Gitkit Java client library - Trouble verifying token signature: Invalid audience

Submitted by 限于喜欢 on 2019-12-11 10:02:42

Question


We're struggling with an issue during the token verification. We have the following exception:

java.security.SignatureException: Invalid audience: xxx-platform. Should be: 787384428332-32charsofidxxxxxxxx.apps.googleusercontent.com
    at com.google.identitytoolkit.JsonTokenHelper$AudienceChecker.check(JsonTokenHelper.java:67)
    at net.oauth.jsontoken.JsonTokenParser.verify(JsonTokenParser.java:156)
    at net.oauth.jsontoken.JsonTokenParser.verify(JsonTokenParser.java:103)
    at net.oauth.jsontoken.JsonTokenParser.verifyAndDeserialize(JsonTokenParser.java:116)
    at com.google.identitytoolkit.JsonTokenHelper.verifyAndDeserialize(JsonTokenHelper.java:46)
    at com.google.identitytoolkit.GitkitClient.validateToken(GitkitClient.java:126)
    at com.google.identitytoolkit.GitkitClient.validateTokenInRequest(GitkitClient.java:154)
    at com.some.package.user.GitKitUserService.getGitkitUserFromRequest(GitKitUserService.groovy:25)

We have checked the gitkit-server-config.json file many times; it seems correct and points to a valid .p12 file. The .p12 is correctly found and opened (since we get a FileNotFoundException when we remove it, or a parsing error when we alter it...), but the validation fails because of a null verifier... Here it is:

    {
    "clientId": "707385568332-32charsofidxxxxxxxx.apps.googleusercontent.com",
    "projectId": "xxx-platform",
    "serviceAccountEmail": "xxx@xxx-platform.iam.gserviceaccount.com",
    "serviceAccountPrivateKeyFile": "/an/existing/path/xxx-platform-44d0379d237c.p12",
    "widgetUrl": "https://example.com/authentication/authenticate",
    "cookieName": "gtoken"
    }

Of course we can provide any additional information that might be required, we're really stuck with this issue!

Thanks in advance for any clue!


Answer 1:


I'll just share my experience from setting up earlier today in case it can help you:

    String token = cookie.getValue();

    try {
        GitkitClient gitkitClient = GitkitClient.newBuilder()
                .setGoogleClientId("206268081687-u5mg1cl3teeeo635vrsuj8uotdi7meqq.apps.googleusercontent.com")
                //.setGoogleClientId("effortless-edge-119904")
                .setServiceAccountEmail("tables@effortless-edge-119904.iam.gserviceaccount.com")
                .setCookieName("gtoken")
                .setWidgetUrl("http://localhost:8080/gitkit")
                .setKeyStream(new ClassPathResource("tables-8271416a8e0c.p12").getInputStream()).build();

        GitkitUser gitkitUser = gitkitClient.validateToken(token);
    } catch (Exception e) {
        // validation failure surfaces here
    }

Gives me

java.security.SignatureException: Gitkit token audience(effortless-edge-119904) 
doesn't match projectId or clientId in server configuration

This works:

    try {
        GitkitClient gitkitClient = GitkitClient.newBuilder()
                .setGoogleClientId("effortless-edge-119904")
                .setServiceAccountEmail("tables@effortless-edge-119904.iam.gserviceaccount.com")
                .setCookieName("gtoken")
                .setWidgetUrl("http://localhost:8080/gitkit")
                .setKeyStream(new ClassPathResource("tables-8271416a8e0c.p12").getInputStream()).build();

        GitkitUser gitkitUser = gitkitClient.validateToken(token);
        logger.info("Validated gitkit token");
    } catch (Exception e) {
        // validation failure surfaces here
    }



Answer 2:


I think DFB's answer is correct.

But we don't recommend hard-coded JSON config in Java code. There's a static method called createFromJson you can use to read a JSON file and then initialize GitkitClient.

We'll also need to update the README in identity-toolkit-java-client. Thanks for your question.




Answer 3:


I was getting the same error and stumbled upon this thread. I was using gitclient-1.2.3.jar. I updated it to gitkitclient-1.2.5.jar (latest) and the problem went away.

UPDATE: I'm adding the code snippet below. I'm setting both setGoogleClientId and setProjectId as shown in the sample https://github.com/google/identity-toolkit-java-client/blob/master/src/main/java/com/google/identitytoolkit/GitkitClient.java

    GitkitClient gitkitClient = new GitkitClient.Builder()
        .setGoogleClientId("654028407702-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com")
        .setProjectId("my-project")
        .setServiceAccountEmail("my-project@my-project.iam.gserviceaccount.com")
        .setKeyStream(context.getResourceAsStream("/WEB-INF/identity/my-project-xxxxxxxxxxxx.p12"))
        .setWidgetUrl("https://my-project.appspot.com/oauth2callback")
        .setCookieName("gToken")
        .setServerApiKey("AIzaSyAxQ7z5Dxxxxxxxxxxxxxx-xxxxxxxx")
        .build();



Answer 4:


I had a look at the gitkitclient.js source code and both projectId and clientId are added to the same audiences array.

After more tests I found out that you must only put the project ID ('my-project-name') in the gitkit-server-config.json file. The nasty thing is that if you add it with a 'clientId' property name it is also working...

As far as I can see, the client ID (like 654028407702-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com) can be removed.
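As an added example (not code from the gitkit library or from any of the posters), here is the audience rule the answers converge on, modelled in Python: the check accepts a token whose `aud` claim matches either configured value, so a token carrying the project ID fails when only the OAuth client ID is configured. The token builder, its claims and the placeholder signature are constructed for the demo; signature verification is assumed to have already run.

```python
import base64
import json
from typing import Optional

# Added example, not code from the gitkit library: a stand-alone model of the
# audience rule the thread converges on. The client accepts a token when its
# "aud" claim equals the configured projectId or the configured clientId, so a
# token issued with aud = project ID fails when only the client ID is set.


class AudienceMismatch(Exception):
    """Raised when the token's aud is not one of the configured audiences."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_test_token(claims: dict) -> str:
    """Constructed, unsigned compact JWT for the demo. The signature segment is
    a placeholder; real gitkit tokens are RS256-signed by Google."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


def configured_audiences(project_id: Optional[str], client_id: Optional[str]) -> set:
    """Both IDs land in one audience set, as answer 4 saw in gitkitclient.js."""
    return {value for value in (project_id, client_id) if value}


def check_audience(token: str, project_id: Optional[str], client_id: Optional[str]) -> str:
    """Return the token's aud if it is a configured audience, else raise.
    Signature verification is assumed to have run first (JsonTokenParser does
    it before the AudienceChecker); only the claim set is parsed here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    allowed = configured_audiences(project_id, client_id)
    if aud not in allowed:
        raise AudienceMismatch(f"Invalid audience: {aud}. Should be one of: {sorted(allowed)}")
    return aud
```

Configuring the project ID alone, as answer 4 recommends, is the minimal setting that passes; adding the client ID widens the accepted set without breaking it.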



Source: https://stackoverflow.com/questions/34948889/gitkit-java-client-library-trouble-verifying-token-signature-invalid-audience
