Invalid issuer. Expected accounts.google.com, received https://accounts.google.com #292
Comments
This would be a workaround for issue zquestz#292. Google's own libraries for OAuth don't verify `iss`, and it seems that they've recently changed the `iss` to `http://accounts.google.com` from `accounts.google.com`
Seems it is something to do with your custom scope. The default example still returns
OK, did a bunch of testing and Google has made it impossible to verify. Serious lack of thought on Google's behalf.
Fixes "Invalid issuer. Expected accounts.google.com, received https://accounts.google.com" error on deploy. See zquestz/omniauth-google-oauth2#292. Also update docs on using webpacker.
Thank you for the quick fix! <3 Rather than disabling ISS verification completely, could we do something like this (capturing exceptions if necessary)? That way we can at least check it's one that we expect. (I don't know ISS/JWT at all though, so not sure if this is feasible.)
Yeah, that was originally going to be my approach, but double validating the JWT isn't a great idea. Honestly Google doesn't even validate the ISS in their own clients, so I think the current solution is just fine. I am guessing eventually it will only return https://accounts.google.com, and when that happens we can adjust the code to only use that.
Why can't we just parse `iss` as a URI and take the server part... sort of domain verification. From the RFC:
It's not something you can parse, it is passed into
@zquestz Can you provide an example of Google clients not validating the
Google has a million docs about their APIs, but at least one specifies how to validate this field: https://developers.google.com/identity/sign-in/web/backend-auth
Starting with JWT 2.0, you won't need to decode the JWT token twice, as `iss: ['accounts.google.com', 'https://accounts.google.com']` is accepted. This was changed in jwt/ruby-jwt#210 to allow for this specific case where Google returns multiple
I'm running into the error `JWT::InvalidIssuerError: Invalid issuer. Expected accounts.google.com, received https://accounts.google.com`. It seems that Google is sending 'https://accounts.google.com' instead of 'accounts.google.com' as the `iss`? Should there be a way to specify the `iss` to verify? (referencing https://github.com/zquestz/omniauth-google-oauth2/blob/master/lib/omniauth/strategies/google_oauth2.rb#L64 here)

My omniauth.rb file: