Robin Huy

Reputation: 1100

Cannot exchange AccessToken from Google API inside Docker container

I have a web app written in Go that uses oauth2 (package golang.org/x/oauth2) to sign users in with Google (following this tutorial: https://developers.google.com/identity/sign-in/web/server-side-flow).

When I test the app locally, it works fine, but when I deploy the app and run it inside a Docker container (based on alpine:latest, running the binary file), it fails with an error: Post https://accounts.google.com/o/oauth2/token: x509: certificate signed by unknown authority

Here is my code to exchange the accessToken:

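// Uses context, log, golang.org/x/oauth2 and golang.org/x/oauth2/google.
ctx := context.Background()

// Named oauthConfig so it does not shadow the app's own config package.
oauthConfig := &oauth2.Config{
    ClientID:     config.GoogleClientId,
    ClientSecret: config.GoogleClientSecret,
    RedirectURL:  config.GoogleLoginRedirectUrl,
    Endpoint:     google.Endpoint,
    Scopes:       []string{"email", "profile"},
}

// Exchange makes the HTTPS POST to Google's token endpoint.
accessToken, err := oauthConfig.Exchange(ctx, req.Code)
if err != nil {
    log.Println(err.Error())   // Error here
}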

Upvotes: 4

Views: 2837

Answers (2)

Robin Huy

Reputation: 1100

The problem is not caused by Go but by the Alpine image.

The default Alpine image does not have certificates, so the app cannot call an https address (in this case https://accounts.google.com/o/oauth2/token).

To fix this problem, install two packages, openssl and ca-certificates. Example in a Dockerfile:

RUN apk add --no-cache ca-certificates openssl

Upvotes: 2
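
Added example (not part of the original posts and not code from the asker's app): a Go program that reproduces the error from the question offline by verifying a server certificate against an empty root pool, which is the situation in an image with no CA bundle, and then again once the issuing root is in the pool. The CA, the host name token.example.test and the function names are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test cert: a self-signed CA if parent is nil, else a server cert.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors only if crypto/rand fails
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // no issuer given: sign the CA with its own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// demo verifies one server cert against an empty root pool, then with its CA added.
func demo() (emptyPoolErr, trustedPoolErr error) {
	ca, caKey := issue("ca.example.test", nil, nil)
	leaf, _ := issue("token.example.test", ca, caKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "token.example.test"}
	_, emptyPoolErr = leaf.Verify(opts) // empty trust store, as in the bare image
	opts.Roots.AddCert(ca)              // the root is now trusted
	_, trustedPoolErr = leaf.Verify(opts)
	return emptyPoolErr, trustedPoolErr
}

func main() { fmt.Println(demo()) }
```

The server certificate is identical in both checks; only the contents of the root pool change the outcome.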

Soumen Mukherjee

Reputation: 3272

You will need to add the Google Issuing CA certificate to the trusted cert store of the Docker image.

The Google CA cert is this: https://pki.google.com/GIAG2.crt

More info on the certificate can be found from here

Then, within the Dockerfile, you will need to do something like this:

cp GIAG2.crt /usr/local/share/ca-certificates/GIAG2.crt
update-ca-certificates

Upvotes: 1
