Firebase

Firebase

关注
发信
docker - 如何更新基于Docker的安装的soanr.properties
webserver - 粘贴 (Python) Web 服务器 - 自动重载问题
sqlite - sqlite:插入或更新行,性能问题
c# - 缓存编译的表达式代表
php - 在 Notepad++ 中打开 PHP 必需/包含文件的快速方法
javascript - 如何通过表单传递隐藏值?
linux - sed : just trying to remove a substring
javascript - 使用node.js和socket.io向客户端发送信息时发生延迟
python - 如何从CSV文件的每一行中具有可变数量值的列中提取数据?
c# - 使用 NAudio 播放带有自定义编解码器的 WAV
java - 在java中检索嵌套json中的所有键
Android:如何在 TextView 中对齐文本?
html - Modernizr不会测试w3schools上列出的所有css3功能
c# - WPF自定义控件: DependencyProperty of Collection type
python - 选择 QListView 中的所有项目并在更改目录时取消选择所有项目

firebase - 使用Cloud Endpoints和Firebase调用ESP时出现“409 Audience not allowed”错误

扫码查看

我一直在研究gRPC服务,该服务要求能够从经过Firebase身份验证的浏览器接收 call 。我一直在处理所有问题,直到出现409错误,但似乎找不到更多信息。

我将尝试提供尽可能多的信息。

代码

这是我的K8S list 

apiVersion: v1
kind: Service
metadata:
  name: esp-grpc-environment
spec:
  ports:
  # Port that accepts gRPC and JSON/HTTP2 requests over HTTP.
  - port: 80
    targetPort: 9090
    protocol: TCP
    name: http2
  selector:
    app: esp-grpc-environment
  type: LoadBalancer
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: esp-grpc-environment
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: esp-grpc-environment
    spec:
      containers:
      - name: esp
        image: gcr.io/endpoints-release/endpoints-runtime:1
        args: [
          "--http_port=9090",
          "--service=environment.endpoints.<project_id>.cloud.goog",
          "--rollout_strategy=managed",
          "--backend=grpc://127.0.0.1:8000",
          "--cors_preset=basic",
          "--cors_allow_headers=Keep-Alive,User-Agent,Cache-Control,Content-Type,Content-Transfer-Encoding,X-Accept-Content-Transfer-Encoding,X-Accept-Response-Streaming,X-User-Agent,X-Grpc-Web,Grpc-Timeout,Authorization,authorization",
          "--cors_expose_headers=grpc-status,grpc-message,authorization",
          "--enable_debug"
        ]
        ports:
          - containerPort: 9090
      - name: environment
        image: terrariumai/environment:0.0.1
        imagePullPolicy: Always
        ports:
          - containerPort: 8000

和我的端点配置
type: google.api.Service
config_version: 3

name: environment.endpoints.<project_id>.cloud.goog
title: Environment gRPC API

apis:
  - name: endpoints.terrariumai.environment.Environment

authentication:
  providers:
    - id: firebase
      jwks_uri: https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com
      issuer: https://securetoken.google.com/<project_id>
  rules:
    - selector: "*"
      requirements:
        - provider_id: firebase

usage:
  rules:
    - selector: endpoints.terrariumai.environment.Environment.CreateEntity
      allow_unregistered_calls: true

这是我的服务配置的链接

Service Config

这就是我调用API的方式
import {
CreateEntityRequest
} from "../api/environment_pb";

this.props.firebase
      .auth()
      .currentUser.getIdToken(/* forceRefresh */ true)
      .then(function(idToken) {
        var service = new EnvironmentClient(addr, null, null);
        var request = new CreateEntityRequest();
        var metadata = {
          authorization: `Bearer ${idToken}`
        };
        console.log(idToken);
        service.createEntity(request, metadata, (err, resp) => {
          if (err) {
            console.log("Got error: ", err);
          }
          console.log("Resp: ", resp);
        });
      })

错误

所以在这一点上,我在浏览器中收到此错误
POST http://<external-ip>/endpoints.terrariumai.environment.Environment/CreateEntity 403 (Forbidden)

这是来自/var/log/nginx/error.log的相关内容(但不是全部,我认为这应该足够了)
2019/07/11 00:06:44 [debug] 9#9: *8 HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 11 Jul 2019 00:06:44 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Bearer, error="invalid_token"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers: Keep-Alive,User-Agent,Cache-Control,Content-Type,Content-Transfer-Encoding,X-Accept-Content-Transfer-Encoding,X-Accept-Response-Streaming,X-User-Agent,X-Grpc-Web,Grpc-Timeout,Authorization,authorization
Access-Control-Expose-Headers: grpc-status,grpc-message,authorization

2019/07/11 00:06:44 [debug] 9#9: *8 write new buf t:1 f:0 000056541D4E9778, pos 000056541D4E9778, size: 618 file: 0, size: 0
2019/07/11 00:06:44 [debug] 9#9: *8 http write filter: l:0 f:0 s:618
2019/07/11 00:06:44 [debug] 9#9: *8 http output filter "/endpoints.terrariumai.environment.Environment/CreateEntity?"
2019/07/11 00:06:44 [debug] 9#9: *8 ESP error message: JWT validation failed: Audience not allowed
2019/07/11 00:06:44 [debug] 9#9: *8 send error response: {
 "code": 7,
 "message": "JWT validation failed: Audience not allowed",
 "details": [
  {
   "@type": "type.googleapis.com/google.rpc.DebugInfo",
   "stackEntries": [],
   "detail": "auth"
  }
 ]
}

我真的不确定如何进一步调试它。我尝试查找此文件,但我只能找到的唯一文档说Firebase可能在标题中设置了不正确的“aud”值?任何见识将不胜感激!

最佳答案

发生“不允许受众”错误,因为您的服务配置未在Firebase生成的 token 中明确列出“aud”声明的接受值。

Cloud Endpoints文档说明了如何在Open API文档中配置受众检查Firebase token :https://cloud.google.com/endpoints/docs/openapi/authenticating-users-firebase

在服务配置消息中,相关字段为authentication.providers.audiences。

authentication:
  providers:
    - id: firebase
      jwks_uri: https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com
      issuer: https://securetoken.google.com/<project_id>
      audiences:
        - <project_id>

关于firebase - 使用Cloud Endpoints和Firebase调用ESP时出现“409 Audience not allowed”错误,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/56981740/

10-13 03:44
查看更多
Powered by LMLPHP ©2025 Firebase 0.028501