apigeecli_v1.119_Linux_x86_64 - apigeecli token cache -a fails with Invalid JWT #185

Closed
BrentDorsey opened this issue Apr 5, 2023 · 3 comments


@BrentDorsey

Upgrading from v1.118 to v1.119 introduced a bug which is causing the apigeecli token cache command to fail to generate and cache a new Google Cloud Platform access token using a service account JSON credentials file.

Workaround - pinning APIGEECLI_VERSION=v1.118 resolved the issue.

LOCAL_ARCH=x86_64
Docker container base image = current-alpine

apigeecli install command used:
curl -L https://raw.githubusercontent.com/apigee/apigeecli/main/downloadLatest.sh | sh -;

error details:

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3243  100  3243    0     0  19210      0 --:--:-- --:--:-- --:--:-- 19303
Downloading apigeecli_v1.119 from https://github.com/apigee/apigeecli/releases/download/v1.119/apigeecli_v1.119_Linux_x86_64.zip ...
Archive:  apigeecli_v1.119_Linux_x86_64.zip
  inflating: apigeecli_v1.119_Linux_x86_64/LICENSE.txt
  inflating: apigeecli_v1.119_Linux_x86_64/apigeecli
apigeecli v1.119 Download Complete!
apigeecli has been successfully downloaded into the /tmp/apigeecli.II8dVe folder on your system.
Copied apigeecli into the /root/.apigeecli/bin folder.
Added the apigeecli to your path with:
  export PATH=$PATH:$HOME/.apigeecli/bin 
apigeecli version v1.119, Git: cae66a1a021d9505c018974255b2ba692f219ebd
ERROR: 2023/04/05 14:40:43 token.go:152: status code 400, error in response: {
  "error": "invalid_grant",
  "error_description": "Invalid JWT: Failed audience check. The right audience is https://www.googleapis.com/oauth2/v4/token"
}
ERROR: 2023/04/05 14:40:43 token.go:152: status code 400, error in response: {
  "error": "invalid_grant",
  "error_description": "Invalid JWT: Failed audience check. The right audience is https://www.googleapis.com/oauth2/v4/token"
}


@srinandan

I tested v1.119 on MacOS and GCP Cloud Shell (Debian) and it worked fine. The main difference between v1.118 and v1.119 is the upgrade of the JWT libraries. I want to see how the JWT token is being generated. Can you please set the env variable export APIGEECLI_SKIPLOG=false and re-run the command? I am interested in a log statement that goes like this: jwt token : ey.... In particular I'm interested to see the audience claim. If there is sensitive data in the token, please send it to srinandans at google.

@srinandan

Never mind, I reproduced it. Thanks for spotting it.

srinandan added a commit that referenced this issue Apr 5, 2023
@srinandan

The behavior of flattening audience changed a bit in the new library. I have created a patch and am releasing a beta. Can you please try this release?

srinandan added a commit that referenced this issue Apr 7, 2023
srinandan added a commit that referenced this issue Apr 26, 2023
* add support for truststore #178

* support rate limit to http client #180

* set diff rates for apis #180

* set tab length to 32 #180

* add flag to enable rate limit #180

* set tab length to 32 #180

* flatten the audience #185

* err check before wait #184

* add debug log level

* rework log levels

* gofmt

* maintain backward compat

* write to stderr

* decl tabwriter

* fix test

* add docs for env flags

* set exit code

* control usage and err msgs

* return http errors

* add http error log

* fix log prints

* allow better control for logging #188

* lint #188
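
The audience claim the maintainer asks about can be inspected locally from the logged `jwt token : ey...` value, without sending the token to anyone. The Go sketch below is an added example, not apigeecli's code: `AudShape` and `sampleToken` are hypothetical helpers, the tokens are constructed and unsigned, and it assumes that "flattening" refers to serializing `aud` as a single string rather than a one-element array, both of which RFC 7519 permits.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

const expectedAud = "https://www.googleapis.com/oauth2/v4/token" // audience quoted in the issue's error

// AudShape decodes a compact JWT's payload (no signature check) and reports
// whether "aud" is serialized as a JSON "string" or an "array".
func AudShape(token string) (shape string, values []string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, fmt.Errorf("not a compact JWT: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", nil, err
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err = json.Unmarshal(raw, &claims); err != nil {
		return "", nil, err
	}
	var one string
	if json.Unmarshal(claims.Aud, &one) == nil {
		return "string", []string{one}, nil // flattened form
	}
	if err = json.Unmarshal(claims.Aud, &values); err != nil {
		return "", nil, fmt.Errorf("aud is missing or neither string nor array")
	}
	return "array", values, nil // unflattened form
}

// sampleToken builds a constructed, unsigned token for the demo (not a real credential).
func sampleToken(aud any) string {
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(map[string]any{"iss": "constructed-sa@example.invalid", "aud": aud})
	return enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(body) + "." + enc([]byte("sig"))
}

func main() {
	for _, aud := range []any{expectedAud, []string{expectedAud}} {
		fmt.Println(AudShape(sampleToken(aud)))
	}
}
```
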