Error: Invalid TokenServiceAccount seeing ID token but not access token #224

Open
muxspace opened this issue Jan 30, 2023 · 5 comments

muxspace commented Jan 30, 2023

Cannot authenticate service account

I am trying to authenticate a service account. This worked last week but now is failing. I traced it to the returned token from Google, which doesn't include an access token, so a NULL is being returned.

Note that I'm trying to create a package to connect with StackDriver logging based on the auto API generator provided by the same author.

Steps to reproduce the problem

library(googleAuthR)
options(googleAuthR.scopes.selected = c('https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/logging.admin', 'https://www.googleapis.com/auth/logging.read', 'https://www.googleapis.com/auth/logging.write', 'https://www.googleapis.com/auth/logging.views.access'))

gar_auth_service(json_path)

The json_path holds a JSON file containing the JSON key downloaded from the GCP Service Account page.

Expected output

Successful authentication

Actual output

> options(googleAuthR.verbose=2)
> gar_auth_service(json_path)
Error: Invalid TokenServiceAccount

When I debug credentials_service_account, and subsequently token <- httr::oauth_service_token(endpoint = gargle_oauth_endpoint(), secrets = info, scope = scopes, sub = subject), I see that the OAuth response contains an ID token but not an access token.

Browse[2]> token <- credentials_service_account(scopes = scope, path = json_file)
debugging in: credentials_service_account(scopes = scope, path = json_file)
debug: {
...
Browse[4]> token
<Token>
<oauth_endpoint>
 authorize: https://accounts.google.com/o/oauth2/v2/auth
 access:    https://oauth2.googleapis.com/token
 validate:  https://oauth2.googleapis.com/tokeninfo
 revoke:    https://oauth2.googleapis.com/revoke
NULL
<credentials> id_token

This is failing because httr appears to only look for an access token.

debug: if (is.null(token$credentials$access_token) || !nzchar(token$credentials$access_token)) {
    NULL
} else {
    gargle_debug("service account email: {.email {token_email(token)}}")
    token
}

I'm wondering if you've seen a change in the way Google's APIs are handling these authentication requests?

Session Info

> sessionInfo()
R version 4.2.2 (2022-10-31)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Ubuntu 22.04.1 LTS

Matrix products: default
BLAS:   /usr/lib/x86_64-linux-gnu/blas/libblas.so.3.10.0
LAPACK: /usr/lib/x86_64-linux-gnu/lapack/liblapack.so.3.10.0

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C              
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8    
 [5] LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8   
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=C                 
 [9] LC_ADDRESS=C               LC_TELEPHONE=C            
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C       

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

other attached packages:
[1] futile.stackdriver_0.0.1 googleAuthR_2.0.0       

loaded via a namespace (and not attached):
 [1] digest_0.6.30    assertthat_0.2.1 R6_2.5.1         jsonlite_1.8.3  
 [5] httr_1.4.4       rlang_1.0.6      cachem_1.0.6     cli_3.4.1       
 [9] curl_4.3.3       fs_1.6.0         tools_4.2.2      glue_1.6.2      
[13] fastmap_1.1.0    compiler_4.2.2   askpass_1.1      gargle_1.2.1    
[17] memoise_2.0.1    openssl_2.0.4
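
Added example (not part of the original post, and not code from googleAuthR, gargle or httr): an R helper that applies the same access-token test as the check quoted above to a parsed token response and, when only an ID token came back, decodes its unverified claims so you can see which audience and identity it was issued for. The function names and the sample token are constructed for illustration; the claims are decoded for diagnosis only, with no signature check.

```r
library(jsonlite)

# Decode the claims segment of a JWT without verifying the signature.
# For troubleshooting only; never treat the result as authenticated.
jwt_claims <- function(jwt) {
  parts <- strsplit(jwt, ".", fixed = TRUE)[[1]]
  if (length(parts) != 3) stop("not a three-part JWT")
  fromJSON(rawToChar(base64url_dec(parts[2])))
}

# `credentials` is the parsed token response (token$credentials in httr).
describe_credentials <- function(credentials) {
  has <- function(name) {
    value <- credentials[[name]]
    is.character(value) && length(value) == 1 && nzchar(value)
  }
  if (has("access_token")) {
    # Report presence only; do not print or log the token itself.
    return(list(kind = "access_token", has_access_token = TRUE))
  }
  if (has("id_token")) {
    claims <- jwt_claims(credentials$id_token)
    return(list(kind = "id_token", has_access_token = FALSE,
                aud = claims$aud, email = claims$email))
  }
  list(kind = "none", has_access_token = FALSE)
}

# Constructed sample: an unsigned, made-up ID token (not a real Google response).
seg <- function(x) {
  base64url_enc(charToRaw(as.character(toJSON(x, auto_unbox = TRUE))))
}
sample_id_token <- paste(
  seg(list(alg = "RS256", typ = "JWT")),
  seg(list(aud = "https://example.invalid", email = "sa@example.invalid")),
  "constructed-signature",
  sep = "."
)

str(describe_credentials(list(id_token = sample_id_token)))
str(describe_credentials(list(access_token = "constructed-value")))
str(describe_credentials(list()))
```
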
@muxspace
Author

Is there a way to specify in the auth request that an OAuth access token is desired, instead of an OpenID Connect ID token?

@MarkEdmondson1234
Owner

The auto library is 6 years old, are you generating a new package first? The gar_discovery functions do that. Using the old version probably won't work I guess.

Have you also looked at the gargle library which is a more modern take?

@muxspace
Author

Hi @MarkEdmondson1234 yes I saw the package is six years old. I'm still using some packages I wrote over 10 years ago, so I figured why not 😆

At any rate, I did create a package and almost got it working. I'll take a look at the other packages you mention and see if I can get those working. Many thanks!

@MarkEdmondson1234
Owner

Great you made progress. The generator functions should update with the latest API changes, and are intended to be run each time you need them, rather than relying on the generation from a while back.
