Frequent No pem found for envelope error due to token kid mismatch #2041

Open
@Lakshya28

Description

We're intermittently encountering the following error during ID token verification, even though google-auth-library is configured to automatically fetch and cache certs.

No pem found for envelope: {"alg":"RS256","kid":"0d8a67399e7882acae7d7f68b2280256a79","typ":"JWT"}

This error occurs during ID token verification, right after Google issues the token and our service attempts to validate its signature.

  1. Google OAuth flow completes successfully.
  2. Our server receives the token and initiates signature verification.
  3. Internally, this library fetches the certs if the cache has expired, but even when it does, we are still getting this error.

My guess is that even though Google rotates its public certs from time to time, this shouldn't cause frequent issues. Ideally, token verification should continue to work smoothly during rotation. We should only get tokens signed with a new kid after the corresponding public key is already available, or at least while the previous key is still valid.

Token URI - /oauth2/v4/token
Library version: [email protected]
Reference - https://developers.google.com/identity/gsi/web/guides/verify-google-id-token

Any help or suggestions would be greatly appreciated.
Thank you!


    Labels

    needs more info: This issue needs more information from the customer to proceed.
