ComputeEngineCredentials.createScoped copies existing AccessToken #1387

Closed
erlendnils1 opened this issue Apr 29, 2024 · 6 comments · Fixed by #1428
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

erlendnils1 commented Apr 29, 2024

After upgrading com.google.oauth-client from v1.21.0 to 1.23.0 we started getting 403 ACCESS_TOKEN_SCOPE_INSUFFICIENT errors from the PlayIntegrity.decodeIntegrityToken service. This was the case until the initial AccessToken expired, after which it started working again.

We obtained the credentials used (through an HttpCredentialsAdapter) to access the PlayIntegrity service in this way:

var scopedCredentials = GoogleCredentials.getApplicationDefault().createScoped(PlayIntegrityScopes.all());

The cause of the changed behavior appears to be from this commit: 7e26861, which changes the ComputeEngineCredentials.createScoped implementation to copy a lot more state from the original ComputeEngineCredentials object to the new, scoped ComputeEngineCredentials object. This includes copying the AccessToken from the original, which does not seem like the desired behaviour when the scopes are updated.

We have added an immediate refresh after creating the scoped credentials to make sure we get a new access token with the correct scope. This has solved the issue for us, but I assume this may be a gotcha that affects more users.

Workaround:

var scopedCredentials = GoogleCredentials.getApplicationDefault().createScoped(PlayIntegrityScopes.all());
scopedCredentials.refresh();
@clundin25 clundin25 added type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. priority: p2 Moderately-important priority. Fix may not be included in next release. labels Apr 29, 2024
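
A minimal model of the caching behaviour reported in the post above, added here as an illustration; it is not google-auth-library code and is not part of the original issue. `ToyCredentials`, `Token`, both `createScoped*` variants and the scope labels are hypothetical names constructed for the example.

```java
import java.time.Instant;
import java.util.Set;

// Toy model of the reported behaviour; not google-auth-library code.
public class ScopedTokenCacheDemo {
    // A cached token remembers the scopes it was minted for.
    record Token(Set<String> scopes, Instant expiry) {}

    static class ToyCredentials {
        final Set<String> scopes;
        Token cached; // null until the first refresh

        ToyCredentials(Set<String> scopes, Token cached) {
            this.scopes = scopes;
            this.cached = cached;
        }

        // Stand-in for the token endpoint: mints a token for the current scopes.
        void refresh() { cached = new Token(scopes, Instant.now().plusSeconds(3600)); }

        // Refresh on demand: only when the cache is empty or the token has expired.
        Token getToken() {
            if (cached == null || cached.expiry().isBefore(Instant.now())) refresh();
            return cached;
        }

        // Reported behaviour: the scoped copy inherits the old token.
        ToyCredentials createScopedCopyingToken(Set<String> newScopes) {
            return new ToyCredentials(newScopes, cached);
        }

        // Expected behaviour: a scope change starts with an empty cache.
        ToyCredentials createScopedFresh(Set<String> newScopes) {
            return new ToyCredentials(newScopes, null);
        }
    }

    // True when the token that would be sent covers the credential's own scopes.
    static boolean covers(ToyCredentials c) { return c.getToken().scopes().containsAll(c.scopes); }

    public static void main(String[] args) {
        Set<String> wanted = Set.of("scope:playintegrity"); // constructed scope label
        ToyCredentials base = new ToyCredentials(Set.of("scope:default"), null);
        base.getToken(); // the base credential now holds a token for its own scopes

        ToyCredentials copied = base.createScopedCopyingToken(wanted);
        System.out.println("copied token covers new scope: " + covers(copied));
        copied.refresh(); // the workaround posted in the issue
        System.out.println("after refresh(): " + covers(copied));
        System.out.println("empty-cache variant: " + covers(base.createScopedFresh(wanted)));
    }
}
```

In the copying variant the inherited token keeps being served until its expiry, which matches the report that the 403 errors stopped once the initial AccessToken expired.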

roma2341 commented Jun 15, 2024

In google-auth-library-oauth2-http 1.19.0 I also got ACCESS_TOKEN_SCOPE_INSUFFICIENT randomly. I will try to use your fix and update the library to the latest version.
What is interesting is that delegatedCredential.getAccessToken() gave me null just after credential creation. But sometimes it returns an AccessToken object. Is it OK? How about calling refreshIfExpired()? Will it help?

@zhumin8 zhumin8 self-assigned this Jun 20, 2024

zhumin8 (Contributor) commented Jun 27, 2024

> In google-auth-library-oauth2-http 1.19.0 I also got ACCESS_TOKEN_SCOPE_INSUFFICIENT randomly. I will try to use your fix and update the library to the latest version. What is interesting is that delegatedCredential.getAccessToken() gave me null just after credential creation. But sometimes it returns an AccessToken object. Is it OK? How about calling refreshIfExpired()? Will it help?

Did the workaround above work for your case? And do you mind clarifying what credential class you are using for the delegatedCredential you mentioned above? Is it also ComputeEngineCredentials?

roma2341 commented Jul 5, 2024

> > In google-auth-library-oauth2-http 1.19.0 I also got ACCESS_TOKEN_SCOPE_INSUFFICIENT randomly. I will try to use your fix and update the library to the latest version. What is interesting is that delegatedCredential.getAccessToken() gave me null just after credential creation. But sometimes it returns an AccessToken object. Is it OK? How about calling refreshIfExpired()? Will it help?
>
> Did the workaround above work for your case? And do you mind clarifying what credential class you are using for the delegatedCredential you mentioned above? Is it also ComputeEngineCredentials?

Yes, my issue was resolved after I added .refresh()

I had something like:

var delegatedCredentials = adminCredential
                .createDelegated(email)
                .createScoped(GOOGLE_AUTH_USER_SCOPES);

And I frequently got the ACCESS_TOKEN_SCOPE_INSUFFICIENT error when using these credentials.
But after I added this line, the errors no longer reappear:
delegatedCredentials.refresh();

I still don't understand why I have to do it each time I create delegated credentials. I thought that Google library code automatically refreshes tokens when necessary... This solution looks like a dirty hack.

zhumin8 (Contributor) commented Jul 11, 2024

@roma2341 Thanks for confirming the workaround.
This is not expected behavior and you should expect it to be fixed soon.

@turcsanyip

@zhumin8 Thanks for fixing it! We ran into the same issue recently and I can confirm that our use case is working again with commit 079a065. Do you have an expected release date for the fix? Thanks

zhumin8 (Contributor) commented Sep 3, 2024

@turcsanyip Thanks for testing this out.
We are most likely cutting a release later this week; we are working on another fix that we want to include in the same release.
