dongying9756
2018-09-15 05:27

Unable to exchange AccessToken from the Google API inside a Docker container

I have a web app written in Go that uses oauth2 (package golang.org/x/oauth2) to sign users in with Google (following this tutorial: https://developers.google.com/identity/sign-in/web/server-side-flow).

When I test the app locally, it works fine, but when I deploy the app and run it inside a Docker container (based on alpine:latest, running the binary file), it has an error: Post https://accounts.google.com/o/oauth2/token: x509: certificate signed by unknown authority

Here is my code to exchange the accessToken:

ctx = context.Background()

config := &oauth2.Config{
    ClientID:     config.GoogleClientId,
    ClientSecret: config.GoogleClientSecret,
    RedirectURL:  config.GoogleLoginRedirectUrl,
    Endpoint:     google.Endpoint,
    Scopes:       []string{"email", "profile"},
}

accessToken, err := config.Exchange(ctx, req.Code)
if err != nil {
    log.Println(err.Error())   // Error here
}

2 answers

  • douzha5990 2018-09-19 03:17
    Accepted

    The problem is not caused by Go but by the Alpine image.

    The default Alpine image does not have certificates, so the app cannot call an https address (in this case https://accounts.google.com/o/oauth2/token).

    To fix this problem, install 2 packages: openssl and ca-certificates. Example in a Dockerfile:

    RUN apk add --no-cache ca-certificates openssl
    
  • douqian4411 2018-09-15 08:18

    You will need to add the Google Issuing CA certificate to the trusted cert store of the Docker image.

    The Google CA cert is this: https://pki.google.com/GIAG2.crt.

    More info on the certificate can be found here

    Then within the Dockerfile, you will need to do something like this:

    cp GIAG2.crt /usr/local/share/ca-certificates/GIAG2.crt
    update-ca-certificates
    
