GoogleCredentials.accessToken method is broken due to #942

[jjathman]

Expected Behavior

The GoogleCredentials instance injected by Micronaut should be fully functional and not have API limitations.

Actual Behaviour

Calling googleCredentials.refreshIfExpired() followed by googleCredentials.getAccessToken().getTokenValue() results in a null pointer exception. This worked previously.

Steps To Reproduce

Have a class which has an instance of GoogleCredentials injected by Micronaut GCP. On the injected credentials instance execute this code:

googleCredentials.refreshIfExpired()
googleCredentials.getAccessToken().getTokenValue()

It appears as though this was broken with the change in #942 which added an interceptor around the Google Credentials. The proxied credentials class has a final method getAccessToken which does not get intercepted and causes the NPE at runtime.

Environment Information

No response

Example Application

No response

Version

4.2.0 (Micronaut GCP version 5.3.0)

[turneand]

We have a similar issue, whereby we cast the GoogleCredentials into an IdTokenProvider to permit token access, similar to the intent of the micronaut-gcp-http-client, but allows us to run the application in places other than GCP. However, as of micronaut 4.2.0 this no longer works due to the same aop proxy creation, as not inheriting everything.

String getToken(GoogleCredentials credentials, String audience) throws IOException {
  var idTokenProvider = (IdTokenProvider) credentials;
  return idTokenProvider.idTokenWithAudience(audience, List.of(IdTokenProvider.Option.INCLUDE_EMAIL)).getTokenValue();
}

Although we could get the underlying target, this appears to be using "internal" APIs, so not sure we should:

var target = credentials instanceof InterceptedProxy ? ((InterceptedProxy<?>) credentials).interceptedTarget() : credentials;
var idTokenProvider = (IdTokenProvider) target;

[jjathman]

@turneand that is exactly the kind of code we had before. I think Google's examples show something just like that which is where we got it from.

[jjathman]

@jeremyg484 Would it be possible to make the logging of authentication failures aspect a configurable thing? This is a blocking issue for us to be able to upgrade to Micronaut 4.2.

[jeremyg484]

@jeremyg484 Would it be possible to make the logging of authentication failures aspect a configurable thing? This is a blocking issue for us to be able to upgrade to Micronaut 4.2.

Thanks for the ping, I somehow missed this issue earlier.

Yes, a flag to disable the interceptor should be possible at the very least. I'll try and do that in time for the next release, as well as revisit the implementation to see if these problems can be avoided altogether.

As a workaround, I believe you should be able to set gcp.credentials.enabled=false in your application config, and that will disable the GoogleCredentialsFactory (and thus the AOP interceptor that is bound to it) altogether. You could then supply your own factory to create an un-intercepted instance of GoogleCredentials.

[jjathman]

Thanks for the reply. I think if it's something we will have in the next release we will probably just wait for that versus disabling the credentials factory. Looking forward to it.