Auth: Duplicate signature verification check in GoogleIdTokenVerifier #2077

@alexmitic

Environment details

  1. OS type and version: N/A
  2. Java version: N/A
  3. version(s): google-api-java-client v1.34.1 & google-oauth-java-client v1.33.3

Steps to reproduce

The latest release of google-oauth-java-client added a signature verification check to IdTokenVerifier.verify. In google-api-java-client, GoogleIdTokenVerifier makes a call to super.verify, which will perform a signature check. After that, GoogleIdTokenVerifier then performs its own signature check.

This looks like the signature check is effectively being duplicated?
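
The call flow described in this issue, as an added, simplified model (not code from google-api-java-client or google-oauth-java-client). `Token`, `BaseVerifier`, `SubVerifier` and the counter are hypothetical stand-ins, and the key pair and token content are constructed in-process.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

// Simplified model of the call flow in the issue; not the libraries' code.
public class DuplicateCheckDemo {
  static int signatureChecks = 0; // counts RSA verifications performed

  // Stand-in for a parsed ID token: signed content plus its signature.
  static class Token {
    final byte[] content, signature;
    Token(byte[] content, byte[] signature) { this.content = content; this.signature = signature; }
    boolean verifySignature(PublicKey key) throws GeneralSecurityException {
      signatureChecks++;
      Signature s = Signature.getInstance("SHA256withRSA");
      s.initVerify(key);
      s.update(content);
      return s.verify(signature);
    }
  }

  // Models the base verifier after it gained its own signature check.
  static class BaseVerifier {
    final PublicKey key;
    BaseVerifier(PublicKey key) { this.key = key; }
    boolean verify(Token t) throws GeneralSecurityException {
      return t.verifySignature(key); // claim checks omitted in this model
    }
  }

  // Models the subclass: delegates to super, then checks the signature again.
  static class SubVerifier extends BaseVerifier {
    SubVerifier(PublicKey key) { super(key); }
    @Override boolean verify(Token t) throws GeneralSecurityException {
      if (!super.verify(t)) return false;
      return t.verifySignature(key); // second verification of the same token
    }
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
    g.initialize(2048);
    KeyPair kp = g.generateKeyPair();
    // Constructed sample content standing in for "header.payload".
    byte[] content = "header.payload (constructed sample)".getBytes(StandardCharsets.UTF_8);
    Signature s = Signature.getInstance("SHA256withRSA");
    s.initSign(kp.getPrivate());
    s.update(content);
    Token t = new Token(content, s.sign());
    boolean ok = new SubVerifier(kp.getPublic()).verify(t);
    System.out.println("valid=" + ok + " signatureChecks=" + signatureChecks);
  }
}
```

Counting invocations like this is one way to pin the behaviour in a unit test, so that a later change to either class that adds or removes a verification step is noticed.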

Labels

priority: p1 (Important issue which blocks shipping the next release. Will be fixed prior to next release.)
