Getting "Security issue: Signature length not correct: got 256 but was expecting 128" since about one hour ago.

[Erik Zivkovic]

I am using code from http://android-developers.blogspot.se/2013/01/verifying-back-end-calls-from-android.html and have been using it for a long time to authenticate users for my service, but since about one hour ago I am getting "Security issue: Signature length not correct: got 256 but was expecting 128", it is being thrown from GoogleIdTokenVerifier.verify

There seems to be a similar issue for OAuth: http://stackoverflow.com/questions/30780407/google-oauth2-jwt-token-verification-exception

Someone else experiencing the same issue?

BR Erik

[Tom Edge]

Yes, I've got the same problem. I've asked a question on Stack Overflow here https://stackoverflow.com/questions/30781799/google-cloud-endpoints-verifytoken-signature-length-not-correct

Have you found any kind of workaround yet?

Tom

Latest from the Rugged Blog: 2014, Our Year Without Paper

        

o. 01202 665885

a. Communications House. 16 Didcot Road, Nuffield Trading Estate, Poole, Dorset. BH17 0GD
w. www.nuffieldtechnologies.com

w.  www.ruggeddata.co.uk

Please consider the environment before printing electronic copies of information.

 

Company Reg No. 04619513
This e-mail and all attached files are intended for the named addressee only. If you are not the addressee legally indicated in the message (or responsible for delivery of the message to such person), you may not copy, deliver or disclose it to anyone. It may contain legally privileged or confidential information, which may be copyrighted. All efforts are made to keep our systems free of viruses, however please note it is your responsibility to scan this e-mail and attachments to ensure that no virus is present.

[Nhat Nguyen]

I am experiencing the same issue now. I have to temporary disable authentication.

[Roel de Brouwer (werk)]

What the actual heck? But why are so few people that suffer from this? I can only found two results about this topic. Since this day the Android app can't connect anymore with the backend.

[Erik Zivkovic]

You can subclass GoogleIdTokenVerifier for now

package com.my.project.package;


import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;


import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;


@Deprecated
public class GoogleIdTokenVerifier2 extends GoogleIdTokenVerifier {


    public GoogleIdTokenVerifier2(HttpTransport transport, JsonFactory jsonFactory) {
        super(transport, jsonFactory);
    }


    @Override
    public boolean verify(GoogleIdToken googleIdToken) throws GeneralSecurityException, IOException {
        // check the payload
        if (!((IdTokenVerifier)this).verify(googleIdToken)) {
            return false;
        }
        // verify signature
        for (PublicKey publicKey : getPublicKeysManager().getPublicKeys()) {
            try {
                if (googleIdToken.verifySignature(publicKey)) {
                    return true;
                }
            } catch (Exception e) {
                System.err.println("Verify Token:" + e);
            }
        }
        return false;
    }
}

[ivbar bar]

Looks like it will not work with app engine + cloud endpoints. 

Do you have solution for it?

Thanks

[Tom Edge]

Does this work when using the cloud endpoints @Api annotations to declare endpoint api methods? I can't work out how to implement your workaround

[Nathan Green]

Anyone have any updates on this? It has been down all day

[Arun Nedun]

The issue now appears to be fixed for me..! Can someone else confirm this as well? Will do more checking now...

On Thursday, June 11, 2015 at 8:34:30 AM UTC-4, Erik Zivkovic wrote:

[ivbar bar]

Yes, it's working now.

Ahh... 

[Nhat Nguyen]

Confirmed, everything seems to be back to normal.

[Douglas Meredith]

I'm still seeing the problem.  Did you guys have to bounce your instances or something to get things back on track?

[Arun Nedun]

Right. Shutdown instance and clear cache.

[Roel de Brouwer (werk)]

Is it  "Compute" --> "App Engine" --> "Instances" --> "Shutdown"

and  "Compute" --> "App Engine" --> "Memcache" --> "Flush cache"

Op vrijdag 12 juni 2015 09:29:50 UTC+2 schreef Roel de Brouwer (werk):

Can you tell me where I can do that in the Console? The person that build the backend of our app is not in the house today.