Invalid issuer. Expected accounts.google.com, received https://accounts.google.com #292

Closed
blaedj opened this issue Jul 19, 2017 · 9 comments

Comments

@blaedj
Contributor

blaedj commented Jul 19, 2017

I'm running into the error JWT::InvalidIssuerError: Invalid issuer. Expected accounts.google.com, received https://accounts.google.com. It seems that Google is sending 'https://accounts.google.com' instead of 'accounts.google.com' as the iss?

Should there be a way to specify the iss to verify? (referencing https://github.com/zquestz/omniauth-google-oauth2/blob/master/lib/omniauth/strategies/google_oauth2.rb#L64 here)

my omniauth.rb file:

```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2,
           Rails.application.secrets.google_client_id,
           Rails.application.secrets.google_client_secret,
           {
             :name => "google",
             # default email/profile scopes plus read-only Directory API access
             :scope => "email, profile, https://www.googleapis.com/auth/admin.directory.user.readonly",
             :prompt => "consent",
             :access_type => 'offline' # ask for a refresh token
           }
end
```
blaedj added a commit to kolide/omniauth-google-oauth2 that referenced this issue Jul 19, 2017
this would be a workaround for issue zquestz#292. Google's own libraries for
oauth don't verify iss, and it seems that they've recently changed the
iss to `http://accounts.google.com` from `accounts.google.com`
@zquestz
Owner

zquestz commented Jul 20, 2017

Seems it is something to do with your custom scope. The default example still returns accounts.google.com. I think the best solution is to make sure iss is configurable to support this odd behavior.

zquestz pushed a commit that referenced this issue Jul 20, 2017
this would be a workaround for issue #292. Google's own libraries for
oauth don't verify iss, and it seems that they've recently changed the
iss to `http://accounts.google.com` from `accounts.google.com`
@zquestz
Owner

zquestz commented Jul 20, 2017

K did a bunch of testing and google has made it impossible to verify iss correctly as the value changes between accounts.google.com and https://accounts.google.com at random. Even if we could set it, there is no reliable way to know what they will return.

Serious lack of thought on google's behalf.

@zquestz zquestz closed this as completed Jul 20, 2017
soundasleep added a commit to soundasleep/railswiki that referenced this issue Jul 20, 2017
Fixes "Invalid issuer. Expected accounts.google.com, received https://accounts.google.com" error on deploy.
See zquestz/omniauth-google-oauth2#292

Also update docs on using webpacker
@soundasleep

Thank you for the quick fix! <3

Rather than disabling ISS verification completely, could we do something like this (capturing exceptions if necessary)?

```ruby
success = test_iss("accounts.google.com") || test_iss("https://accounts.google.com")
```

That way we can at least check it's one that we expect. (I don't know ISS/JWT at all though so not sure if this is feasible)

@zquestz
Owner

zquestz commented Jul 21, 2017

Yeah that was originally going to be my approach but double validating the JWT isn't a great idea. Honestly Google doesn't even validate the ISS in their own clients, so I think the current solution is just fine. I am guessing eventually it will only return https://accounts.google.com, and when that happens we can adjust the code to only use that.

@ilgianlu

ilgianlu commented Jul 21, 2017

Why can't we just parse iss as a URI and take the server part... a sort of domain verification.
Just my thought.

From RFC:
The "iss" value is a case-sensitive string containing a StringOrURI value.
Anyway.. I agree with "Serious lack of thought on google's behalf."

@zquestz
Owner

zquestz commented Jul 21, 2017

It's not something you can parse, it is passed into JWT.decode as an option. The only other option is to try and decode the JWT token twice for both cases. I wish it was as simple as parsing it. =(

@pior

pior commented Jul 25, 2017

@zquestz Can you provide an example of Google clients not validating the iss field?

@pior

pior commented Jul 25, 2017

Google has a million docs about their APIs, but at least one specifies how to validate this field:

The value of iss in the ID token is equal to accounts.google.com or https://accounts.google.com.

https://developers.google.com/identity/sign-in/web/backend-auth

@dark-panda

Starting with JWT 2.0, you won't need to decode the JWT token twice, as JWT::Verify#verify_iss itself will allow for an array of values to check against. See https://github.com/jwt/ruby-jwt/blob/master/lib/jwt/verify.rb#L44 and the specs at https://github.com/jwt/ruby-jwt/blob/master/spec/jwt/verify_spec.rb#L128 for details. The fix, then, can be changing the :iss option to JWT.decode to

```ruby
iss: ['accounts.google.com', 'https://accounts.google.com']
```

This was changed in jwt/ruby-jwt#210 to allow for this specific case where Google returns multiple iss values.
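Added example, written for this page and not taken from omniauth-google-oauth2, ruby-jwt or any commenter above: an exact-match issuer allow-list that accepts both forms Google documents ('accounts.google.com' and 'https://accounts.google.com') and nothing else, which is what passing an array as `:iss` to JWT.decode achieves. It uses only the Ruby standard library so it runs offline. Assumptions: tokens are HS256 with a constructed shared secret (real Google ID tokens are RS256, verified against Google's published public keys; only the signing step differs), and the audience, secret and sample claims are made up. The signature is checked before the issuer, because an issuer check on unverified claims proves nothing, and the issuer comparison is case-sensitive with no scheme normalisation or host extraction, so `http://accounts.google.com`, `Accounts.Google.com` and a lookalike host are all rejected.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Issuer values Google documents for ID tokens, matched exactly and
# case-sensitively (RFC 7519 says "iss" is a StringOrURI, not a hostname).
GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'].freeze

# Demo assumptions (not how Google signs real ID tokens, which use RS256
# with Google's published keys): HS256 with a constructed secret and audience.
DEMO_SECRET = 'constructed-demo-secret'.freeze
DEMO_AUDIENCE = 'demo-client-id.apps.googleusercontent.com'.freeze

class TokenError < StandardError; end

def b64url(str)
  Base64.urlsafe_encode64(str, padding: false)
end

def unb64url(str)
  Base64.urlsafe_decode64(str) # tolerates missing '=' padding
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the HS256 signature and return the claims. Signature first, issuer
# second: an issuer check on unverified claims proves nothing.
def decode_hs256(token, secret)
  parts = token.split('.')
  raise TokenError, 'malformed token' unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(unb64url(header_b64))
  raise TokenError, "unexpected alg #{header['alg'].inspect}" unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  raise TokenError, 'bad signature' unless secure_equal?(expected, unb64url(sig_b64))
  JSON.parse(unb64url(payload_b64))
end

# Accept either documented issuer form, nothing else: no scheme
# normalisation, no host extraction, no case folding.
def verify_issuer(claims, allowed = GOOGLE_ISSUERS)
  iss = claims['iss']
  raise TokenError, 'missing iss' if iss.nil?
  raise TokenError, "invalid issuer #{iss.inspect}" unless allowed.include?(iss)
  iss
end

def verify_id_token(token, secret, audience, now = Time.now.to_i)
  claims = decode_hs256(token, secret)
  verify_issuer(claims)
  raise TokenError, 'audience mismatch' unless claims['aud'] == audience
  raise TokenError, 'token expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
  claims
end

# Mint a constructed sample token for the demo (hypothetical helper).
def mint_hs256(claims, secret)
  header = b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  signing_input = "#{header}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Run the verifier over several issuer values and report accept/reject per value.
def issuer_outcomes(secret = DEMO_SECRET, audience = DEMO_AUDIENCE)
  candidates = [
    'accounts.google.com',                      # documented form
    'https://accounts.google.com',              # documented form
    'http://accounts.google.com',               # wrong scheme
    'https://accounts.google.com.evil.example', # lookalike host
    'Accounts.Google.com'                       # wrong case
  ]
  candidates.each_with_object({}) do |iss, out|
    token = mint_hs256({ 'iss' => iss, 'aud' => audience, 'sub' => '1234',
                         'exp' => Time.now.to_i + 300 }, secret)
    out[iss] = begin
      verify_id_token(token, secret, audience)
      :accepted
    rescue TokenError => e
      "rejected (#{e.message})"
    end
  end
end

if $PROGRAM_NAME == __FILE__
  issuer_outcomes.each { |iss, result| puts "#{iss.ljust(44)} #{result}" }
end
```

Running the file prints one line per candidate issuer; only the two documented values are accepted. Matching the whole string, rather than parsing the URI and comparing hosts, keeps the check identical to the one ruby-jwt performs with an array `:iss`, and avoids accepting a value the documentation does not list.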
