Google API keys keep working after you delete them long enough to be exploited
16 points by alemi
This is much bigger than Google: this is how most companies and auth services implement JWTs. Stateless revocation is a key selling point at scale.
It's my biggest gripe with JWTs, but the industry seems to accept that it's no big deal?
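The trade-off the comment above describes can be shown in a few lines. The following is an added example, not code from the thread, Google, or any particular auth service: a minimal HS256 JWT minter and two verifiers, one purely stateless (signature plus `exp`, which is what "stateless revocation" amounts to) and one that also consults a server-side denylist keyed on `jti`. The secret, claim values and timestamps are constructed for illustration; `seconds_accepted_after_revocation` is a hypothetical helper that measures the window in which a stateless verifier keeps honouring a token after its owner revoked it.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment would use a managed key.
SECRET = b"demo-hs256-secret-not-for-production"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, key: bytes = SECRET) -> str:
    """Produce a compact-serialised HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_stateless(token: str, now: int, key: bytes = SECRET):
    """Stateless verification: signature and expiry only.

    Nothing here can notice that the token was revoked after issue;
    the token stays valid until `exp`, which is the gripe in the thread.
    Returns the claims on success, None on any failure.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        provided_sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm; never trust `alg` from the header to pick a verifier.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def verify_with_denylist(token: str, now: int, revoked: set, key: bytes = SECRET):
    """Same checks plus a server-side lookup of `jti` in a revocation set.

    This is the stateful alternative: revocation takes effect as soon as the
    verifier's copy of `revoked` is updated, at the cost of a lookup per request.
    """
    claims = verify_stateless(token, now, key)
    if claims is None or claims.get("jti") in revoked:
        return None
    return claims


def seconds_accepted_after_revocation(token: str, revoked_at: int, key: bytes = SECRET) -> int:
    """Hypothetical helper: how long a stateless verifier keeps accepting the token
    after the owner revokes it at `revoked_at`. Zero if already invalid then."""
    claims = verify_stateless(token, revoked_at, key)
    if claims is None:
        return 0
    return max(0, claims["exp"] - revoked_at)


if __name__ == "__main__":
    t0 = 1_000  # constructed issue time (seconds)
    token = mint({"sub": "svc-account", "jti": "key-01", "iat": t0, "exp": t0 + 3600})
    revoked = {"key-01"}  # owner revokes the key 10 minutes after issue
    print("stateless still accepts revoked token:",
          verify_stateless(token, t0 + 600) is not None)
    print("denylist rejects it:",
          verify_with_denylist(token, t0 + 600, revoked) is None)
    print("seconds the stateless verifier keeps accepting it:",
          seconds_accepted_after_revocation(token, t0 + 600))
```

The point of the last helper is that with a one-hour `exp`, the revocation window of a stateless verifier is whatever remains of that hour; shortening token lifetime or adding the denylist lookup are the only two levers, and each has the operational cost the thread argues about.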
Interestingly, Google documents a 1 hour expiration for API tokens, but the OP's tests observe invalidation 23 minutes after revocation. So Google is actually accelerating revocation.
A surprising number of posts complaining about Google or GCP are really just "local man discovers rollouts and production safety for the very first time".
examples: this post, people complaining that a feature that's obviously being A/B-tested isn't available for them yet, people complaining that a feature that's slowly ramping up isn't instantly available, people complaining that it takes some amount of time for an enabled something to propagate to some other place, etc.
There are two parties involved with a key change, Google and the customer. There's an incentive for Google to not propagate keys "instantaneously", as such an action might cause issues with the customer until the key has fully propagated on their side and thus increased support costs for Google dealing with a non-issue. And even within Google, propagation of keys takes some time, and as always, the limit is the speed of light.