Currently, I'm using a Google Cloud Service Account to implement the authorization feature. Here is the configuration for token validation:
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKeys = signingKeys,
        ValidateIssuer = true,
        ValidateAudience = true,
        ClockSkew = TimeSpan.Zero,
        ValidIssuer = _authOption.Issuer,
        ValidAudience = _authOption.Audience
    };
IssuerSigningKeys is the JSON Web Key Set (JWKS) attached to the Service Account; below is the list of keys, including both user-managed and Google-managed keys:
- e1c****323
- d4e****59e
- 015****cd5
- 2c1****ce7
And on the client side, I'm using the SignJwt() method of the Google.Apis.Iam.V1 package (ASP.NET Core) to generate the token. Here is the setup:
    private async Task<string> GenerateAccessTokenAsync()
    {
        // Claims of the JWT to be signed: audience, issuer and subject are the
        // service account, lifetime is one hour from now (Unix seconds).
        var request = new GoogleSignedTokenRequest
        {
            Aud = _ocppOption.Audience,
            ISS = _ocppOption.Issuer,
            Sub = _ocppOption.Issuer,
            Iat = new DateTimeOffset(DateTime.UtcNow).ToUnixTimeSeconds(),
            Exp = new DateTimeOffset(DateTime.UtcNow.AddHours(1)).ToUnixTimeSeconds()
        };

        // Resource name of the service account whose key signs the JWT.
        string name = $"projects/-/serviceAccounts/{_ocppOption.Issuer}";

        // The IAM SignJwt API takes the claims as a JSON payload string.
        var requestBody = new Data.SignJwtRequest
        {
            Payload = JsonSerializer.Serialize(request)
        };

        var signJwtResponse = await _iamService.Projects.ServiceAccounts.SignJwt(requestBody, name).ExecuteAsync();
        return signJwtResponse.SignedJwt;
    }
With the above config, everything is working well (in Production), but there are some sudden situations where I get a 401 Unauthorized with the header WWW-Authenticate: Bearer error="invalid_token", error_description="The signature key was not found", and the next day it fixed itself.
I did some research and found that the IssuerSigningKeys may be cached by the authorization handler, but my signing keys at that time hadn't changed and the certificate of each key was still valid.
Here is the Header of the Token that got the above error:
    {
        "alg": "RS256",
        "kid": "2c1****ce7",
        "typ": "JWT"
    }
And one more thing: when I tried to use the same token with the same Service Account in my local environment, the token was authorized.
Have you guys faced the same problem? Please advise me on this case.
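The failure mode described above (a token whose kid is not in a key list captured once at startup) can be handled on the validating side by resolving keys on demand and refreshing the JWKS when an unknown kid arrives. The following is an added example, not code from the question or from Google's or Microsoft's own samples; it assumes the account's public keys are published as a JWKS at the URL built in the constructor and uses the IssuerSigningKeyResolver hook of TokenValidationParameters in place of the fixed IssuerSigningKeys list.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using Microsoft.IdentityModel.Tokens;

// Resolves the signing key for an incoming token by "kid", re-fetching the
// service account's JWKS when an unknown kid shows up (e.g. after a
// Google-managed key is rotated) instead of trusting a key list captured once.
public sealed class RefreshingJwksResolver
{
    private readonly HttpClient _http;
    private readonly string _jwksUrl;
    private readonly TimeSpan _minRefreshInterval = TimeSpan.FromMinutes(5); // throttles refreshes caused by garbage kids
    private readonly object _gate = new object();
    private JsonWebKeySet _keys = new JsonWebKeySet();
    private DateTimeOffset _lastRefresh = DateTimeOffset.MinValue;

    public RefreshingJwksResolver(HttpClient http, string serviceAccountEmail)
    {
        _http = http;
        // Assumed endpoint: where the service account's public keys are published as a JWKS.
        _jwksUrl = $"https://www.googleapis.com/service_accounts/v1/jwk/{serviceAccountEmail}";
    }

    // Matches the IssuerSigningKeyResolver delegate signature from Microsoft.IdentityModel.Tokens.
    public IEnumerable<SecurityKey> Resolve(string token, SecurityToken securityToken,
                                            string kid, TokenValidationParameters parameters)
    {
        var found = FindByKid(kid);
        if (found.Count > 0) return found;
        lock (_gate)
        {
            // Unknown kid: refresh at most once per interval, then look again.
            if (DateTimeOffset.UtcNow - _lastRefresh > _minRefreshInterval)
            {
                var json = _http.GetStringAsync(_jwksUrl).GetAwaiter().GetResult(); // delegate is synchronous
                _keys = new JsonWebKeySet(json);
                _lastRefresh = DateTimeOffset.UtcNow;
            }
        }
        // Still empty here means the handler reports "The signature key was not found".
        return FindByKid(kid);
    }

    private List<SecurityKey> FindByKid(string kid) =>
        _keys.Keys.Where(k => k.KeyId == kid).Cast<SecurityKey>().ToList();
}

// Wiring inside AddJwtBearer: the resolver replaces the static IssuerSigningKeys list.
// options.TokenValidationParameters.IssuerSigningKeyResolver =
//     new RefreshingJwksResolver(new HttpClient(), "<service-account-email>").Resolve;
```

Keeping ValidateIssuerSigningKey, ValidIssuer and ValidAudience as in the original configuration still applies; only the source of candidate keys changes.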