问题描述
我正在尝试将服务设置为服务认证,以便外部应用程序可以向Cloud Run应用程序(在Cloud Endpoints API网关之后)发出请求.
I am trying to set up service to service authentication so an external application can make requests to a Cloud Run application (behind a Cloud Endpoints API gateway).
我已遵循Cloud Endpoints 服务之间的身份验证文档,但是在尝试访问Cloud Run服务时,我仍然收到以下错误:
I have followed the Cloud Endpoints authentication between services documentation, however I continue to receive the following error when trying to reach the Cloud Run service:
在openapi规范中,我设置了端点安全性和安全性定义:
Within the openapi spec, I have setup endpoint security and securityDefinition:
/endpoint_1:
get:
...
security:
- service_account: []
securityDefinitions:
service_account:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
x-google-issuer: "<service_account_email>"
x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/<service_account_email>"
x-google-audiences: "https://<cloud-run-service>-pjcfvhz2qq-uc.a.run.app"
然后按照 Cloud Endpoints文档.
部署所有内容后,我试图从本地计算机运行以下脚本以生成签名的jwt并向Cloud Run服务发出请求:
After everything is deployed, I am trying to run the following script from my local machine to generate a signed jwt and make a request to the Cloud Run service:
import os
import json
import time
import requests
import google.auth.crypt
import google.auth.jwt
now = int(time.time())
expiry_length = 3600
sa_email = '<service_account_email>'
payload = {
'iat': now,
'exp': now + expiry_length,
'iss': sa_email,
'sub': sa_email,
'email': sa_email,
'aud': 'https://<cloud-run-service>-pjcfvhz2qq-uc.a.run.app',
}
file_path = "service-account.json"
signer = google.auth.crypt.RSASigner.from_service_account_file(file_path)
signed_jwt = google.auth.jwt.encode(signer, payload)
headers = {
'Authorization': 'Bearer {}'.format(signed_jwt.decode('utf-8')),
'content-type': 'application/json',
}
url = "https://<cloud-run-service>-pjcfvhz2qq-uc.a.run.app/endpoint_1"
res = requests.get(url, headers=headers)
print(res.json())
获取请求的响应:
已在openapi规范中将发布者指定为与生成JWT所使用的发布者相匹配的服务帐户电子邮件.
The issuer has been specified on the openapi spec as the service account email which matches the issuer used with generating the JWT.
任何关于未配置 Jwt颁发者实际含义的指南,都将受到赞赏.
Any guidance on what Jwt issuer is not configured actually means, is appreciated.
推荐答案
我认为您需要Google签名的JWT令牌,而不是自签名的令牌.尝试以此更改代码的结尾(在您的 signed_jwt = ...
行之后)
I think you need a Google signed JWT token and not a self signed token. Try to change the end of your code with this (after your signed_jwt = ...
line)
auth_url = "https://www.googleapis.com/oauth2/v4/token"
params = {
'assertion': signed_jwt, # You may need to decode the signed_jwt: signed_jwt.decode('utf-8')
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
}
r = requests.post(auth_url, data=params)
if r.ok:
id_token = r.json()['id_token']
headers = {
'Authorization': 'Bearer {}'.format(id_token),
'content-type': 'application/json',
}
url = "https://<cloud-run-service>-pjcfvhz2qq-uc.a.run.app/endpoint_1"
res = requests.get(url, headers=headers)
print(res.json())
# For debugging
print(r)
print(vars(r))
这篇关于未配置返回401 Jwt颁发者的Cloud Endpoints的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!