Failure to refresh public keys causes IdTokenVerifier to fail valid tokens · Issue #891 · googleapis/google-oauth-java-client · GitHub
@erikjoh

Description

After rolling out the v1.33.3 release, we've experienced a few transient 1 hour outages for OIDC token verification.

Logs show:

message: WARNING: Failed to get a certificate from certificate location https://www.googleapis.com/oauth2/v3/certs

And then all attempts to validate tokens fail with:

com.google.api.client.auth.openidconnect.IdTokenVerifier$VerificationException: Could not find PublicKey for provided keyId: 486f16482005a2cdaf26d9214018d029ca46fb56

For 1 hour straight until the cache of the empty map expires and a new cert refresh succeeds:

We believe that the implementation should not evict previously known public keys in the event of a refresh failure (which could happen for many different reasons).

Labels: priority: p1 (Important issue which blocks shipping the next release. Will be fixed prior to next release.)

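The behaviour the issue asks for, as an added example (not code from google-oauth-java-client): a hypothetical `LastKnownGoodKeyCache` that keeps the previous keys when a refresh fails or returns nothing, retries after a short back-off, and drops the keys only after an assumed `maxStale` bound so that stale keys are not trusted indefinitely. The class, its parameters and the sample key are constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.Callable;
/** Hypothetical key cache (not the library's class): a failed refresh keeps the last good keys. */
public class LastKnownGoodKeyCache<K> {
    private final Callable<Map<String, K>> fetcher; // assumed: fetches and parses the certs document
    // ttl: normal refresh interval; retryAfter: back-off after a failure; maxStale: assumed trust bound
    private final Duration ttl, retryAfter, maxStale;
    private Map<String, K> keys = Map.of();
    private Instant nextRefresh = Instant.MIN, lastSuccess = Instant.MIN;
    public LastKnownGoodKeyCache(Callable<Map<String, K>> fetcher, Duration ttl,
                                 Duration retryAfter, Duration maxStale) {
        this.fetcher = fetcher; this.ttl = ttl;
        this.retryAfter = retryAfter; this.maxStale = maxStale;
    }

    /** Returns the key for keyId, or null if unknown (the caller must then reject the token). */
    public synchronized K get(String keyId, Instant now) {
        if (!now.isBefore(nextRefresh)) refresh(now);
        return keyId == null ? null : keys.get(keyId);
    }

    private void refresh(Instant now) {
        try {
            Map<String, K> fetched = fetcher.call();
            if (fetched == null || fetched.isEmpty()) throw new IllegalStateException("empty key set");
            keys = Map.copyOf(fetched); // swap only after a complete, non-empty fetch
            lastSuccess = now;
            nextRefresh = now.plus(ttl);
        } catch (Exception e) {
            nextRefresh = now.plus(retryAfter); // retry soon; never cache the failure for a full TTL
            if (now.isAfter(lastSuccess.plus(maxStale))) keys = Map.of(); // too stale: fail closed
        }
    }

    public static void main(String[] args) {
        boolean[] down = {false}; // constructed outage switch
        LastKnownGoodKeyCache<String> cache = new LastKnownGoodKeyCache<String>(() -> {
            if (down[0]) throw new java.io.IOException("certs endpoint unreachable");
            return Map.of("kid-1", "constructed-key");
        }, Duration.ofHours(1), Duration.ofSeconds(30), Duration.ofHours(24));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");
        System.out.println(cache.get("kid-1", t0)); // first fetch succeeds
        down[0] = true;
        System.out.println(cache.get("kid-1", t0.plusSeconds(7200)));  // outage, within maxStale
        System.out.println(cache.get("kid-1", t0.plusSeconds(90000))); // outage, beyond maxStale
    }
}
```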