After rolling out the v1.33.3 release, we've experienced a few transient 1 hour outages for OIDC token verification.
Logs show:
message: WARNING: Failed to get a certificate from certificate location https://www.googleapis.com/oauth2/v3/certs
And then all attempts to validate tokens fail with:
com.google.api.client.auth.openidconnect.IdTokenVerifier$VerificationException: Could not find PublicKey for provided keyId: 486f16482005a2cdaf26d9214018d029ca46fb56
For 1 hour straight until the cache of the empty map expires and a new cert refresh succeeds:
    .expireAfterWrite(1, TimeUnit.HOURS)
We believe that the implementation should not evict previously known public keys in the event of a refresh failure (which could happen for many different reasons).
google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java
Line 165 in c1b1468
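One way to get the behaviour requested above, as an added example that is not part of the original issue and is not google-oauth-java-client code: a key cache that replaces its keys only after a successful, non-empty fetch and retries soon after a failure. The class name, the 30-second retry delay and the 24-hour staleness limit are assumptions; the 1-hour TTL is the one from the issue.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.Callable;

// Added example: hypothetical class, not the library's implementation.
public final class StaleTolerantKeyCache<K> {
  static final Duration TTL = Duration.ofHours(1);            // refresh interval from the issue
  static final Duration RETRY_DELAY = Duration.ofSeconds(30); // assumed wait after a failed refresh
  static final Duration MAX_STALE = Duration.ofHours(24);     // assumed limit on serving old keys
  private final Callable<Map<String, K>> fetcher; // downloads and parses the certificate URL
  private Map<String, K> keys = Map.of();
  private Instant nextRefresh = Instant.EPOCH;
  private Instant lastSuccess = Instant.EPOCH;

  public StaleTolerantKeyCache(Callable<Map<String, K>> fetcher) { this.fetcher = fetcher; }

  /** Returns the key for keyId at time now, or null if no such key is known. */
  public synchronized K get(String keyId, Instant now) {
    if (!now.isBefore(nextRefresh)) {
      try {
        Map<String, K> fetched = fetcher.call();
        if (fetched == null || fetched.isEmpty()) { throw new IllegalStateException("no keys"); }
        keys = Map.copyOf(fetched); // replace only on a successful, non-empty fetch
        lastSuccess = now;
        nextRefresh = now.plus(TTL);
      } catch (Exception e) {
        // Refresh failed: keep the previous keys and retry soon, rather than
        // caching an empty map for a full TTL.
        nextRefresh = now.plus(RETRY_DELAY);
        // Fail closed once the keys are older than the staleness limit.
        if (Duration.between(lastSuccess, now).compareTo(MAX_STALE) > 0) { keys = Map.of(); }
      }
    }
    return keys.get(keyId);
  }

  public static void main(String[] args) {
    boolean[] endpointUp = {true};
    StaleTolerantKeyCache<String> cache = new StaleTolerantKeyCache<>(() -> {
      if (!endpointUp[0]) { throw new java.io.IOException("constructed fetch failure"); }
      return Map.of("kid-1", "key-1"); // constructed key set
    });
    Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed timestamp
    System.out.println(cache.get("kid-1", t0)); // first call loads the keys
    endpointUp[0] = false; // the certificate endpoint becomes unreachable
    System.out.println(cache.get("kid-1", t0.plus(Duration.ofHours(2))));  // inside MAX_STALE
    System.out.println(cache.get("kid-1", t0.plus(Duration.ofHours(30)))); // beyond MAX_STALE
  }
}
```

The staleness limit matters because keeping old keys indefinitely would also keep trusting a key the issuer has rotated out.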