
Comments (7)

td-gonzales avatar td-gonzales commented on September 7, 2024

Once I added x-google-allow: all, this seems to have started working.

from esp.

td-gonzales avatar td-gonzales commented on September 7, 2024

Okay now it's not working again.


nareddyt avatar nareddyt commented on September 7, 2024

Can you clarify your deployment architecture? Are you using ESPv2 on Cloud Run, API Gateway, or ESP as a sidecar on GKE/GCE? Is your backend an OpenAPI REST backend?


nareddyt avatar nareddyt commented on September 7, 2024

If you are talking about frontend authentication (having ESP verify that the JWT from the client is valid), you can configure it per method. From https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id#configuring_esp_to_support_client_authentication

Add a security section at either the API level to apply to the entire API, or at the method level to apply to a specific method.

So you can apply the auth to all your methods except the token service ones.


td-gonzales avatar td-gonzales commented on September 7, 2024

We are using API-GW to call Cloud Functions. Here is some of our API Config.

x-google-backend:
  address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-be-198765"
  disable_auth: true

x-google-allow: all

securityDefinitions:
  accept-jwt-from-svc-acct:
...

security:
  - accept-jwt-from-svc-acct: []

paths:
  /functionHello:
    get: 
      summary: test cloud function
      operationId: test
      x-google-backend: 
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        disable_auth: true 
      responses: 
        '200':
          description: success
  /functionSecured:
    get: 
      summary: test a secured function
      operationId: "secure test"
      x-google-backend:
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        disable_auth: false

It's my understanding that I should be able to call functionHello without a JWT, but when I call functionHello it requires a JWT. However, when I call some random endpoint like /joke, I go through to the backend and that doesn't require auth.


nareddyt avatar nareddyt commented on September 7, 2024

I see 2 issues here.

It's my understanding that I should be able to call functionHello without a JWT, but when I call functionHello it requires a JWT.

There are two different JWT tokens that ESPv2 / API-GW handles:

Client app ----- (client JWT) -----> ESPv2 ------ (ESPv2 JWT) -----> Cloud Function Backend

You want to configure access control for the client JWT, not the ESPv2 JWT. x-google-backend.disable_auth is configuring how ESPv2 generates the ESPv2 JWT to call the CF Backend (notice it is in the x-google-backend section).

Ref: https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#disable_auth

You can remove these disable_auth lines. Instead, you configure security via accept-jwt-from-svc-acct at a per-method level.

However, when I call some random endpoint like /joke, I go through to the backend and that doesn't require auth.

That is because you set x-google-allow: all. This allows unregistered paths like /joke to pass through to the backend. I suggest you remove this configuration. Please also remove the top-level x-google-backend.

Ref: https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#x-google-allow

I captured all the changes in the config below:

# >>> Remove top-level x-google-backend <<<

securityDefinitions:
  accept-jwt-from-svc-acct:
...

# >>> Remove top-level security <<<

paths:
  /functionHello:
    get: 
      summary: test cloud function
      operationId: test
      x-google-backend: 
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        # >>> Remove disable_auth <<<
      responses: 
        '200':
          description: success
  /functionSecured:
    get: 
      summary: test a secured function
      operationId: "secure test"
      # >>> Move security to only this method <<<
      security:
        - accept-jwt-from-svc-acct: []
      x-google-backend:
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        # >>> Remove disable_auth <<<

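To make the two distinctions in the reply above concrete (client JWT versus ESPv2 JWT, and API-level versus method-level security), here is an added example that is not code from the ESP project or from this thread. It resolves an OpenAPI spec held as a plain dict the way the reply describes; the two spec dicts are constructed from the reporter's layout and the suggested layout, with placeholder backend addresses, so no PyYAML is needed.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def client_jwt_required(spec):
    """Map 'GET /path' -> whether ESPv2 / API Gateway will demand a client JWT for it.
    A method-level `security` key overrides the API-level one; a missing key inherits it."""
    api_level = spec.get("security") or []
    required = {}
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                effective = op["security"] if "security" in op else api_level
                required[f"{method.upper()} {path}"] = bool(effective)
    return required

def audit(spec):
    """Warn about settings that are easy to mistake for client access control."""
    warnings = []
    if spec.get("x-google-allow") == "all":
        warnings.append("x-google-allow: all forwards unregistered paths (e.g. /joke) to the backend")
    backends = [("top-level", spec.get("x-google-backend"))]
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                backends.append((f"{method.upper()} {path}", op.get("x-google-backend")))
    for where, backend in backends:
        if backend and "disable_auth" in backend:
            warnings.append(f"{where}: disable_auth governs the ESPv2->backend JWT, not the client JWT")
    return warnings

# Constructed configs mirroring the thread; the backend address is a placeholder.
BACKEND = {"address": "https://REGION-PROJECT.cloudfunctions.net/PLACEHOLDER"}
BEFORE = {  # reporter's layout: API-level security plus x-google-allow: all
    "x-google-backend": dict(BACKEND, disable_auth=True),
    "x-google-allow": "all",
    "securityDefinitions": {"accept-jwt-from-svc-acct": {}},
    "security": [{"accept-jwt-from-svc-acct": []}],
    "paths": {
        "/functionHello": {"get": {"x-google-backend": dict(BACKEND, disable_auth=True)}},
        "/functionSecured": {"get": {"x-google-backend": dict(BACKEND, disable_auth=False)}},
    },
}
AFTER = {  # suggested layout: security declared only on the method that needs it
    "securityDefinitions": {"accept-jwt-from-svc-acct": {}},
    "paths": {
        "/functionHello": {"get": {"x-google-backend": dict(BACKEND)}},
        "/functionSecured": {"get": {"security": [{"accept-jwt-from-svc-acct": []}],
                                     "x-google-backend": dict(BACKEND)}},
    },
}
```

Running `client_jwt_required(BEFORE)` shows why functionHello demanded a JWT in the reporter's config: with no method-level `security` key it inherits the API-level requirement, and `disable_auth: true` never enters into that decision.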

td-gonzales avatar td-gonzales commented on September 7, 2024

Thank you I got the auth issue solved with this.

