Google connector with ADC: unexpected end of JSON input #2676

@tsawada

Description

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

ghcr.io/dexidp/dex:v2.34.0

Storage Type

Kubernetes

Installation Type

Other (specify below)

Expected Behavior

The google connector successfully uses Application Default Credentials via the Compute Engine metadata server.

Actual Behavior

failed to initialize server: server: Failed to open connector google: failed to open connector: failed to create connector google: could not create directory service: unable to parse credentials to config: unexpected end of JSON input

Steps To Reproduce

  1. Deploy dex on GCE / GKE. Use the google connector without specifying serviceAccountFilePath.
  2. Check the logs.

Additional Information

I installed dex via ArgoCD's install.yaml, and replaced its version from v2.30.2 to v2.34.0.
My setup worked OK before, with a key file in serviceAccountFilePath.

I tried running the following code on the same GKE pod via kubectl exec, and it all went well.

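package main

import (
        "context"
        "fmt"
        "os"
        "golang.org/x/oauth2/google"
        admin "google.golang.org/api/admin/directory/v1"
)

func main() {
        cred, err := google.FindDefaultCredentials(context.Background())
        if err != nil {
                // Report on stderr and stop: cred is nil when the lookup fails.
                fmt.Fprintln(os.Stderr, fmt.Errorf("FindDefaultCredentials: %w", err))
                return
        }
        fmt.Printf("Json: %v\n", cred.JSON)
        cfg, err := google.JWTConfigFromJSON(cred.JSON, admin.AdminDirectoryGroupReadonlyScope)
        if err != nil {
                fmt.Fprintln(os.Stderr, fmt.Errorf("JWTConfigFromJSON: %w", err))
        }
        fmt.Printf("cfg: %v\n", cfg)
}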

The above code works OK with the following output, which is something I expected.

cred: &{my-project-name 0xc0000aed00 []}
Json:
cfg: <nil>

The code does basically the same as dex v2.34.0, so I am not sure why it doesn't work in dex.

cc @ichbinfrog

Configuration

connectors:
    - type: google
      id: google
      name: Google
      config:
        issuer: https://accounts.google.com
        clientID: $GOOGLE_CLIENT_ID
        clientSecret: $GOOGLE_CLIENT_SECRET
        redirectURI: https://my.domain/api/dex/callback
        hostedDomains: ['my.domain']
        serviceAccountFilePath: /tmp/keyfile.json
        adminEmail: test@my.domain

Logs

Dex Version: v2.34.0-dirty, Go Version: go1.19.1, Go OS/ARCH: linux amd64
config issuer: https://***
config connector: google
config skipping approval screen
config refresh tokens rotation enabled: true
the application default credential is used since the service account file path is not used
failed to initialize server: server: Failed to open connector google: failed to open connector: failed to create connector google: could not create directory service: unable to parse credentials to config: unexpected end of JSON input
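
The output above shows an empty `Json:` value, and Go's `encoding/json` returns the logged message "unexpected end of JSON input" when asked to parse empty bytes. The following is an added example, not part of the original issue and not dex's code: it reproduces that message and shows a check for empty input before parsing. The function names, kind constants and sample inputs are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Kinds of credential material a lookup can hand back (names are hypothetical).
const (
	kindEnvironment    = "environment"     // no JSON at all, e.g. a metadata server
	kindServiceAccount = "service_account" // key file, usable for a JWT config
	kindOther          = "other"           // valid JSON of another credential type
)

// parseUnchecked hands the bytes straight to the JSON parser, with no
// check for empty input.
func parseUnchecked(raw []byte) error {
	var v map[string]interface{}
	return json.Unmarshal(raw, &v)
}

// classifyCredentialJSON checks for empty input first, so credentials that
// carry no JSON are reported as environment-provided instead of as an error.
func classifyCredentialJSON(raw []byte) (string, error) {
	if len(raw) == 0 {
		return kindEnvironment, nil
	}
	var f struct {
		Type string `json:"type"`
	}
	if err := json.Unmarshal(raw, &f); err != nil {
		return "", fmt.Errorf("unable to parse credentials to config: %w", err)
	}
	if f.Type == "service_account" {
		return kindServiceAccount, nil
	}
	return kindOther, nil
}

func main() {
	// Constructed inputs: empty bytes, a minimal key-file stub, a truncated file.
	fmt.Println(parseUnchecked(nil))
	for _, in := range []string{"", `{"type":"service_account"}`, `{"type":`} {
		kind, err := classifyCredentialJSON([]byte(in))
		fmt.Printf("%q -> kind=%q err=%v\n", in, kind, err)
	}
}
```

A truncated key file yields the same parser message as empty input, so the length check is what separates "no key file in use" from "key file is damaged".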
