endpoints 2.0 seems to generate incorrect openapi.json for api_key and firebase auth together


Walter Hsueh

May 17, 2017, 12:52:40 PM
to Google Cloud Endpoints
hi,

I am building a Firebase app using endpoints 2.0 (register, login, refresh) based off the echo example. The Java class has annotations for both ApiIssuer and apiKeyRequired:

    @Api(
        name = "account",
        version = "v1",
        title = "Account API",
        description = "Account Central API for managing user registration and authentication",
        namespace = @ApiNamespace(ownerDomain = "******.com", ownerName = "****** Inc.", packagePath = ""),
        issuers = {
            @ApiIssuer(name = "firebase", issuer = "https://securetoken.google.com/******", jwksUri = "https://www.googleapis.com/robot/v1/metadata/x509/secur...@system.gserviceaccount.com") },
        issuerAudiences = {
            @ApiIssuerAudience(name = "firebase", audiences = { "******" }) },
        apiKeyRequired = AnnotationBoolean.TRUE)



If it only has apiKeyRequired, then the openapi.json has api_key present, and I've verified that this works by itself:

    "security": [
     {
      "api_key": [ ]
     }
    ],


If it only has @ApiIssuer, then the openapi.json has firebase and x-security present, and I've verified that this works by itself:

    "security": [
     {
      "firebase": [ ]
     }
    ],
    "x-security": [
     {
      "firebase": {
       "audiences": [
        "****"
       ]
      }
     }
    ]

With both annotations, it's a combination of the two, but the highlight seems to be incorrect json.

    "security": [
     {
      "firebase": [ ]
     },
     {
      "api_key": [ ]
     }
    ],
    "x-security": [
     {
      "firebase": {
       "audiences": [
        "****"
       ]
      }
     }
    ]


When I deploy the openapi.json, I get errors:

WARNING: openapi.json: Operation 'post' in path '/account/v1/change_password': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.


In a previous post about apikey and gwt for python in April, there is a reference to this json format:

    "security": [
     {
      "api_key": [],
      "google_jwt": []
     }
    ],


I modified my json by getting rid of the extra enclosures, and now I have both firebase oauth and api_key security schemes:

    "security": [
     {
      "firebase": [ ],
      "api_key": [ ]
     }
    ],
    "x-security": [
     {
      "firebase": {
       "audiences": [
        "****"
       ]
      }
     }
    ]


This appears to be a bug in the openapi.json generation using endpoints framework 2.0.7. We are building in Java with com.google.api.server.spi.tools.EndpointsTool.


sincerely,

walterh

D. T.

May 19, 2017, 5:55:44 PM
to Google Cloud Endpoints
Walter, why is that incorrect JSON? I think if you paste it into a JSON validator, it will show that it's valid. The spec is generated using a JSON framework, it's not manually printed, so it's highly unlikely to be invalid.



klimaszew...@gmail.com

Aug 3, 2017, 2:56:50 PM
to Google Cloud Endpoints
Thanks for this tip. I've encountered the same issue using the gradle plugin. I'm surprised to see such a bug in a Google product.



ad...@organizer.com

Dec 6, 2017, 7:08:48 PM
to Google Cloud Endpoints
Daniel, it may be valid, but it doesn't give correct results. When I have both Firebase and ApiKey annotations as Walter does, I get the warning and I can access my endpoint without providing an API key. If I modify the openapi.json as Walter did and deploy, the API key is required as expected. This is clearly a bug in how the json is generated.

Thanks,
Adam
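
A pre-deploy check for the condition discussed in this thread, as an added example that is not part of any post or of the Endpoints tooling: in OpenAPI 2.0 the entries of a `security` list are alternatives, while the schemes named inside one entry are all required, so it flags any operation where some alternative has no `apiKey`-type scheme. The sample spec is constructed (its `securityDefinitions` block is an assumption, since the thread does not show it), and `operations_missing_api_key` and `require_all` are hypothetical helper names.

```python
import json

# Constructed sample modelled on the generated spec quoted in the thread;
# the securityDefinitions block is an assumption (the thread does not show it).
GENERATED = json.loads("""
{
  "securityDefinitions": {
    "api_key": {"type": "apiKey", "name": "key", "in": "query"},
    "firebase": {"type": "oauth2", "flow": "implicit", "authorizationUrl": ""}
  },
  "paths": {
    "/account/v1/change_password": {
      "post": {"security": [{"firebase": []}, {"api_key": []}]}
    }
  }
}
""")

METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def operations_missing_api_key(spec):
    """Return (path, method) pairs where some alternative lacks an apiKey scheme."""
    key_schemes = {name for name, d in spec.get("securityDefinitions", {}).items()
                   if d.get("type") == "apiKey"}
    missing = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            # Operation-level security overrides the top-level default.
            reqs = op.get("security", spec.get("security", []))
            # List entries are alternatives (OR); names inside one entry are ANDed.
            if not reqs or any(not (key_schemes & set(r)) for r in reqs):
                missing.append((path, method))
    return missing


def require_all(spec):
    """Collapse each operation's alternatives into one AND requirement (the manual fix)."""
    for item in spec.get("paths", {}).values():
        for method, op in item.items():
            if method in METHODS and "security" in op:
                merged = {}
                for r in op["security"]:
                    merged.update(r)
                op["security"] = [merged]
    return spec
```

`require_all` is only appropriate when every listed scheme is meant to be mandatory, as in this thread; a spec that intentionally offers alternative schemes should not be merged this way.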

D. T.

Dec 6, 2017, 7:16:16 PM
to ad...@organizer.com, Google Cloud Endpoints
Yes, I can see that I misread the original email. We are aware of the issue now. https://github.com/cloudendpoints/endpoints-java/issues/115

Daniel Tang | Software Engineer | ta...@google.com | Google Inc


