Intermittent problem with Google Authentication

  • Question

  • We encountered a critical issue when trying to use Google authentication in a Windows Phone application using a Windows Azure Mobile Backend:

    During our live tests we observed that Google authentication was working perfectly fine one day, and totally not working the next day.

    While the problem was occurring, we used Fiddler to analyze the traffic and noticed that JWT tokens generated by Google were rejected with the following message: « The authentication token has an invalid signature. »

    We did some tests to manually retrieve the JWT using the Google API and the code issued to the Mobile Service app, and checked the signature against the Google certificates (found at https://www.googleapis.com/oauth2/v1/certs): the JWT was correct and its signature was valid.

    Desperate, we started investigating the WAMS Zumo runtime source code: it seems that the WAMS server caches all Google certificates for 23 hours at the first call to the Google authentication provider. However, when an authentication via the same Google provider occurs later, Google might already be using a new certificate (they use a new one every 24 hours); in that case WAMS just rejects the tokens as having an invalid signature.

    In fact, in the Zumo code [Runtime/Request/Authentication/GoogleCert.js], the method GoogleCert.getCerts contains:

    -    a test for cache expiration:

             // If certs are already cached and not expired, return them.
             if (this.certs && !certCacheHelper.isExpired(this.certs.exp, checkExpirationNowOverride))

    -    a caching:

             var parsedKeys = JSON.parse(body);
             self.certs = {
                 exp: certCacheHelper.createExpiryDateFromHours(23),
                 certs: parsedKeys
             };

    As you can see, the code does not check the value of the kid that was requested, only the expiration delay. Thus, if this delay has not expired yet and a new certificate (with a new kid) is already being used to sign the JWT token, this certificate is not in the returned set, and the following check fails:

    [Runtime/JsonWebToken.js]

        JsonWebToken.prototype.verifyRsaSha256SignatureKid = function() {
            var cert = this._certificates[this.envelope.kid];
            if (typeof(cert) !== 'undefined') {
                if (this.verifySignatureByCert(cert)) {
                    return true;
                }
            }
            return false;
        };

    After restarting the mobile service app using the azure mobile restart [service] command, the issue is instantly (and temporarily?) resolved, thus confirming our suspicion that the certificate caching is the root of the problem.

    Can you confirm this problem?

    Edit: some additional details

    We are using the WAMS API to display the login screen (using the client.LoginAsync(MobileServiceAuthenticationProvider.Google) method), which triggers the "server-side flow" in Zumo; the retrieval of the Google certificates then happens in _getProviderToken, which is called from getProviderTokenFromServerFlowRequest.

    Monday, March 17, 2014 11:01 AM

All replies

  • Thanks for reporting this! I have confirmed that this flow has a bug exactly as you describe and we are working on a fix.

    Thanks!

    Todd Reifsteck

    Windows Azure Mobile Services

    Thursday, March 20, 2014 4:20 AM
  • The latest runtime (deployed over the last couple of days) should have a fix for this bug, please let us know if this is not the case.


    Carlos Figueira

    Sunday, March 30, 2014 11:07 PM
    Moderator