Old kid when getting IdToken in Android


We've recently noticed that a significant number of our users are getting unauthorized request errors and can't communicate with the backend.

We're using Google authentication like so:

String scope = "audience:server:client_id:" + SERVER_CLIENT_ID;
String account = getAnyGoogleAccountFromDevice();
String idToken = GoogleAuthUtil.getToken(context, account, scope);

And on the server side we get Google's certificates from: https://www.googleapis.com/oauth2/v1/certs

and verify the incoming IdToken via the appropriate kid (key IdToken)

However, we see many users sending to the server old kid values that don't currently appear on the Google certificates list, such as:

2d067ddbe81104cefc208b560142c17f1324b625
2307d906764ed4557bab909b5b10b7f457a0964b
9c94eef5e68e95f5fb04cfd0b4e1378dd0daf239
a0eb736e47190f38e9251187676403e09aa8f9f0
2bc0aa0ebafce2ba831a08e64606039a4b126648
b23817bc1a7f6be1b4a75f77f2fb70d814c40ec7
d71bcfbf066fae5cd55d6f2fecea209af47a4407

A quick search for one of these online seems to suggest these are valid kid values, but stale; I've seen some mentions of them from about a month or two ago.

We call GoogleAuthUtil.getToken right before sending a request to the backend, so this is not cached by us in some way.

Also, I've talked to one user that seems to get this issue, and it appears the client she's using has been generating tokens via an old kid value 2d067ddbe81104cefc208b560142c17f1324b625 for quite some time now. The JSON we get for this token on the backend is:

{
  "header": {
    "alg": "RS256",
    "kid": "2d067ddbe81104cefc208b560142c17f1324b625"
  },
  "data": {
    "azp": "<redacted>.apps.googleusercontent.com",
    "aud": "<redacted>.apps.googleusercontent.com",
    "sub": "<redacted>",
    "email": "<redacted>",
    "email_verified": true,
    "iss": "accounts.google.com",
    "iat": 1497414898,
    "exp": 1497418498
  },
  "isAuthentic": null,
  "isExpired": false
}

You can see the exp timestamp is for June 14, 2017, 2.5 months ago.

Any idea what is going on?
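The server-side checks described in the question, as an added example that is not code from the question or from Google's libraries: it parses the token header to get the kid, looks it up in the current cert set, and checks iss, aud and exp. The cert set, the kids in it, the aud value and the signature segment are constructed placeholders, so the RS256 signature check itself is not performed here.

```python
import base64
import json

# Constructed stand-in for the JSON served at
# https://www.googleapis.com/oauth2/v1/certs (kid -> PEM). Placeholder kids.
CURRENT_CERTS = {
    "kid-current-1": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
    "kid-current-2": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
}

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def pre_verify(id_token, certs, expected_aud, now):
    """Checks that precede the RS256 signature check. Returns the list of
    failures; an empty list means signature verification against certs[kid] may proceed."""
    header_seg, payload_seg, _sig = id_token.split(".")
    header = _b64url_decode(header_seg)
    claims = _b64url_decode(payload_seg)
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg")
    kid = header.get("kid")
    if kid not in certs:
        # Either the cached cert set is stale (refresh it once and retry) or the
        # client presents a token signed by a key Google has rotated out. Reject;
        # never skip the signature check to compensate.
        problems.append("unknown kid")
    if claims.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        problems.append("iss")
    if claims.get("aud") != expected_aud:
        problems.append("aud")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return problems

# Constructed token carrying the header and timestamps from the question;
# the signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "2d067ddbe81104cefc208b560142c17f1324b625"}),
    _b64url_encode({"iss": "accounts.google.com", "aud": "app.apps.googleusercontent.com",
                    "iat": 1497414898, "exp": 1497418498}),
    "placeholder-signature",
])
```

With a clock set to late August 2017, the sample token fails both the kid lookup and the exp check, which is what a backend reporting "isExpired": false for it should have caught.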
