zquestz / omniauth-google-oauth2

Oauth2 strategy for Google

JWT::DecodeError, Invalid segment encoding when using access_token #435

Closed duongvancuong closed 1 year ago

duongvancuong commented 1 year ago

I am using v1.1.1 and am getting this error message: "Authentication failure! Invalid segment encoding: JWT::DecodeError, Invalid segment encoding". But it worked fine before I upgraded to this version. So I checked the difference and noticed this: https://github.com/zquestz/omniauth-google-oauth2/blob/master/lib/omniauth/strategies/google_oauth2.rb#L128

[Screenshot: Screen Shot 2022-10-04 at 2 18 33 PM]

When I try to pass the access_token param, it will fall on line 128: I get an access_token instance that contains the token, which is the access_token that I gave. It will then fail at line 75 with the code below, because maybe only an id_token can be decoded successfully.

[Screenshot: Screen Shot 2022-10-04 at 2 23 39 PM]

So I wish you could consider line 74 so that it can be skipped in case the token is access_token. Thank you!

zquestz commented 1 year ago

Can't you just pass the skip_jwt option?

duongvancuong commented 1 year ago

@zquestz Yes, I can, but I was wondering if using skip_jwt would affect the use case of the verifier above?

zquestz commented 1 year ago

Yes, skip_jwt should only be used if you are using a token that can't be parsed.

zquestz commented 1 year ago

I can look into handling this case better.

duongvancuong commented 1 year ago

@zquestz Well, currently my application is using both cases: the user can use the verifier by code or use the access_token param. If using skip_jwt with the verifier case, is there any problem? Because if not skip_jwt, then using access_token will show the error message.

zquestz commented 1 year ago

There is literally no way to know if they are using an access_token or id_token within the oauth2 gem... Unfortunately this can't be resolved until there is a way to detect if an access token is an id_token or an access token before the jwt verification step.

When I have the token and decode it, it always shows as an access_token, even when initialized as an id_token....

Unless they fix that upstream, there is nothing that can be done in this gem to improve the process.

xxx commented 1 year ago

I ran into this earlier today when adding a new provider for google sheets, where we need to request a custom scope. In my case, making sure the profile scope is also included resolves it, without the need for skip_jwt.

i.e. scope: 'profile,https://www.googleapis.com/auth/spreadsheets'

mindtonic commented 9 months ago

@xxx Brilliant!

alexeyr-ci commented 1 month ago

> There is literally no way to know if they are using an access_token or id_token within the oauth2 gem...

Maybe I don't understand something, but don't you know which it is from https://github.com/zquestz/omniauth-google-oauth2/blob/294bb61b34ade2f80b20ba1ea1d8ceeb752f88d1/lib/omniauth/strategies/google_oauth2.rb#L72? If you got it from access_token.token, it's probably an access token (and you could check if access_token['access_token'] exists just in case); if from access_token['id_token'] it's definitely an ID token.
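The two checks the thread ends on, where the token came from (an explicit id_token versus a bare access token) and whether a bare token is even JWT-shaped before handing it to JWT.decode, as an added Ruby example that is not code from omniauth-google-oauth2. It assumes the OAuth2 token response has been parsed into a Hash with the 'access_token' / 'id_token' keys the last comment refers to; the module and method names and the sample tokens are constructed for illustration.

```ruby
require 'base64'
require 'json'

# Hypothetical helper (not part of the gem). Decides what, if anything, should
# go through JWT verification, so an opaque Google access token never reaches
# JWT.decode and raises JWT::DecodeError ("Invalid segment encoding").
module TokenKind
  JWT_SEGMENT = /\A[A-Za-z0-9_-]+\z/

  # True when the string has the header.payload.signature layout of a JWS and
  # its header segment decodes to JSON carrying an "alg" member. An opaque
  # access token such as "ya29...." fails this check before any decode error.
  def self.jwt_shaped?(token)
    return false unless token.is_a?(String)
    parts = token.split('.', -1)
    return false unless parts.length == 3 && parts[0, 2].all? { |p| p.match?(JWT_SEGMENT) }
    header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
    header.is_a?(Hash) && header.key?('alg')
  rescue ArgumentError, JSON::ParserError, EncodingError
    false
  end

  # Mirrors the source-based rule from the last comment: an explicit id_token is
  # definitely an ID token; a bare access token is only worth verifying when it
  # is JWT-shaped; otherwise there is nothing to verify, which is the situation
  # skip_jwt currently papers over.
  def self.token_for_verification(response)
    return [:id_token, response['id_token']] if response['id_token']
    candidate = response['access_token']
    return [:access_token_jwt, candidate] if jwt_shaped?(candidate)
    [:opaque, nil]
  end

  # Constructed sample tokens (not real Google credentials, signature is a dummy).
  def self.segment(obj)
    Base64.urlsafe_encode64(JSON.generate(obj), padding: false)
  end

  SAMPLE_ID_TOKEN = [
    segment('alg' => 'RS256', 'kid' => 'constructed-kid'),
    segment('iss' => 'https://accounts.google.com', 'sub' => '123', 'aud' => 'client-id'),
    'c2ln'
  ].join('.')
  SAMPLE_ACCESS_TOKEN = 'ya29.constructed-opaque-access-token'
end
```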