App identity error


Jacob G

Jan 8, 2019, 2:16:03 PM
to djangae-users
I'm in the process of switching my application's authentication from Django to Firebase Auth. My djangae application uses the Firebase Admin SDK for Python.

When I first deploy my GAE application (or update it), I can successfully make Firebase Admin calls on the Auth component, such as get_user or get_user_by_email. But after a while, perhaps 30 or 60 minutes (not sure exactly), these calls start failing with a NotAllowed exception coming from app identity (Default Application Credentials). The stack trace is pasted below.

I've submitted a GCP support ticket about it. But I'm also wondering if it's possibly an issue from using App Engine SDK 57, which djangae is now stuck at.

Has anyone else encountered this problem?

----

  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/firebase_admin/auth.py", line 252, in get_user_by_email
    response = user_manager.get_user(email=email)
  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/firebase_admin/_user_mgt.py", line 397, in get_user
    response = self._client.request('post', 'getAccountInfo', json=payload)
  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/firebase_admin/auth.py", line 513, in request
    resp = self.session.request(method, self.ID_TOOLKIT_URL + urlpath, **kwargs)
  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/google/auth/transport/requests.py", line 198, in request
    self._auth_request, method, url, request_headers)
  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/google/auth/credentials.py", line 122, in before_request
    self.refresh(request)
  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/google/auth/app_engine.py", line 118, in refresh
    self._scopes, self._service_account_id)
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/7e468a4e2dbc991a/python27/python27_lib/versions/1/google/appengine/api/app_identity/app_identity.py", line 605, in get_access_token
    scopes, service_account_id=service_account_id)
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/7e468a4e2dbc991a/python27/python27_lib/versions/1/google/appengine/api/app_identity/app_identity.py", line 558, in get_access_token_uncached
    return rpc.get_result()
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/7e468a4e2dbc991a/python27/python27_lib/versions/1/google/appengine/api/apiproxy_stub_map.py", line 615, in get_result
    return self.__get_result_hook(self)
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/7e468a4e2dbc991a/python27/python27_lib/versions/1/google/appengine/api/app_identity/app_identity.py", line 529, in get_access_token_result
    raise _to_app_identity_error(err)
NotAllowed


Jacob G

Jan 9, 2019, 12:55:28 PM
to djangae-users
I have a theory about what's going on... If I remote shell into my GAE application (remote api), it will stub a bunch of the GAE services into my local SDK runtime, including memcache. It seems that the app identity stuff gets stored in memcache. So perhaps it's copying my local machine default application credentials into the remote memcache, which then replaces the true remote app engine service account credentials that are cached (at least perhaps the access token is cached).

I don't have this problem with pubsub, because I think pubsub allows my Google login account creds to be used to authenticate. But it looks like Firebase Auth requires service account credentials, i.e., blocks my Google logon account creds from being used in Admin API calls.

There's also this stackoverflow talking about some older versions of gcloud shell where the remote shell breaks application default creds:

I'm not sure if it's related.

In any event, remote api is gone from GAE Python 3.7, so it's not really a use case moving forward. They want you to gcloud shell with your own creds directly calling services without going through app engine instances. That's where the concept of Djangae datastore connector for Python 3.7 will really shine! 

Jacob G

Jan 14, 2019, 11:59:31 AM
to djangae-users
In case anyone ever runs into this... I ended up fixing the issue by initializing the firebase admin app per-request, as noted here:
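
One way to structure the per-request initialization described in the post above, as an added example (not code from the thread or from the reference it points to). The middleware name, the `sdk` injection parameter, the `request.firebase_app` attribute and `StubSdk` are assumptions made for illustration; `initialize_app(name=...)` and `delete_app()` are the Firebase Admin SDK calls.

```python
import uuid


class PerRequestFirebaseApp(object):
    """Django-style middleware (hypothetical name): one Firebase Admin app per request."""

    def __init__(self, get_response, sdk=None):
        self.get_response = get_response
        if sdk is None:
            import firebase_admin  # real SDK; lazy import so a stand-in can be injected
            sdk = firebase_admin
        self.sdk = sdk

    def __call__(self, request):
        # initialize_app() raises ValueError on a duplicate name, so use a unique one.
        app = self.sdk.initialize_app(name="req-" + uuid.uuid4().hex)
        request.firebase_app = app  # views pass app=request.firebase_app to auth calls
        try:
            return self.get_response(request)
        finally:
            # Always delete, even if the view raised, so no app outlives its request.
            self.sdk.delete_app(app)
            request.firebase_app = None


class StubSdk(object):
    """Constructed stand-in for firebase_admin so the example runs offline."""

    def __init__(self):
        self.live, self.log = set(), []

    def initialize_app(self, credential=None, options=None, name="[DEFAULT]"):
        if name in self.live:
            raise ValueError("app already exists: " + name)
        self.live.add(name)
        self.log.append("init")
        return name

    def delete_app(self, app):
        self.live.discard(app)
        self.log.append("delete")


def demo():
    sdk = StubSdk()
    middleware = PerRequestFirebaseApp(lambda request: request.firebase_app, sdk=sdk)
    request_type = type("Request", (object,), {})  # stand-in for HttpRequest
    results = [middleware(request_type()), middleware(request_type())]
    return results, sdk.log, sdk.live
```

In a view, the app created by the middleware is passed explicitly, for example `auth.get_user_by_email(email, app=request.firebase_app)`.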

Adam Alton

Jan 15, 2019, 6:11:36 AM
to Jacob G, djangae-users
Thanks for posting back with the fix that worked!

On Mon, 14 Jan 2019 at 16:59, Jacob G <ja...@fareclock.com> wrote:
In case anyone ever runs into this... I ended up fixing the issue by initializing the firebase admin app per-request, as noted here:
