Certificate caching issue with 2.0.2?

[cmcfadden]

I'm using 2.0.2 (installed via composer) and am finding that if you don't manually remove /tmp/stash each day, auth fails during verifyIdToken(). I'm not sure what's up - the cache items aren't due for expiration, so it's not just a failure to purge. Anyone else seeing this?

[bshaffer]

@cmcfadden This is interesting, I take it you've installed the tedivm/stash dependency to use the File cache?

[cmcfadden]

Yeah, I'm running against the current master head for tedivm/stash (6aec97c9cc413223136e5f62dd200cf5eb932d1b)

[cmcfadden]

It's definitely odd - here are a few more clues. What's happening is the JWT->verify function is failing for all of the available certs in the cases where it fails. However, it's more sporadic than I first realized. If I repeatedly try to auth, I'll get a mix of successes and failures.

Disabling the cache in Verify.php (commenting out the cache fetch in getFederatedSignOnCerts) seems to resolve it consistently - I haven't made it fail ever with that disabled. Unfortunately it doesn't look like it's possible to disable caching entirely if I've got stash loaded for other uses in the app (without modifying verify.php).

Very odd.

[cmcfadden]

One more note - if I just curl the URL for certs, I get back different results pretty consistently - sometimes three certs, sometimes four, and different results for different hosts. Is there somewhere that explains what to expect from that from google?

[jaredk2g]

I'm running into similar issues on 2.0.3. What happens is that verifyIdToken() works and then after the next day or so it stops working. Each time I've been able to get it working again by clearing out the certificates cache. I'm using symfony/cache, which is PSR-6 compatible, instead of using tedvim/stash.