Skip to content

JWTAccess email and private key read from service account JSON names mismatched #1960

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
7 tasks done
salrashid123 opened this issue Apr 16, 2025 · 1 comment
Open
7 tasks done

JWTAccess email and private key read from service account JSON names mismatched #1960

salrashid123 opened this issue Apr 16, 2025 · 1 comment
Labels
size: s Pull request size is small. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@salrashid123
Copy link
Contributor

salrashid123 commented Apr 16, 2025
edited
Loading

Please make sure you have searched for information in the following guides.

A screenshot that you have tested with "Try this API".

N/A

Link to the code that reproduces this issue. A link to a public Github Repository or gist with a minimal reproduction.

https://github.com/googleapis/google-auth-library-nodejs/blob/main/src/auth/jwtclient.ts#L311

A step-by-step description of how to reproduce the issue, based on the linked reproduction.

var log4js = require("log4js");
var logger = log4js.getLogger();

const {GoogleAuth, JWTAccess, OAuth2Client, JWT, JWTInput} =  require('google-auth-library');
const {PubSub, ClientConfig} = require('@google-cloud/pubsub');

jkey = require("../certs/jwt-access-svc-account.json");
const projectId = 'core-eso';

/// client from either
const client = new JWTAccess(
	jkey.client_email, 
	jkey.private_key,
	jkey.private_key_id
 );
client.useJWTAccessWithScope = true;

// or 
const client = new JWT({
	email: jkey.client_email,
	key:  jkey.private_key,
	scopes: ['https://www.googleapis.com/auth/cloud-platform'],
});  

const pubsub = new PubSub({
	credentials: client,
	projectId: projectId
});
pubsub.getTopics((err, topic) => {
	if (err) {
		console.log(err);
		return;
	}
	topic.forEach(function(entry) {
    logger.info(entry.name);
	});
});
{
  "name": "myapp",
  "version": "0.0.0",
  "scripts": {
    "start": "node app.js"
  },
  "dependencies": {
    "@google-cloud/pubsub": "4.11.0",
    "@google-cloud/storage": "7.16.0",
    "google-auth-library": "^9.15.1",
    "googleapis": "^148.0.0",
    "log4js": "^0.6.27"
  }
}

A clear and concise description of what the bug is, and what you expected to happen.

JWTAccess tokens derived from service account keys as described here

seems to transpose or use incorrect json fields.

For example, if you initialize any of the clients JWTAccess or JWT as shown in the repro section and run it, you'll initially see

Error: The incoming JSON object does not contain a client_email field

The JSON service account file definately has the client_email but it seems to get mismatched somewhere here

such that the client_email is transposed to email and private_key is email,

so if you alter the code there above to to change the names, the client is authenticated properly.

Essentially, it seems somewhere in the codebase, the svc account's json field names are changed; the fix was to update jwtclient.js so that

  • client_email => email
  • private_key => key
    fromJSON(json) {
        console.log(json)
        if (!json) {
            throw new Error('Must pass in a JSON object containing the service account auth settings.');
        }
        if (!json.email) {
            throw new Error('The incoming JSON object does not contain a client_email field');
        }
        if (!json.key) {
            throw new Error('The incoming JSON object does not contain a private_key field');
        }
        // Extract the relevant information from the json key file.
        this.email = json.email;
        this.key = json.key;
        this.keyId = json.private_key_id;
        this.projectId = json.project_id;
        this.quotaProjectId = json.quota_project_id;
        this.universeDomain = json.universe_domain || this.universeDomain;
    }
@sofisl
Copy link
Contributor

sofisl commented Apr 18, 2025

I can confirm this is a bug - thank you for the full repro!

@sofisl sofisl added type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. size: s Pull request size is small. labels Apr 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
size: s Pull request size is small. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@salrashid123 @sofisl