Certificate for key id xxxx not found: What could be the possible cause?


Hi, I’m maintaining a website and its mobile apps (iOS and Android). For Google Sign-In in mobile app, I’m using google-auth Python package on the server side.

Since about one month ago, I started to receive error reports related to Google Sign-In from the server side. The error message looks like the following:

Certificate for key id 728f4016652079b9ed99861bb09bafc5a45baa86 not found.

The server-side Google Sign-In authentication backend follows this document:

import logging

from google.oauth2 import id_token
from google.auth.transport import requests

logger = logging.getLogger(__name__)

# ... (VALID_CLIENT_IDS is the set of web/iOS/Android client IDs this backend accepts;
#      google_id_token and request come from the incoming sign-in request)

try:
    # The following line may raise ValueError with message: Certificate for key id xxxx not found.
    # verify_oauth2_token() fetches Google's public certs, checks the signature, issuer and expiry.
    id_info = id_token.verify_oauth2_token(google_id_token, requests.Request())

    # Audience is checked manually here because several client IDs (web, iOS, Android) are accepted.
    if id_info['aud'] not in VALID_CLIENT_IDS:
        logger.error('Invalid aud from Google ID token: %s', id_info['aud'])
        raise ValueError('Unverified audience.')
    # ...
except ValueError as exc:
    logger.error('Failed to verify Google ID token: %s', exc, extra={'request': request})

Diving into the code, I can see that the verify_oauth2_token() function is fetching Google public certificates from the URL https://www.googleapis.com/oauth2/v1/certs. It seems that sometimes, for some Google ID tokens sent from some Android devices, the key id cannot be found at that URL.

Here are some other details which might be interesting:

  • It seems that the iOS app does not have this kind of issue. From the USER_AGENT header (okhttp/3.11.0), I can see that the error happens only in the Android app. And it happens only on some Android devices, not all.
  • I was wondering if this happens only for Android phones from China (e.g. if they are connecting via a VPN). So I also checked the user IP addresses. But it turned out that those users were from Europe.
  • Some key ids recur again and again in the server error logs. For example, the key id aa436c3f63b281ce0d976da0b51a34860ff960eb has been seen dozens of times, from November to now.

The website is running on the following environment:

  • OS: Linux (CentOS 7) 64-bit
  • Python version: 3.6.7
  • pip version: 18.1
  • google-auth version: 1.3.0 and 1.6.1

As I could not reproduce this issue either with my iPhone or with my Android phone (Huawei P20, bought in France), I am completely stuck.

I don’t think this is a bug in the google-auth package. But I’m wondering if you have ever heard of this error, and what could be the possible cause of it?

Thanks in advance!

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

4 reactions
jverkoey commented, Aug 3, 2020

I ran into this issue just now as well, but the root cause was that I was using id_token.verify_oauth2_token instead of id_token.verify_firebase_token to verify a firebase-generated token.

0 reactions
zhengzhong commented, Jan 9, 2020

Hi. I’d like to let you know that the issue is resolved. There is nothing wrong with this library. The issue was due to the fact that on Android devices, I may get an expired ID token if the user has already signed in and I did not force him/her to log out. I explained the cause and posted the fix (in my Android app) here: https://stackoverflow.com/a/56742836/808898

I’ll close this issue. Thanks for your help!
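The two root causes discussed in this thread (an expired token whose signing key has since been rotated out of Google's cert list, and a Firebase token passed to verify_oauth2_token) can be told apart on the server before the ValueError is logged. The following is an added triage example, not code from the issue or from google-auth; it inspects the token's unverified header and claims only for diagnostics, and it assumes a constructed key id to certificate map standing in for the JSON served at https://www.googleapis.com/oauth2/v1/certs.

```python
import base64
import json
import time

# Constructed stand-in for the JSON served at https://www.googleapis.com/oauth2/v1/certs
# (key id -> PEM certificate). Only the key ids matter for this triage step.
GOOGLE_CERTS = {"aa436c3f63b281ce0d976da0b51a34860ff960eb": "<PEM certificate placeholder>"}
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
FIREBASE_ISSUER_PREFIX = "https://securetoken.google.com/"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> tuple:
    """Return (header, payload) of a JWT WITHOUT checking the signature.
    Use only for logging/triage; never trust these claims for authentication."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def diagnose(token: str, certs: dict, now=None) -> str:
    """Explain why google-auth's verify_oauth2_token would reject this token."""
    now = time.time() if now is None else now
    header, payload = decode_unverified(token)
    iss = payload.get("iss", "")
    if iss.startswith(FIREBASE_ISSUER_PREFIX):
        # Firebase ID tokens are signed with different keys: verify_firebase_token is needed.
        return "firebase_token"
    if iss not in GOOGLE_ISSUERS:
        return "wrong_issuer"
    if payload.get("exp", 0) < now:
        # Google rotates signing keys, so the kid of a stale cached token may already be gone
        # from the cert list; the expiry is checked first because it is the underlying cause.
        return "expired"
    if header.get("kid") not in certs:
        return "unknown_kid"
    return "verifiable"


def make_unsigned_token(header: dict, payload: dict) -> str:
    # Constructed test fixture only: a real ID token carries an RS256 signature in the last segment.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.sig"
```

The reason string is meant for the error log next to the ValueError; the token must still go through verify_oauth2_token (or verify_firebase_token) for the actual signature check.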
