Open RadekDvorak opened 5 years ago
Hi RadekDvorak, as far as I understood, it is up to you where you want to place the fetchPublic keys method. If you don't place it in the init() of your app but instead, for example, in the http handler, you will solve this issue. This way you will fetch the keys every time a request comes in (to minimise traffic, caching could be an option but is not necessary).
Hi filip-sc,
thank you for the advice. However, I do not have my app; I am not a Go developer, I use gcp-iap-auth to validate signatures with nginx. Even if this issue is left open, at least it serves as a warning for people using the proxy the way I do.
Can confirm, you just saved me a lot of time :-)
Sorry for the delay @RadekDvorak . I think the one possible approach here is to periodically reload whatever public keys were supplied (from file or URL).
@RadekDvorak Just for my reference how much time does it take from startup to error?
Hi @imkira ,
I recall the issue happened once a month on average. I left the project, so I cannot get the exact numbers anymore.
Based on the discussion here, the key expiration may be infrequent, but an IAP engineer suggested the "refresh the keyfile on lookup failure" approach. This shouldn't be a significant source of load compared to doing it on every HTTP request as suggested by @filip-sc above. It will also be much more reliable than only doing it in init().
Can we get this merged?
Looks like @imkira's suggestion of reloading periodically is a better idea.
curl -I https://www.gstatic.com/iap/verify/public_key-jwk
HTTP/2 200
accept-ranges: bytes
content-security-policy: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cloud-gatekeeper-team
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin; report-to="cloud-gatekeeper-team"
report-to: {"group":"cloud-gatekeeper-team","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cloud-gatekeeper-team"}]}
content-length: 1352
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Fri, 28 Jul 2023 16:33:46 GMT
expires: Fri, 28 Jul 2023 17:23:46 GMT
cache-control: public, max-age=3000
last-modified: Fri, 28 Jul 2023 13:40:55 GMT
content-type: application/json
vary: Accept-Encoding
age: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
The expires and cache-control response headers indicate the key should only be cached for 50min.
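The thread settles on two complementary policies: reload the key set periodically (the 50-minute max-age above) and reload it again when a token names a kid that is not in the cache, rate-limited so that a stream of bad tokens cannot become a stream of fetches. The Go below is an added example written for this issue; it is not code from gcp-iap-auth. The Fetcher type, the NewKeyCache constructors and the use of a plain string as a stand-in for a parsed public key are assumptions made for the example, and the key sets in main are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Fetcher downloads the current key set and reports the lifetime the server
// announced for it (for example, parsed from "cache-control: max-age=3000").
// Hypothetical signature chosen for this example; the string value stands in
// for a parsed public key.
type Fetcher func() (keys map[string]string, maxAge time.Duration, err error)

// ErrUnknownKey is returned when a kid is absent even after a refresh.
var ErrUnknownKey = errors.New("no public key for kid")

// KeyCache holds the IAP public keys and refreshes them when the announced
// lifetime has passed or when a lookup misses, never more often than
// minInterval between fetch attempts.
type KeyCache struct {
	mu          sync.Mutex
	fetch       Fetcher
	now         func() time.Time
	minInterval time.Duration
	keys        map[string]string
	expiresAt   time.Time // end of the server-announced lifetime
	lastAttempt time.Time // last fetch attempt, successful or not
}

// NewKeyCache uses the wall clock; NewKeyCacheWithClock allows an injected
// clock (used by tests and shown here for completeness).
func NewKeyCache(f Fetcher, minInterval time.Duration) *KeyCache {
	return NewKeyCacheWithClock(f, minInterval, time.Now)
}

func NewKeyCacheWithClock(f Fetcher, minInterval time.Duration, now func() time.Time) *KeyCache {
	return &KeyCache{fetch: f, now: now, minInterval: minInterval}
}

// refreshLocked must be called with mu held. On failure the previously
// loaded keys are kept, so a transient outage does not reject every token.
func (c *KeyCache) refreshLocked() error {
	c.lastAttempt = c.now()
	keys, maxAge, err := c.fetch()
	if err != nil {
		return err
	}
	c.keys = keys
	c.expiresAt = c.lastAttempt.Add(maxAge)
	return nil
}

// Lookup returns the key for kid, applying both refresh policies.
func (c *KeyCache) Lookup(kid string) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	now := c.now()
	canFetch := now.Sub(c.lastAttempt) >= c.minInterval

	// Periodic reload: honour the server's max-age.
	if (c.keys == nil || !now.Before(c.expiresAt)) && canFetch {
		if err := c.refreshLocked(); err != nil && c.keys == nil {
			return "", err
		}
		canFetch = false // one attempt per interval
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	// Reload on lookup failure: rotation may have happened before max-age
	// elapsed, but do not let unknown kids trigger unbounded fetching.
	if canFetch {
		if err := c.refreshLocked(); err != nil {
			return "", err
		}
		if k, ok := c.keys[kid]; ok {
			return k, nil
		}
	}
	return "", fmt.Errorf("%w %q", ErrUnknownKey, kid)
}

func main() {
	// Constructed key sets standing in for two successive downloads of the
	// JWK document; the second one contains a newly rotated key.
	sets := []map[string]string{
		{"2nMJtw": "key-v1"},
		{"2nMJtw": "key-v1", "kid-new": "key-v2"},
	}
	calls := 0
	fetch := func() (map[string]string, time.Duration, error) {
		i := calls
		if i >= len(sets) {
			i = len(sets) - 1
		}
		calls++
		return sets[i], 50 * time.Minute, nil
	}
	c := NewKeyCache(fetch, time.Minute)
	for _, kid := range []string{"2nMJtw", "kid-new"} {
		k, err := c.Lookup(kid)
		fmt.Printf("kid=%s key=%q err=%v fetches=%d\n", kid, k, err, calls)
	}
}
```

Run as written, the second lookup still fails because it falls inside the one-minute rate limit of the first fetch; a second request for the new kid a minute later would succeed, and the periodic path refreshes once the 50-minute lifetime has passed regardless of lookup results.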
Hi,
my instance of gcp-iap-proxy stopped working. All authentications failed and the log was full of
Failed to authenticate "user@domain.tld" (No public key for "2nMJtw")
A restart solved the issue. I guess that public keys are loaded once when the process starts. If Google changes them, a restart is necessary.