauth2/v1/certs
const ticket = await client.verifyIdToken({ idToken });

const claim = ticket.getPayload();
```

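The certificates fetched for `verifyIdToken` are cached on the `OAuth2Client` instance, keyed on the `Cache-Control` max-age of the /certs response, so constructing a new client inside the request handler, as the snippet above does, discards that cache and hits /certs on every push notification. The following added example (not code from this issue or from google-auth-library) models that per-instance cache with an injected fake fetcher and compares one shared client against a client per request; `parseMaxAge`, `CertCache` and `simulateCertFetches` are hypothetical names.

```javascript
// Added example, not from the issue or the library: a simplified model of the
// per-instance cert cache kept for https://www.googleapis.com/oauth2/v1/certs.
// `fetchCerts` is an injected stand-in for the HTTP call: { certs, cacheControl }.

// Parse a Cache-Control header value; return max-age in seconds (0 if absent).
function parseMaxAge(cacheControl) {
  const m = /(?:^|,)\s*max-age=(\d+)/i.exec(cacheControl || '');
  return m ? Number(m[1]) : 0;
}

class CertCache {
  constructor(fetchCerts, now = () => Date.now()) {
    this.fetchCerts = fetchCerts;
    this.now = now;        // injectable clock so the example runs offline
    this.certs = null;
    this.expiry = 0;       // epoch ms at which the cached certs go stale
    this.fetchCount = 0;   // instrumentation: how often /certs was "hit"
  }
  getCerts() {
    if (this.certs && this.now() < this.expiry) return this.certs;
    const { certs, cacheControl } = this.fetchCerts();
    this.fetchCount += 1;
    this.certs = certs;
    this.expiry = this.now() + parseMaxAge(cacheControl) * 1000;
    return certs;
  }
}

// Constructed fake /certs response: two keys, cacheable for one hour.
const FAKE_CERTS_RESPONSE = {
  certs: { 'kid-1': 'PEM-1', 'kid-2': 'PEM-2' },
  cacheControl: 'public, max-age=3600, must-revalidate',
};

// Simulate `requests` validations arriving one second apart and return how
// many cert fetches they caused: one shared client vs. a new client each time.
function simulateCertFetches(requests, sharedClient) {
  let t = 0;
  const clock = () => t;
  const shared = new CertCache(() => FAKE_CERTS_RESPONSE, clock);
  let fetches = 0;
  for (let i = 0; i < requests; i++) {
    const cache = sharedClient ? shared : new CertCache(() => FAKE_CERTS_RESPONSE, clock);
    cache.getCerts();
    if (!sharedClient) fetches += cache.fetchCount;
    t += 1000;
  }
  return sharedClient ? shared.fetchCount : fetches;
}
```

With a shared client, 100 validations within the max-age window cause a single fetch, and the next fetch only happens once the cached set expires; a client per request causes one fetch per validation, which is exactly the pattern that exposes every request to /certs latency.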
danielbankhead commented 7 months ago

We're planning to migrate to newer token endpoints upstream, which may resolve this issue (assuming there aren't any other networking issues, like proxies):

ianhannaford commented 7 months ago

@danielbankhead I see this PR updates the /token endpoint but don’t see any updates to the /cert endpoint?

danielbankhead commented 7 months ago

> I see this PR updates the /token endpoint but don't see any updates to the /cert endpoint?

I've conducted an audit and see that there are a few endpoints in this library that will also need to be updated - I'll take care of this shortly.

danielbankhead commented 7 months ago

I have a PR up to resolve, however it will require us to upgrade to Node 16 (which includes JWK support):

However, we may be able to release the following PR sooner, which may be more helpful as the /token endpoint would be hit far more often than /cert (longer cache time):