fix(googlechat): implement custom OIDC verification with Google Chat JWK endpoint

Author: tuntran

go.mod

@@ -26,13 +26,10 @@ require (
 	go.opentelemetry.io/otel/trace v1.40.0
 	golang.org/x/oauth2 v0.35.0
 	golang.org/x/time v0.14.0
-	google.golang.org/api v0.269.0
 	tailscale.com v1.94.2
 )
 
 require (
-	cloud.google.com/go/auth v0.18.2 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/akutz/memconn v0.1.0 // indirect
@@ -68,17 +65,13 @@ require (
 	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gaissmai/bart v0.18.0 // indirect
 	github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced // indirect
 	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.12 // indirect
-	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
 	github.com/huin/goupnp v1.3.0 // indirect
 	github.com/invopop/jsonschema v0.13.0 // indirect
@@ -107,7 +100,6 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect

go.sum

@@ -1,9 +1,5 @@
 9fans.net/go v0.0.8-0.20250307142834-96bdba94b63f h1:1C7nZuxUMNz7eiQALRfiqNOm04+m3edWlRff/BYHf0Q=
 9fans.net/go v0.0.8-0.20250307142834-96bdba94b63f/go.mod h1:hHyrZRryGqVdqrknjq5OWDLGCTJ2NeEvtrpR96mjraM=
-cloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=
-cloud.google.com/go/auth v0.18.2/go.mod h1:xD+oY7gcahcu7G2SG2DsBerfFxgPAJz17zz2joOFF3M=
-cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
-cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
@@ -208,14 +204,8 @@ github.com/google/go-tpm v0.9.4 h1:awZRf9FwOeTunQmHoDYSHJps3ie6f1UlhS1fOdPEt1I=
 github.com/google/go-tpm v0.9.4/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 h1:wG8RYIyctLhdFk6Vl1yPGtSRtwGpVkWyZww1OCil2MI=
 github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806/go.mod h1:Beg6V6zZ3oEn0JuiUQ4wqwuyqqzasOltcoXPtgLbFp4=
-github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
-github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.12 h1:Fg+zsqzYEs1ZnvmcztTYxhgCBsx3eEhEwQ1W/lHq/sQ=
-github.com/googleapis/enterprise-certificate-proxy v0.3.12/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
-github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=
-github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
@@ -429,8 +419,6 @@ github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
 go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
@@ -508,8 +496,6 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.269.0 h1:qDrTOxKUQ/P0MveH6a7vZ+DNHxJQjtGm/uvdbdGXCQg=
-google.golang.org/api v0.269.0/go.mod h1:N8Wpcu23Tlccl0zSHEkcAZQKDLdquxK+l9r2LkwAauE=
 google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M=
 google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d h1:t/LOSXPJ9R0B6fnZNyALBRfZBH0Uy0gT+uR+SJ6syqQ=

internal/channels/googlechat/chat_oidc_verifier.go

@@ -0,0 +1,223 @@
+package googlechat
+
+import (
+	"context"
+	"crypto"
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"math/big"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	// chatJWKURL is the JWK endpoint for Google Chat's signing keys.
+	// Standard idtoken.Validate() uses googleapis.com/oauth2/v3/certs which does NOT
+	// include Chat's signing keys, causing "could not find matching cert keyId" errors.
+	chatJWKURL = "https://www.googleapis.com/service_accounts/v1/jwk/[email protected]"
+
+	// chatIssuer is the expected issuer claim in Google Chat JWT tokens.
+	chatIssuer = "[email protected]"
+
+	// jwkCacheTTL is how long to cache fetched JWKs before refreshing.
+	jwkCacheTTL = 1 * time.Hour
+
+	// clockSkewLeeway allows for minor clock differences between servers.
+	clockSkewLeeway = 5 * time.Minute
+)
+
+// chatCertCache stores fetched Google Chat JWKs with a TTL.
+var chatCertCache = &jwkCache{keys: make(map[string]*rsa.PublicKey)}
+
+type jwkCache struct {
+	mu      sync.RWMutex
+	keys    map[string]*rsa.PublicKey // kid → public key
+	fetched time.Time
+}
+
+// jwkSet is the JSON structure from Google's JWK endpoint.
+type jwkSet struct {
+	Keys []jwkKey `json:"keys"`
+}
+
+type jwkKey struct {
+	Kid string `json:"kid"`
+	Kty string `json:"kty"`
+	N   string `json:"n"`
+	E   string `json:"e"`
+}
+
+// verifyChatToken verifies a Google Chat JWT token against the Chat-specific JWK endpoint.
+// audiences is a list of acceptable audience values (webhook URL, project number, etc.).
+func verifyChatToken(ctx context.Context, token string, audiences []string) error {
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		return fmt.Errorf("invalid JWT format")
+	}
+
+	// 1. Parse header to get kid
+	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
+	if err != nil {
+		return fmt.Errorf("decode header: %w", err)
+	}
+	var header struct {
+		Kid string `json:"kid"`
+		Alg string `json:"alg"`
+	}
+	if err := json.Unmarshal(headerJSON, &header); err != nil {
+		return fmt.Errorf("parse header: %w", err)
+	}
+	if header.Alg != "RS256" {
+		return fmt.Errorf("unsupported algorithm: %s", header.Alg)
+	}
+
+	// 2. Get signing key (fetch + cache, force-refresh on miss)
+	pubKey, err := getChatSigningKey(ctx, header.Kid)
+	if err != nil {
+		return err
+	}
+
+	// 3. Verify RS256 signature
+	signed := []byte(parts[0] + "." + parts[1])
+	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
+	if err != nil {
+		return fmt.Errorf("decode signature: %w", err)
+	}
+	h := crypto.SHA256.New()
+	h.Write(signed)
+	if err := rsa.VerifyPKCS1v15(pubKey, crypto.SHA256, h.Sum(nil), sig); err != nil {
+		return fmt.Errorf("invalid signature: %w", err)
+	}
+
+	// 4. Validate claims
+	claimsJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return fmt.Errorf("decode claims: %w", err)
+	}
+	var claims struct {
+		Iss string `json:"iss"`
+		Aud string `json:"aud"`
+		Exp int64  `json:"exp"`
+	}
+	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
+		return fmt.Errorf("parse claims: %w", err)
+	}
+
+	if claims.Iss != chatIssuer {
+		return fmt.Errorf("invalid issuer: %s", claims.Iss)
+	}
+
+	if time.Now().Unix() > claims.Exp+int64(clockSkewLeeway.Seconds()) {
+		return fmt.Errorf("token expired")
+	}
+
+	for _, aud := range audiences {
+		if claims.Aud == aud {
+			return nil
+		}
+	}
+	return fmt.Errorf("audience mismatch: got %s", claims.Aud)
+}
+
+// getChatSigningKey returns the RSA public key for the given kid.
+// Fetches from cache first; on miss, force-refreshes the cache and retries.
+func getChatSigningKey(ctx context.Context, kid string) (*rsa.PublicKey, error) {
+	keys, err := fetchChatJWKs(ctx, false)
+	if err != nil {
+		return nil, fmt.Errorf("fetch certs: %w", err)
+	}
+	if key, ok := keys[kid]; ok {
+		return key, nil
+	}
+
+	// Key not found — force refresh (Google may have rotated keys)
+	keys, err = fetchChatJWKs(ctx, true)
+	if err != nil {
+		return nil, fmt.Errorf("refresh certs: %w", err)
+	}
+	if key, ok := keys[kid]; ok {
+		return key, nil
+	}
+	return nil, fmt.Errorf("unknown signing key: %s", kid)
+}
+
+// fetchChatJWKs fetches Google Chat JWKs with caching.
+// forceRefresh bypasses the cache TTL.
+func fetchChatJWKs(ctx context.Context, forceRefresh bool) (map[string]*rsa.PublicKey, error) {
+	chatCertCache.mu.RLock()
+	if !forceRefresh && time.Since(chatCertCache.fetched) < jwkCacheTTL && len(chatCertCache.keys) > 0 {
+		keys := chatCertCache.keys
+		chatCertCache.mu.RUnlock()
+		return keys, nil
+	}
+	chatCertCache.mu.RUnlock()
+
+	chatCertCache.mu.Lock()
+	defer chatCertCache.mu.Unlock()
+
+	// Double-check after acquiring write lock
+	if !forceRefresh && time.Since(chatCertCache.fetched) < jwkCacheTTL && len(chatCertCache.keys) > 0 {
+		return chatCertCache.keys, nil
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, chatJWKURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("fetch JWKs: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("JWK endpoint returned %d", resp.StatusCode)
+	}
+
+	var jwks jwkSet
+	if err := json.NewDecoder(resp.Body).Decode(&jwks); err != nil {
+		return nil, fmt.Errorf("decode JWKs: %w", err)
+	}
+
+	keys := make(map[string]*rsa.PublicKey, len(jwks.Keys))
+	for _, k := range jwks.Keys {
+		if k.Kty != "RSA" {
+			continue
+		}
+		pub, err := rsaPubFromJWK(k.N, k.E)
+		if err != nil {
+			continue
+		}
+		keys[k.Kid] = pub
+	}
+
+	chatCertCache.keys = keys
+	chatCertCache.fetched = time.Now()
+	return keys, nil
+}
+
+// rsaPubFromJWK converts base64url-encoded RSA modulus and exponent to an rsa.PublicKey.
+func rsaPubFromJWK(nB64, eB64 string) (*rsa.PublicKey, error) {
+	nBytes, err := base64.RawURLEncoding.DecodeString(nB64)
+	if err != nil {
+		return nil, err
+	}
+	eBytes, err := base64.RawURLEncoding.DecodeString(eB64)
+	if err != nil {
+		return nil, err
+	}
+
+	e := 0
+	for _, b := range eBytes {
+		e = e*256 + int(b)
+	}
+
+	return &rsa.PublicKey{
+		N: new(big.Int).SetBytes(nBytes),
+		E: e,
+	}, nil
+}

internal/channels/googlechat/handler.go

@@ -7,8 +7,6 @@ import (
 	"log/slog"
 	"net/http"
 	"strings"
-
-	"google.golang.org/api/idtoken"
 )
 
 // NewWebhookHandler creates an http.HandlerFunc for Google Chat webhook events.
@@ -25,11 +23,13 @@ func NewWebhookHandler(projectNumber string, onMessage func(event *SpaceEvent))
 			return
 		}
 
-		// OIDC verification
+		// OIDC verification using Google Chat's specific JWK endpoint
 		if projectNumber != "" {
 			if err := verifyOIDC(r, projectNumber); err != nil {
 				slog.Warn("googlechat: OIDC verification failed", "error", err)
-				http.Error(w, "unauthorized", http.StatusUnauthorized)
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusUnauthorized)
+				w.Write([]byte(`{}`))
 				return
 			}
 		}
@@ -70,6 +70,8 @@ func NewWebhookHandler(projectNumber string, onMessage func(event *SpaceEvent))
 }
 
 // verifyOIDC validates the Google OIDC token from the Authorization header.
+// Uses Google Chat's specific JWK endpoint ([email protected])
+// instead of the generic OAuth2 certs endpoint, which doesn't include Chat signing keys.
 func verifyOIDC(r *http.Request, projectNumber string) error {
 	auth := r.Header.Get("Authorization")
 	if auth == "" {
@@ -80,9 +82,35 @@ func verifyOIDC(r *http.Request, projectNumber string) error {
 		return fmt.Errorf("invalid Authorization format")
 	}
 
-	// idtoken.Validate caches keys internally
-	_, err := idtoken.Validate(r.Context(), token, projectNumber)
-	return err
+	// Build list of acceptable audiences: webhook URL + project number
+	var audiences []string
+	if url := buildRequestURL(r); url != "" {
+		audiences = append(audiences, url)
+	}
+	audiences = append(audiences, projectNumber)
+
+	return verifyChatToken(r.Context(), token, audiences)
+}
+
+// buildRequestURL reconstructs the original full URL from request headers.
+// Returns empty string if scheme/host cannot be determined.
+func buildRequestURL(r *http.Request) string {
+	scheme := r.Header.Get("X-Forwarded-Proto")
+	if scheme == "" {
+		if r.TLS != nil {
+			scheme = "https"
+		} else {
+			scheme = "http"
+		}
+	}
+	host := r.Header.Get("X-Forwarded-Host")
+	if host == "" {
+		host = r.Host
+	}
+	if host == "" {
+		return ""
+	}
+	return scheme + "://" + host + r.URL.Path
 }
 
 // isBotMentioned checks if the bot was @mentioned in the message annotations.