Comments (7)
Once I added x-google-allow: all, this seems to have started working.
from esp.
Okay now it's not working again.
from esp.
Can you clarify your deployment architecture? Are you using ESPv2 on Cloud Run, API Gateway, or ESP as a sidecar on GKE/GCE? Is your backend an OpenAPI REST backend?
from esp.
If you are talking about frontend authentication (having ESP verify that the JWT from the client is valid), you can configure it per-method. From https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id#configuring_esp_to_support_client_authentication:
> Add a security section at either the API level to apply to the entire API, or at the method level to apply to a specific method.
So you can apply the auth to all your methods except the token service ones.
from esp.
We are using API-GW to call Cloud Functions. Here is some of our API Config.
x-google-backend:
  address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-be-198765"
  disable_auth: true
x-google-allow: all
securityDefinitions:
  accept-jwt-from-svc-acct:
    ...
security:
  - accept-jwt-from-svc-acct: []
paths:
  /functionHello:
    get:
      summary: test cloud function
      operationId: test
      x-google-backend:
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        disable_auth: true
      responses:
        '200':
          description: success
  /functionSecured:
    get:
      summary: test a secured function
      operationId: "secure test"
      x-google-backend:
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        disable_auth: false
It's my understanding that I should be able to call functionHello without a jwt token but when I call functionHello it requires a jwt. However when I call some random endpoint like joke I go to the backend and that doesn't require auth.
from esp.
I see 2 issues here.
> It's my understanding that I should be able to call functionHello without a jwt token but when I call functionHello it requires a jwt.
There are two different JWT tokens that ESPv2 / API-GW handles:
Client app ----- (client JWT) -----> ESPv2 ------ (ESPv2 JWT) -----> Cloud Function Backend
You want to configure access control for the client JWT, not the ESPv2 JWT. x-google-backend.disable_auth is configuring how ESPv2 generates the ESPv2 JWT to call the CF Backend (notice it is in the x-google-backend section).
Ref: https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#disable_auth
You can remove these disable_auth lines. Instead, you configure security via accept-jwt-from-svc-acct at a per-method level.
> However when I call some random endpoint like joke I go to the backend and that doesn't require auth.
That is because you set x-google-allow: all. This allows unregistered paths like /joke to pass through to the backend. I suggest you remove this configuration. Please also remove the top-level x-google-backend.
Ref: https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#x-google-allow
I captured all the changes in the config below:
# >>> Remove top-level x-google-backend <<<
securityDefinitions:
  accept-jwt-from-svc-acct:
    ...
# >>> Remove top-level security <<<
paths:
  /functionHello:
    get:
      summary: test cloud function
      operationId: test
      x-google-backend:
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        # >>> Remove disable_auth <<<
      responses:
        '200':
          description: success
  /functionSecured:
    get:
      summary: test a secured function
      operationId: "secure test"
      # >>> Move security to only this method <<<
      security:
        - accept-jwt-from-svc-acct: []
      x-google-backend:
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        # >>> Remove disable_auth <<<
from esp.
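As an added example (not part of the thread and not code from the ESP project), this Python check resolves which client-JWT scheme each method actually requires under OpenAPI 2.0 rules and flags the two settings discussed above. The spec is the thread's original config transcribed as a constructed dict; the function names client_auth and audit are hypothetical.

```python
# Constructed sample: the original config from the thread as a dict.
# The securityDefinitions body is elided on the page, so it is empty here.
SPEC = {
    "x-google-allow": "all",
    "securityDefinitions": {"accept-jwt-from-svc-acct": {}},
    "security": [{"accept-jwt-from-svc-acct": []}],
    "paths": {
        "/functionHello": {"get": {
            "operationId": "test",
            "x-google-backend": {"disable_auth": True}}},
        "/functionSecured": {"get": {
            "operationId": "secure test",
            "x-google-backend": {"disable_auth": False}}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def operations(spec):
    """Yield ('METHOD path', operation) for every method under paths."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield f"{method.upper()} {path}", op

def client_auth(spec):
    """Map each method to the scheme names a client JWT must satisfy.
    A method-level `security` overrides the top level; [] means none."""
    top = spec.get("security", [])
    return {key: sorted({name for req in op.get("security", top) for name in req})
            for key, op in operations(spec)}

def audit(spec):
    """Return findings for the settings discussed in the thread."""
    findings = []
    if spec.get("x-google-allow") == "all":
        findings.append("x-google-allow: all passes unregistered paths to the backend")
    for key, schemes in client_auth(spec).items():
        if not schemes:
            findings.append(f"{key}: no client JWT required")
    for key, op in operations(spec):
        if "disable_auth" in op.get("x-google-backend", {}):
            findings.append(f"{key}: disable_auth only affects the gateway-to-backend JWT")
    return findings
```

Run against the original config, audit reports the allow-all setting and both disable_auth lines, and client_auth shows that /functionHello still inherits the top-level scheme, which is why it demanded a JWT.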
Thank you I got the auth issue solved with this.
from esp.