Error: Invalid TokenServiceAccount seeing ID token but not access token #224

@muxspace

Cannot authenticate service account

I am trying to authenticate a service account. This worked last week but now is failing. I traced it to the returned token from Google, which doesn't include an access token, so a NULL is being returned.

Note that I'm trying to create a package to connect with StackDriver logging based on the auto API generator provided by the same author.

Steps to reproduce the problem

library(googleAuthR)
options(googleAuthR.scopes.selected = c('https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/logging.admin', 'https://www.googleapis.com/auth/logging.read', 'https://www.googleapis.com/auth/logging.write', 'https://www.googleapis.com/auth/logging.views.access'))

gar_auth_service(json_path)

The json_path holds a JSON file containing the JSON key downloaded from the GCP Service Account page.

Expected output

Successful authentication

Actual output

> options(googleAuthR.verbose=2)
> gar_auth_service(json_path)
Error: Invalid TokenServiceAccount

When I debug credentials_service_account, and subsequently token <- httr::oauth_service_token(endpoint = gargle_oauth_endpoint(), secrets = info, scope = scopes, sub = subject), I see that the OAuth response contains an ID token but not an access token.

Browse[2]> token <- credentials_service_account(scopes = scope, path = json_file)
debugging in: credentials_service_account(scopes = scope, path = json_file)
debug: {
...
Browse[4]> token
<Token>
<oauth_endpoint>
 authorize: https://accounts.google.com/o/oauth2/v2/auth
 access:    https://oauth2.googleapis.com/token
 validate:  https://oauth2.googleapis.com/tokeninfo
 revoke:    https://oauth2.googleapis.com/revoke
NULL
<credentials> id_token

This is failing because httr appears to only look for an access token.

debug: if (is.null(token$credentials$access_token) || !nzchar(token$credentials$access_token)) {
    NULL
} else {
    gargle_debug("service account email: {.email {token_email(token)}}")
    token
}

I'm wondering if you've seen a change in the way Google's APIs are handling these authentication requests?

Session Info

> sessionInfo()
R version 4.2.2 (2022-10-31)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Ubuntu 22.04.1 LTS

Matrix products: default
BLAS:   /usr/lib/x86_64-linux-gnu/blas/libblas.so.3.10.0
LAPACK: /usr/lib/x86_64-linux-gnu/lapack/liblapack.so.3.10.0

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C              
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8    
 [5] LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8   
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=C                 
 [9] LC_ADDRESS=C               LC_TELEPHONE=C            
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C       

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

other attached packages:
[1] futile.stackdriver_0.0.1 googleAuthR_2.0.0       

loaded via a namespace (and not attached):
 [1] digest_0.6.30    assertthat_0.2.1 R6_2.5.1         jsonlite_1.8.3  
 [5] httr_1.4.4       rlang_1.0.6      cachem_1.0.6     cli_3.4.1       
 [9] curl_4.3.3       fs_1.6.0         tools_4.2.2      glue_1.6.2      
[13] fastmap_1.1.0    compiler_4.2.2   askpass_1.1      gargle_1.2.1    
[17] memoise_2.0.1    openssl_2.0.4
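
An added diagnostic example (not from the original report, and not googleAuthR, gargle or httr code): it summarises which token fields a response like the one above holds and decodes the id_token's claims for inspection, without verifying the signature or printing the token itself. The function names and the sample credentials are assumptions constructed for illustration; only jsonlite is required.

```r
library(jsonlite)

# Decode the payload (second segment) of a compact JWT WITHOUT verifying its
# signature. For debugging only: never base an authorization decision on it.
decode_jwt_payload <- function(jwt) {
  parts <- strsplit(jwt, ".", fixed = TRUE)[[1]]
  if (length(parts) != 3) stop("not a compact JWT (expected 3 segments)")
  fromJSON(rawToChar(base64url_dec(parts[2])))
}

# Summarise a token response (the list held in token$credentials) so it can be
# pasted into a bug report without leaking any bearer credential.
describe_token_response <- function(credentials) {
  has <- function(name) {
    value <- credentials[[name]]
    is.character(value) && length(value) == 1 && nzchar(value)
  }
  out <- list(
    has_access_token = has("access_token"),  # the field the failing check needs
    has_id_token     = has("id_token"),
    fields           = names(credentials)
  )
  if (out$has_id_token) {
    claims <- decode_jwt_payload(credentials$id_token)
    # Keep only standard JWT / OpenID Connect claims that are present
    keep <- intersect(c("iss", "aud", "azp", "email", "exp"), names(claims))
    out$id_token_claims <- claims[keep]
  }
  out
}

# Constructed sample: an unsigned stand-in for a response that carries only an
# id_token. All values below are made up.
make_segment <- function(x) {
  base64url_enc(charToRaw(as.character(toJSON(x, auto_unbox = TRUE))))
}
sample_credentials <- list(id_token = paste(
  make_segment(list(alg = "RS256", typ = "JWT")),
  make_segment(list(iss = "https://accounts.google.com",
                    aud = "example-audience",
                    email = "sa@example-project.iam.gserviceaccount.com",
                    exp = 1700000000L)),
  "c2lnbmF0dXJl",  # placeholder, not a real signature
  sep = "."
))

str(describe_token_response(sample_credentials))
```

In the debugger session shown above, the same call would be `describe_token_response(token$credentials)`.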
