
Google oauth validate jwt command fails #176

Open
wakkadojo opened this issue Nov 30, 2023 · 3 comments
@wakkadojo

When I attempt to validate a JWT using the client sessions.validate_jwt(jwt) method, I get an error that the pydantic model can't serialize because of a missing field in the authentication factor sub claim.

Steps to reproduce

  1. Generate a JWT through typical login with Google OAuth
  2. Copy that JWT from your browser cookie and assign it to jwt="..."
  3. Instantiate your client client = stytch.Client(project_id=...)
  4. Run client.validate_jwt(jwt)

Upon inspection the JWT contains these claims

    "authentication_factors": [
      {
        "type": "oauth",
        "delivery_method": "oauth_google",
        "last_authenticated_at": "2023-11-30T00:44:02Z",
        "google_oauth_factor": {
          "id": "oauth-user-test-176b6bcf-9a21-4583-9c5a-098ded9a3bd9",
          "provider_subject": "110619083650669751648"
        }
      }
    ]

Here the google_oauth_factor claim does not conform to the model in stytch.consumer.models.sessions; notably, email_id is missing from the JWT authentication factor for google_oauth_factor.

class GoogleOAuthFactor(pydantic.BaseModel):
    """
    Fields:
      - id: The unique ID of an OAuth registration.
      - email_id: The globally unique UUID of the Member's email.
      - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols.
    """  # noqa

    id: str
    email_id: str
    provider_subject: str

Traceback

File ~/.cache/pypoetry/virtualenvs/...python3.11/site-packages/stytch/consumer/api/sessions.py:326, in Sessions.authenticate_jwt_local(self, session_jwt, max_token_age_seconds, leeway)
    323 # For JWTs that include it, prefer the inner expires_at claim.
    324 expires_at = claim.get("expires_at", generic_claims.reserved_claims["exp"])
--> 326 return Session(
    327     attributes=claim["attributes"],
    328     authentication_factors=claim["authentication_factors"],
    329     expires_at=expires_at,
    330     last_accessed_at=claim["last_accessed_at"],
    331     session_id=claim["id"],
    332     started_at=claim["started_at"],
    333     user_id=generic_claims.reserved_claims["sub"],
    334     custom_claims=custom_claims,
    335 )

File ~/.cache/pypoetry/virtualenvs/.../python3.11/site-packages/pydantic/main.py:341, in pydantic.main.BaseModel.__init__()

ValidationError: 1 validation error for Session
authentication_factors -> 0 -> google_oauth_factor -> email_id
  field required (type=value_error.missing)
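To make the failure concrete, here is an added example (not the stytch SDK's own code) that rebuilds the model nesting from the issue, runs the claim shape shown above through it, and shows a hypothetical relaxed model in which email_id is Optional. The assumption is that the fix the maintainer mentions would be exactly that field-type change; the claim values and model names here are constructed placeholders, and a None email_id means the session cannot be tied to a verified email, so authorization code must not treat it as a match.

```python
from typing import List, Optional

import pydantic

class GoogleOAuthFactorStrict(pydantic.BaseModel):
    # Shape of the SDK model quoted in the issue: email_id is required.
    id: str
    email_id: str
    provider_subject: str

class GoogleOAuthFactorRelaxed(pydantic.BaseModel):
    # Hypothetical fix: a missing email_id becomes None instead of a ValidationError.
    id: str
    email_id: Optional[str] = None
    provider_subject: str

def make_session_model(factor_model):
    """Reproduce the SDK's nesting: Session -> authentication_factors -> google_oauth_factor."""
    class AuthenticationFactor(pydantic.BaseModel):
        type: str
        delivery_method: str
        google_oauth_factor: Optional[factor_model] = None

    class Session(pydantic.BaseModel):
        authentication_factors: List[AuthenticationFactor]

    return Session

SessionStrict = make_session_model(GoogleOAuthFactorStrict)
SessionRelaxed = make_session_model(GoogleOAuthFactorRelaxed)

# Constructed claims in the shape the issue shows; the identifiers are placeholders.
CLAIMS = {"authentication_factors": [{
    "type": "oauth", "delivery_method": "oauth_google",
    "last_authenticated_at": "2023-11-30T00:44:02Z",
    "google_oauth_factor": {"id": "oauth-user-test-00000000-0000-0000-0000-000000000000",
                            "provider_subject": "000000000000000000000"},
}]}

def missing_paths(model, data):
    """Dotted paths of the fields pydantic reports as missing; [] when data validates."""
    try:
        model(**data)
    except pydantic.ValidationError as exc:
        return [".".join(str(p) for p in e["loc"]) for e in exc.errors() if "missing" in e["type"]]
    return []

def relaxed_email_ids(data):
    # With the relaxed model the claim parses; a None email_id must be treated as unknown.
    return [f.google_oauth_factor.email_id for f in SessionRelaxed(**data).authentication_factors]
```

Running missing_paths(SessionStrict, CLAIMS) yields the same nested path the traceback reports, while the relaxed model parses the claim and exposes email_id as None.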

@logan-stytch
Contributor

Thanks for the bug report! I'm going to take a look at this and see what we can do. I believe we had an assumption that the GoogleOAuthFactor would always have an associated email_id, but if that's wrong, I can look into fixing that field type.

logan-stytch self-assigned this Nov 30, 2023

@logan-stytch
Contributor

Hey @wakkadojo, we have some theories about this, but aren't completely certain what's going on here. Just wanted to follow up and say that this hasn't fallen off our radar yet. Our assumption is that email is always present, but clearly you've found a case where this isn't true.

I can say that at least from our side, we should be supplying an empty email_id even if one didn't exist.

The only theory we have: would you know if this is possibly a Google OneTap login for an account that has explicitly denied email sharing?

@wakkadojo
Author

I think it was a Google One Tap login through Android, but I don't believe email sharing was off.

Do you know how I would check that?

We have a workaround for now.
