bookstore gRPC sample with the auth0 authentication provider.

marknutt...@gmail.com

May 29, 2017, 3:41:08 PM
to Google Cloud Endpoints
Hi,
I'm trying to get the bookstore gRPC sample working with an auth0 authentication provider.

The only change that I've made to the api_config.yaml in the guide is to add the authentication stanza (apart from updating the service name of course).

authentication:
  providers:
  - id: auth0_jwk
    issuer: https://myapp.auth0.com/
    jwks_uri: "https://myapp.auth0.com/.well-known/jwks.json"
  rules:
  - selector: "*"
    requirements:
      - provider_id: auth0_jwk

I've acquired a bearer token from auth0 using their http interface:

curl --request POST \
  --url https://myapp.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"...","client_secret":"...","audience":"myapp.endpoints.myapp-167610.cloud.goog","grant_type":"client_credentials"}'

which I've provided as an argument to the client script 

python bookstore_client.py --host 35.187.160.23 --port 80 --auth_token $token

However, I only ever receive the following error when I try to call a protected api method:

grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with (StatusCode.UNAUTHENTICATED, JWT validation failed: Missing or invalid credentials)>

Can anyone shed some light on what I'm doing wrong?

Thanks, Mark

Mark Nuttall-Smith

May 30, 2017, 1:36:51 AM
to Google Cloud Endpoints
A few more details:

When I decode the auth token using jwt.io I see the following payload:

{
  "sub": "52KrE3Xvkfdsfsfsdfsdfsfdssl6HaQAOajO@clients",
  "exp": 1496173209,
  "iat": 1496086809,
  "scope": ""
}

However, I also get an Invalid Signature warning, even when putting the jwks x5c certificate chain in the RS256 certificate field.

Advice gratefully received :)

Mark Nuttall-Smith

May 30, 2017, 9:51:49 AM
to Google Cloud Endpoints
Well, about the jwt.io invalid signature error - apparently the ----BEGIN/END CERTIFICATE--- lines are necessary for the JWT to validate. After adding that, jwt.io validates the JWT correctly.

Still failing to authenticate with the endpoint though... 

Mark Nuttall-Smith

May 30, 2017, 1:25:41 PM
to Google Cloud Endpoints
I read the problem and resolution here, thinking it might be my trouble too... but alas, I am correctly using an RS256 signed JWT.

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "REMyRDA5RDNBODcyRDVDRDc2QjdCRUUxQTVBQkE3N0NCQTBDNzlBMw"
}

Please, any help would be most welcome! 

Sarvani Vakkalanka

May 30, 2017, 1:28:42 PM
to Mark Nuttall-Smith, Google Cloud Endpoints
Hi Mark,

The "Missing or invalid credentials" error means that Endpoints did not receive the token in the headers, or that there is no "Bearer" field in the authorization header, or that it is misspelled. I tried the sample on my end and it is working for me.
Could you also check that there are no changes in your bookstore_client.py file? This is just to ensure that there were no accidental changes.

Could you run the following and check the logs for me?

$ kubectl get pods
NAME                                  READY     STATUS    RESTARTS   AGE
esp-grpc-bookstore-3662478140-hr78w   2/2       Running   0          13m


The above is an example; your pod's name could be different.
Get the name of the pod and run the following.
$ kubectl logs YOUR-POD-NAME esp

Could you provide the logs? 

Thanks,
Sarvani






--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/010cb1c1-f783-4add-9f80-f0d3b299df39%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



Mark Nuttall-Smith

May 30, 2017, 1:37:49 PM
to Google Cloud Endpoints, marknutt...@gmail.com
Hi Sarvani,

Details from GKE:

iMac:Projects markns$ kubectl get pods
NAME                                  READY     STATUS    RESTARTS   AGE
esp-grpc-bookstore-1601659560-86h33   2/2       Running   0          21h

iMac:Projects markns$ kubectl logs esp-grpc-bookstore-1601659560-86h33 -c esp
10.0.0.1 - - [30/May/2017:17:20:09 +0000] "POST /endpoints.examples.bookstore.Bookstore/GetShelf HTTP/2.0" 401 125 "-" "grpc-python/1.3.5 grpc-c/3.0.0 (osx; chttp2; gentle)"
10.0.0.1 - - [30/May/2017:17:21:54 +0000] "POST /endpoints.examples.bookstore.Bookstore/GetShelf HTTP/2.0" 401 125 "-" "grpc-python/1.3.5 grpc-c/3.0.0 (osx; chttp2; gentle)"
10.0.0.1 - - [30/May/2017:17:22:21 +0000] "POST /endpoints.examples.bookstore.Bookstore/GetShelf HTTP/2.0" 401 125 "-" "grpc-python/1.3.5 grpc-c/3.0.0 (osx; chttp2; gentle)"

I did modify the bookstore_client.py script to call an authenticated method:

if auth_token:
    metadata.append(('authorization', 'Bearer ' + auth_token))
# shelves = stub.ListShelves(empty_pb2.Empty(), timeout, metadata=metadata)
stub.GetShelf(bookstore_pb2.GetShelfRequest(shelf=1))

So, "Missing or invalid credentials" wouldn't ever mean that the token was not valid?

Thanks for helping :)

Sarvani Vakkalanka

May 30, 2017, 1:41:57 PM
to Mark Nuttall-Smith, Google Cloud Endpoints
Hi Mark,

I think the problem is with your change. In your openapi config, you have enabled authentication for all the methods with "selector=*". Now when you invoke GetShelf, you are not passing the metadata which has the Authorization header with Bearer token. This is causing the proxy to throw an error that it is missing credentials. Could you try passing in the metadata as it is being done in ListShelves method?

Thanks,
Sarvani

Sarvani Vakkalanka

May 30, 2017, 1:42:46 PM
to Mark Nuttall-Smith, Google Cloud Endpoints
Also, if the token were not valid, it would give you a different error. The Invalid part here refers to the header part. Hope this helps.




Mark Nuttall-Smith

May 30, 2017, 1:52:29 PM
to Google Cloud Endpoints, marknutt...@gmail.com
Oh my! How can I have missed that! I'm so much more familiar with the python than all the other components, that I completely neglected to check it. #embarrassed ;)

I do actually now receive a different error - 

grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with (StatusCode.UNAUTHENTICATED, Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.)>

I have one doubt, if you would be so kind to put it to rest. Is it correct to have both the usage, and authentication blocks in the api_config?

usage:
  rules:
  # ListShelves methods can be called without an API Key.
  - selector: endpoints.examples.bookstore.Bookstore.ListShelves
    allow_unregistered_calls: true


authentication:
  providers:
  - id: auth0_jwk
    issuer: https://myapp.auth0.com/
    jwks_uri: "https://myapp.auth0.com/.well-known/jwks.json"
  rules:
  - selector: "*"
    requirements:
      - provider_id: auth0_jwk


Thanks,
Mark

Sarvani Vakkalanka

May 30, 2017, 2:43:32 PM
to Mark Nuttall-Smith, Google Cloud Endpoints
Hi Mark,
No issues. Glad that you are unblocked now.

Yes. The Usage part allows you to "allow unregistered calls" for a method. If you do this, you can invoke your API without an API key to your method. The Authentication part is the configuration to validate your JWT tokens. They describe two different authentication mechanisms and can both exist in your open api specification.

Thanks,
Sarvani


Mark Nuttall-Smith

May 30, 2017, 3:58:39 PM
to Google Cloud Endpoints, marknutt...@gmail.com
Hi Sarvani,

Thanks a lot for the help so far. Unfortunately I still can't get the authenticated call working. The error is still as I mentioned before:

grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with (StatusCode.UNAUTHENTICATED, Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.)>

The esp logs have a warning (in bold below) that might be relevant?

iMac:bookstore markns$ kubectl logs esp-grpc-bookstore-3787023055-g4wzd esp -f
INFO:Fetching an access token from the metadata service
INFO:Fetching the service configuration from the service management service
nginx: [warn] Using trusted CA certificates file: /etc/nginx/trusted-ca-certificates.crt
10.0.0.1 - - [30/May/2017:19:47:45 +0000] "POST /endpoints.examples.bookstore.Bookstore/GetShelf HTTP/2.0" 403 118 "-" "grpc-python/1.3.5 grpc-c/3.0.0 (osx; chttp2; gentle)"
2017/05/30 19:47:45[warn]9#9: Received non-matching report response service config ID: '', requested: '2017-05-30r0'
10.0.0.1 - - [30/May/2017:19:50:53 +0000] "POST /endpoints.examples.bookstore.Bookstore/GetShelf HTTP/2.0" 401 200 "-" "grpc-python/1.3.5 grpc-c/3.0.0 (osx; chttp2; gentle)"

I'm pretty confused - the requested id is definitely available in service-management:

iMac:bookstore markns$ gcloud service-management configs list --service bookstore2.endpoints.myapp-167610.cloud.goog
CONFIG_ID     SERVICE_NAME
2017-05-30r0  bookstore2.endpoints.myapp-167610.cloud.goog

Any ideas?

Sarvani Vakkalanka

May 30, 2017, 4:21:57 PM
to Mark Nuttall-Smith, Google Cloud Endpoints
Hi Mark,

You will need to generate an API key and use it as follows:

Please use the following link to set up an API key:


Copy your key as follows:

API_KEY="<PASTE YOUR KEY HERE>"

Invoke your Python client as follows:

python bookstore_client.py --host ... --port ... --auth_token ... --api_key $API_KEY

Thanks,
Sarvani



Mark Nuttall-Smith

May 30, 2017, 4:41:37 PM
to Google Cloud Endpoints, marknutt...@gmail.com
Aha! It works! 

I assumed that, since I'm using auth0 and the returned auth_token, an API key wouldn't be necessary. My understanding was that API keys were for non-interactive clients and auth_tokens for user logins. Now I see that the API key makes it possible to identify the calling application as well as the user.

Thanks very much,
Mark
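
The two failures in this thread (a call sent without `metadata=`, then a call with a JWT but no API key) can be prevented on the client side; the following is an added example, not part of the original posts or of the bookstore sample. `build_call_metadata`, `CredentialedStub` and `FakeBookstoreStub` are hypothetical names, the `x-api-key` metadata key is an assumption about how the sample client forwards `--api_key` (the thread does not show it), and the fake stub is a constructed stand-in that only mimics the two error messages quoted above.

```python
# Added example; helper names are hypothetical, not from the bookstore sample.


def build_call_metadata(auth_token=None, api_key=None):
    """Build the per-call gRPC metadata list the client passes as metadata=."""
    metadata = []
    if api_key:
        # Assumption: the sample client forwards --api_key under this key.
        metadata.append(('x-api-key', api_key))
    if auth_token:
        token = auth_token.strip()
        if token.lower().startswith('bearer '):
            token = token[len('bearer '):].strip()  # avoid "Bearer Bearer <jwt>"
        if token.count('.') != 2:
            raise ValueError('auth_token is not a compact JWT (need 3 segments)')
        metadata.append(('authorization', 'Bearer ' + token))
    return metadata


class CredentialedStub:
    """Wrap a generated stub so no RPC can be sent without the credentials."""

    def __init__(self, stub, metadata):
        self._stub = stub
        self._metadata = list(metadata)

    def __getattr__(self, name):
        rpc = getattr(self._stub, name)
        if not callable(rpc):
            return rpc

        def call(request, timeout=None, metadata=None, **kwargs):
            # Default credentials first, then anything the caller adds per call.
            merged = self._metadata + list(metadata or [])
            return rpc(request, timeout=timeout, metadata=merged, **kwargs)
        return call


class FakeBookstoreStub:
    """Constructed stand-in that mimics only the two rejections quoted in the thread."""

    def GetShelf(self, request, timeout=None, metadata=None):
        headers = dict(metadata or [])
        if not headers.get('authorization', '').startswith('Bearer '):
            return 'UNAUTHENTICATED: JWT validation failed: Missing or invalid credentials'
        if 'x-api-key' not in headers:
            return "UNAUTHENTICATED: Method doesn't allow unregistered callers"
        return 'OK'


def demo():
    token = 'aaa.bbb.ccc'  # constructed placeholder, not a real JWT
    raw = FakeBookstoreStub()
    no_metadata = raw.GetShelf({'shelf': 1})  # the call as modified in the thread
    jwt_only = CredentialedStub(raw, build_call_metadata(auth_token=token))
    both = CredentialedStub(raw, build_call_metadata(token, 'constructed-key'))
    return [no_metadata, jwt_only.GetShelf({'shelf': 1}), both.GetShelf({'shelf': 1}, 5)]


if __name__ == '__main__':
    for outcome in demo():
        print(outcome)
```

With a real generated stub, wrapping it once after channel creation means a newly added call such as `GetShelf` inherits the same headers as `ListShelves`.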



Sarvani Vakkalanka

May 30, 2017, 4:52:44 PM
to Mark Nuttall-Smith, Google Cloud Endpoints
You are welcome.

ral...@gmail.com

Dec 29, 2017, 9:19:04 PM
to Google Cloud Endpoints
The whole point of using service accounts is to *not* use api keys. Why is this necessary?

Mark Nuttall-Smith

Dec 30, 2017, 4:45:50 AM
to ral...@gmail.com, Google Cloud Endpoints
There are a few reasons, but the most salient for me was this: The API key is used to track API requests associated with your project for quota and billing.

