
Certificate for key id xxxx not found: What could be the possible cause? #316

Description

@zhengzhong

Hi, I'm maintaining a website and its mobile apps (iOS and Android). For Google Sign-In in the mobile apps, I'm using the google-auth Python package on the server side.

About one month ago, I started to receive error reports related to Google Sign-In from the server side. The error message looks like the following:

Certificate for key id 728f4016652079b9ed99861bb09bafc5a45baa86 not found.

The server-side Google Sign-In authentication backend follows this document:

import logging

from google.oauth2 import id_token
from google.auth.transport import requests

logger = logging.getLogger(__name__)

# VALID_CLIENT_IDS is the set of OAuth client IDs (web, iOS, Android) whose
# tokens this backend accepts; google_id_token is the ID token sent by the app.
# ...

try:
    # The following line may raise ValueError with message: Certificate for key id xxxx not found.
    id_info = id_token.verify_oauth2_token(google_id_token, requests.Request())

    # google-auth checks signature, issuer and expiry; the audience is checked here.
    if id_info['aud'] not in VALID_CLIENT_IDS:
        logger.error('Invalid aud from Google ID token: %s', id_info['aud'])
        raise ValueError('Unverified audience.')
    # ...
except ValueError as exc:
    logger.error('Fail to verify Google ID token: %s', exc, extra={'request': request})

Diving into the code, I can see that the verify_oauth2_token() function fetches Google's public certificates from the URL https://www.googleapis.com/oauth2/v1/certs. It seems that sometimes, for some Google ID tokens sent from some Android devices, the key id cannot be found at that URL.

Here are some other details which might be interesting:

  • It seems that the iOS app does not have this kind of issue. From the USER_AGENT header (okhttp/3.11.0), I can see that the error happens only in the Android app. And it happens only on some Android devices, not all.
  • I was wondering if this happens only for Android phones from China (e.g. if they are connecting via a VPN). So I also checked the user IP addresses. But it turned out that those users were from Europe.
  • Some key ids recur again and again in the server error logs. For example, the key id aa436c3f63b281ce0d976da0b51a34860ff960eb has been seen dozens of times, from November to now.
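The lookup that fails here is a key-id (kid) match: the JWT header names the key that signed the token, and the verifier looks that kid up in the certificate set it fetched. The following is an added example, not google-auth's code and not the reporter's, of how a server can (a) decode the header and claims without verification to log the kid, token age and expiry alongside the error, which separates a token signed by a key that has since been rotated out from a genuinely unknown key, and (b) refresh the key set once on a kid miss before giving up, so that a rotation between fetch and verification does not produce a spurious failure. Assumptions: the key sets, audiences and tokens are constructed inline, and HS256 with a shared secret per kid stands in for Google's RS256 certificates so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Iterable, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_id_token(token: str, now: int) -> dict:
    """Decode header and claims WITHOUT verifying the signature.
    Diagnostics only (log it next to the failure): which key id signed
    the token, how old it is, whether it is already expired, which aud."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    return {
        "kid": header.get("kid"),
        "alg": header.get("alg"),
        "aud": claims.get("aud"),
        "age_seconds": now - claims.get("iat", now),
        "expired": claims.get("exp", 0) < now,
    }


class KeySetCache:
    """Verification keys keyed by kid. On a miss, re-fetch once (the provider
    may have rotated keys since the last fetch) before reporting the miss."""

    def __init__(self, fetch: Callable[[], Dict[str, bytes]]):
        self._fetch = fetch
        self._keys: Dict[str, bytes] = fetch()
        self.refreshes = 0

    def key_for(self, kid: str) -> bytes:
        if kid not in self._keys:
            self._keys = self._fetch()
            self.refreshes += 1
        if kid not in self._keys:
            raise ValueError(f"Certificate for key id {kid} not found.")
        return self._keys[kid]


def verify_token(token: str, cache: KeySetCache,
                 valid_audiences: Iterable[str], now: int) -> dict:
    """Check signature (HS256 stand-in for RS256), then expiry, then audience."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    key = cache.key_for(header.get("kid", ""))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("Invalid signature.")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) < now:
        raise ValueError("Token expired.")
    if claims.get("aud") not in set(valid_audiences):
        raise ValueError("Unverified audience.")
    return claims


def make_token(kid: str, key: bytes, claims: dict) -> str:
    """Constructed helper: mint an HS256 JWT under a given key id."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


# Constructed sample: the published key set gains a key between two fetches.
KEY_SETS = [
    {"kid-old": b"old-secret"},
    {"kid-old": b"old-secret", "kid-new": b"new-secret"},  # after rotation
]
VALID_CLIENT_IDS = {"my-android-client-id"}


def demo() -> dict:
    fetch_count = {"n": 0}

    def fetch() -> Dict[str, bytes]:
        idx = min(fetch_count["n"], len(KEY_SETS) - 1)
        fetch_count["n"] += 1
        return KEY_SETS[idx]

    cache = KeySetCache(fetch)          # first fetch: only kid-old known
    now = 1_700_000_000
    fresh = make_token("kid-new", b"new-secret",
                       {"aud": "my-android-client-id", "iat": now - 60, "exp": now + 3000})
    claims = verify_token(fresh, cache, VALID_CLIENT_IDS, now)  # miss, refresh, ok
    # A ten-day-old token under a kid no longer published: still fails after refresh.
    stale = make_token("kid-gone", b"gone-secret",
                       {"aud": "my-android-client-id", "iat": now - 864000, "exp": now - 860000})
    err: Optional[str] = None
    try:
        verify_token(stale, cache, VALID_CLIENT_IDS, now)
    except ValueError as exc:
        err = str(exc)
    return {"refreshes": cache.refreshes, "verified_aud": claims["aud"],
            "stale_error": err, "stale_info": inspect_id_token(stale, now)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the key lookup runs before the expiry check, so an expired token signed by a retired key surfaces as "Certificate for key id ... not found" rather than "Token expired"; logging the output of inspect_id_token next to that error is what makes the two cases distinguishable in the server logs.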

The website is running on the following environment:

  • OS: Linux (CentOS 7) 64-bit
  • Python version: 3.6.7
  • pip version: 18.1
  • google-auth version: 1.3.0 and 1.6.1

As I could not reproduce this issue with either my iPhone or my Android phone (Huawei P20, bought in France), I am completely stuck.

I don't think this is a bug in the google-auth package. But I'm wondering if you have ever heard of this error, and what the possible cause of it could be.

Thanks in advance!

Labels: external (This issue is blocked on a bug with the actual product.); type: question (Request for information or clarification. Not an issue.)