New _GOOGLE_OAUTH2_CERTS_URL incompatible with certificate resolution code in google/auth/jwt.py #443

Closed
sidoh opened this issue Feb 14, 2020 · 3 comments

sidoh commented Feb 14, 2020

Steps to reproduce

  1. Try to resolve any valid id_token with certs_url='https://www.googleapis.com/oauth2/v3/certs' --
>>> from google.oauth2 import id_token
>>> id_token._GOOGLE_OAUTH2_CERTS_URL
'https://www.googleapis.com/oauth2/v3/certs'
>>> from google.auth.transport import requests
>>> auth_token = "<valid_token>"
>>> id_token.verify_oauth2_token(auth_token, requests.Request())
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/google/oauth2/id_token.py", line 141, in verify_oauth2_token
    id_token, request, audience=audience, certs_url=_GOOGLE_OAUTH2_CERTS_URL
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/google/oauth2/id_token.py", line 123, in verify_token
    return jwt.decode(id_token, certs=certs, audience=audience)
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/google/auth/jwt.py", line 226, in decode
    raise ValueError("Certificate for key id {} not found.".format(key_id))
ValueError: Certificate for key id 762fa637af953590db8bb8a636bf11d4360abc98 not found.

Using the old certs URL works:

>>> id_token.verify_token(auth_token, requests.Request(), audience=None, certs_url="https://www.googleapis.com/oauth2/v1/certs")
{...JWT payload...}

It appears that the issue is here:

https://github.com/googleapis/google-auth-library-python/blob/master/google/auth/jwt.py#L222

    if isinstance(certs, Mapping):
        key_id = header.get("kid")
        if key_id:
            if key_id not in certs:
                raise ValueError("Certificate for key id {} not found.".format(key_id))
            certs_to_check = [certs[key_id]]

where it is expecting the structure of the old cert payload:

{
  "762fa637af953590db8bb8a636bf11d4360abc98": "-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIIcXdDbfgaVLEwDQYJKoZIhvcNAQEFBQAwNjE0MDIGA1UE\nAxMrZmVkZXJhdGVkLXNpZ25vbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTAe\nFw0yMDAyMTAwNDI5MzBaFw0yMDAyMjYxNjQ0MzBaMDYxNDAyBgNVBAMTK2ZlZGVy\nYXRlZC1zaWdub24uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDI5KsUjQhL+tmOfX5EZ0q3iHKfaqem1A7+\nY10oLoDWF9nwye6ysljp02NZ0giTlSX9HCTOOU26TuPPkIS1ipszDsExo08N8vhI\n7sBIEyPvK7KSm029wyejmW+Bg/9iIgAMnu19KdfLtcC/w/jRwtrQaSJcFtwiDpfj\ncx09Cr9yya4w8H6obWDs+r3JsC53YFJt6prfJgKEEAY3GTrONBeX1XudlZ8gT6AL\nI3W7jswUolUcZaDmK9yb0TeXlwpYb78IZ/bb2HqzwhWN9Gk8lNjm61Oug67Wavqr\n7lENBZXUaZatIJN0RcK0Wx0yzJuGLVng9zt7i2YK6/qZbr5oY+NvAgMBAAGjODA2\nMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsG\nAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQCkfqr/zEB5pxGVUYBcsc+LLSFjdVIs\nIb5IpBGulccTAT5t1/K0Sbpr6/Bgoopbwp+vZ/w6tCZ+pKqG+fpbU8uIXwbTrrsl\nAcGTwPrZ4t3HoR39q1R2smV8nfdjo7acisQUhL39qVZLe2AXDADZ35Ih/ZRzTBK1\ny9BJ0HhXziyqiwvl196jdBsHjeMlPTetgr2i0BNfWtJZpK0n4BYtP6fw2KDiiX1M\nGYP4rDacnnBJLqA2uTaQ5tV170PRZRbgTcu8zFSnzyJOjDJy/BQ1hKea86EZJyvx\nMB+ZmGiaupEoEuW9lTOAMkhDiMTVzxsQ/hMV/8prILAahMZAPJFk+Yn7\n-----END CERTIFICATE-----\n",
  "d8efea1f66e87bb36c2ea09d837338bdd810353b": "-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIIA1PM71I9gHUwDQYJKoZIhvcNAQEFBQAwNjE0MDIGA1UE\nAxMrZmVkZXJhdGVkLXNpZ25vbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTAe\nFw0yMDAyMDIwNDI5MzBaFw0yMDAyMTgxNjQ0MzBaMDYxNDAyBgNVBAMTK2ZlZGVy\nYXRlZC1zaWdub24uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3r6hVJVlFGWCicrvWVrY9ykWK22z30nDs\naJIKzFam6rE0mOy7HQ+425BavKcMHup1O4QNGyatdhJ6YhdyqqadaQz9Q/MWSnsJ\nbQXKv6MscRFfOTnk5TBzpfjWGOAmoFicbBYt4zdPJmYSWI9gAlAhHT20AE/B+jRp\nYWJVI9a0et/AltxSdf32L1i0Ht9jCamjj8RIRzArCPXTCkAx7fd18/nUC6U5PC/5\ngLa8uPDbmH3TIeH2uLqfs34wbmWCpy6n/WDxQYoPkqktM0lqzh84GCZqMeKz6Jbp\nQLcraGOB6tMX93tU1fpWd0GNDI/P2JGnNDfBBlYaGeDnRLFLr4tdAgMBAAGjODA2\nMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsG\nAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQALWk+nEuDemE5a4k3cjTMN5WPfYM9+\n3nxV519bMTWOK9o2Ikg0TcKgkLekOMVRlbWTjTlkPPInVOaC3aUGjgiysZlglnn/\ncFZoR36lfsvYx6Xhc548eH99S4vu6lbnVsnFmIWwEQ5Nr8j8bBzz/6v2/daLKr3Z\nhwmIWft2tYInymesINdtWpjXgu7Y8eu076swJqn+VCccZJveYY0i4VB9Px/YQbBx\nVcUhptYCjICc6bPI9Cvl52Ud80//+PcddlkZ+OqcmDB49eHyKVCJc94PfUsn1AXj\nssFFFBMmy0pEF8h1tVbVo9eXCHZzAijwoYXZu7SWJKh9+cU2GvradID6\n-----END CERTIFICATE-----\n"
}

vs

{
  "keys": [
    {
      "e": "AQAB",
      "kty": "RSA",
      "alg": "RS256",
      "n": "t6-oVSVZRRlgonK71la2PcpFitts99Jw7GiSCsxWpuqxNJjsux0PuNuQWrynDB7qdTuEDRsmrXYSemIXcqqmnWkM_UPzFkp7CW0Fyr-jLHERXzk55OUwc6X41hjgJqBYnGwWLeM3TyZmEliPYAJQIR09tABPwfo0aWFiVSPWtHrfwJbcUnX99i9YtB7fYwmpo4_ESEcwKwj10wpAMe33dfP51AulOTwv-YC2vLjw25h90yHh9ri6n7N-MG5lgqcup_1g8UGKD5KpLTNJas4fOBgmajHis-iW6UC3K2hjgerTF_d7VNX6VndBjQyPz9iRpzQ3wQZWGhng50SxS6-LXQ",
      "use": "sig",
      "kid": "d8efea1f66e87bb36c2ea09d837338bdd810353b"
    },
    {
      "kid": "762fa637af953590db8bb8a636bf11d4360abc98",
      "e": "AQAB",
      "kty": "RSA",
      "alg": "RS256",
      "n": "yOSrFI0IS_rZjn1-RGdKt4hyn2qnptQO_mNdKC6A1hfZ8MnusrJY6dNjWdIIk5Ul_RwkzjlNuk7jz5CEtYqbMw7BMaNPDfL4SO7ASBMj7yuykptNvcMno5lvgYP_YiIADJ7tfSnXy7XAv8P40cLa0GkiXBbcIg6X43MdPQq_csmuMPB-qG1g7Pq9ybAud2BSbeqa3yYChBAGNxk6zjQXl9V7nZWfIE-gCyN1u47MFKJVHGWg5ivcm9E3l5cKWG-_CGf229h6s8IVjfRpPJTY5utTroOu1mr6q-5RDQWV1GmWrSCTdEXCtFsdMsybhi1Z4Pc7e4tmCuv6mW6-aGPjbw",
      "use": "sig"
    }
  ]
}

Looks like this was introduced in #365.

(apologies for the edit -- submitted before I meant to)
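An added example (not google-auth code, and not from the issue author) that mimics the `key_id not in certs` check quoted above and shows why the v3 JWKS payload fails it while a kid-indexed view of the same payload passes; the kids, PEM and key material are constructed placeholders, and `certs_by_kid`/`b64url_uint` are helper names of my own:

```python
# Added example (not google-auth code): mimics the `key_id not in certs`
# check quoted from jwt.py and normalises both certs payload shapes by kid.
# All payloads, kids and key material below are constructed samples.
import base64
from typing import Any, Dict, Mapping

# v1 shape the lookup expects: {kid: PEM}.
LEGACY_V1 = {
    "kid-a": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n",
}

# v3 (JWKS) shape: {"keys": [JWK, ...]}. 'n' is a tiny placeholder modulus.
JWKS_V3 = {
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-a",
         "e": "AQAB", "n": "AQID"},
    ]
}

def select_cert(certs: Mapping[str, Any], key_id: str) -> Any:
    """Same lookup jwt.decode performs once `certs` is a Mapping."""
    if key_id not in certs:
        raise ValueError("Certificate for key id {} not found.".format(key_id))
    return certs[key_id]

def lookup_fails(certs: Mapping[str, Any], key_id: str) -> bool:
    """True when select_cert raises the ValueError seen in the traceback."""
    try:
        select_cert(certs, key_id)
    except ValueError:
        return True
    return False

def b64url_uint(value: str) -> int:
    """Decode a base64url big-endian unsigned integer (JWK 'n'/'e', RFC 7518)."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def certs_by_kid(payload: Mapping[str, Any]) -> Dict[str, Any]:
    """Index either shape by kid: v1 values stay PEM strings, JWKS entries
    become (n, e) integer pairs. Non-RSA / non-signing JWKs are skipped."""
    keys = payload.get("keys")
    if isinstance(keys, list):
        return {
            jwk["kid"]: (b64url_uint(jwk["n"]), b64url_uint(jwk["e"]))
            for jwk in keys
            if jwk.get("kty") == "RSA" and jwk.get("use", "sig") == "sig"
        }
    return dict(payload)
```

Run against the raw v3 payload the lookup raises exactly the error in the traceback, because the only top-level key is `"keys"`; run against `certs_by_kid(JWKS_V3)` the same kid resolves.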

@Samin100

Thanks, this issue saved me a lot of trouble. I wasn't able to log into my application and was getting the same error you were getting.

I solved it by reverting to an older version of the package: google-auth==1.6.3.

jay0lee commented Feb 14, 2020

+1 - started seeing above crash this morning with CI builds. Forcing 1.11.0 pip requirements resolved them immediately:

google-auth==1.11.0

@busunkim96 (Contributor)

Hi folks, sorry about this.

#444 has reverted this change, and the next release 1.11.2 (#446) will have the previous _GOOGLE_OAUTH2_CERTS_URL. There is discussion in #445 on adding system tests to use the live endpoint.

@yoshi-automation added the labels "triage me I really want to be triaged." and "🚨 This issue needs some love." on Apr 7, 2020