No pem found for envelope (wrong 'kid' property match)

[jpike88]

google-auth-library-nodejs/src/auth/oauth2client.ts

Line 1304 in d7893c1

if (!Object.prototype.hasOwnProperty.call(certs, envelope.kid)) {

My code looks like this:

const client = new OAuth2Client(
		'CLIENT_ID_1'
	);
	
const ticket = await client.verifyIdToken({
			idToken: token,
			audience: [
				'CLIENT_ID_1',
				'CLIENT_ID_2',
			],
		});
		const payload = ticket.getPayload();
		return payload.email;

It works well for my iOS and web Google Sign in implementations.
For the android one, it's failing, with error:

No pem found for envelope: {"alg":"RS256","kid":"6f8e1cb15641463c6df0f33394b03c92fcc889ac","typ":"JWT"}

The payload and envelope are separated correctly, it seems there is just the wrong 'kid' matching going on with the certs fetched from getFederatedSignonCertsAsync. How can I fix this?

And this is unlikely related to caching, as I had the same identical problem on local emulator, as well as a physical device, also have the same problem testing in the cloud. All freshly signed into a Google account without ever being signed into it.

[jpike88]

Found the root of the problem

The kid is matching a certificate that isn't provided via the urls in this library, but after looking for other public auth certs google may have, I found the firebase-admin library, which had this url in the code:
https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

However, this library doesn't include those certificates when figuring out which certificate to work with.

@danielbankhead can you explain this? There's this bizarre crossover with google auth and firebase... the library is called googleSignIn in android, this is incredibly confusing and has blown away a lot of my time

[jpike88]

My workaround looks like this now... nasty but it works.

import { OAuth2Client } from 'google-auth-library';
import firebase from 'firebase-admin';

const firebaseClient = firebase.initializeApp({
				credential: {
// firebase credential key
});

// resolve a token to the user email's
export async function deriveEmailFromGoogleToken(
	token: string
): Promise<string> {
	const client = new OAuth2Client(
		'CLIENT_ID_1'
	);
	
	try {
		const ticket = await client.verifyIdToken({
			idToken: token,
			audience: [
				'281074435194-iacdh6vqefvlkg5d39612ovu8qerhj9i.apps.googleusercontent.com',
				'281074435194-fl6i1orvoe8i68u49emmfag840tejtba.apps.googleusercontent.com',
			],
		});
		const result = ticket.getPayload();
		return result.email;
	} catch (error) {
		// google auth library failed, move on
	}

	try {
		const result = await firebaseClient
			.auth()
			.verifyIdToken(token);
		return result.email;
	} catch (error) {
		// move on
	}

	throw new Error('no match for google sign in.');
}

[summer-ji-eng]

@danielbankhead could you take a look at this issue? Many thanks

[danielbankhead]

@jpike88 apologies for the delay; we're working to improve the integration between this library and Firebase - I should have some updates on this and other related issues shortly.