Apurva Nandan
Aug 19, 2016, 2:56:56 AM8/19/16
to Google App Engine
Hello everyone,
I was just trying out the task queue api and have a doubt on the authentication part. As I understand the queue will keep the tasks in it and will send at the rate defined by the user. My question is : If my task handler is secured in such a way that it requires an authentication token (in my case OAuth 2.0) and till the time it actually receives the task the token has already expired (while sitting idle in the queue and waiting to go out), how would you solve this issue?
I am relatively new to this API so I could be missing a few key points here but in any case, please feel free to pitch in your views and suggestions.
- Apurva
I was just trying out the task queue api and have a doubt on the authentication part. As I understand the queue will keep the tasks in it and will send at the rate defined by the user. My question is : If my task handler is secured in such a way that it requires an authentication token (in my case OAuth 2.0) and till the time it actually receives the task the token has already expired (while sitting idle in the queue and waiting to go out), how would you solve this issue?
I am relatively new to this API so I could be missing a few key points here but in any case, please feel free to pitch in your views and suggestions.
- Apurva
Adam (Cloud Platform Support)
Aug 21, 2016, 1:29:59 PM8/21/16
to Google App Engine
Are you using push queues or pull queues? Are you referring to the REST API or the App Engine API?
Evan Jones
Aug 22, 2016, 3:21:22 PM8/22/16
to Google App Engine
Our solution: in App Engine we "trust" the task queue header(s), since there are guarantees that it cannot be inserted by anything outside of app engine. We look for that header, and automatically consider the request authenticated. See the docs for the header names and details.
If you are using the REST API, maybe there is something similar that guarantees the request came from the Task Queues?
On Friday, August 19, 2016 at 2:56:56 AM UTC-4, Apurva Nandan wrote:
Nick
Aug 23, 2016, 6:19:44 PM8/23/16
to Google App Engine
The task queue can invoke admin secured urls when you use push, which would normally require IAM access. If you set it up like that (assuming you can trust your admins) all invocations can be trusted, regardless of headers etc.
Presumably in this case you'll still need to send a user identifier for context, but you can assume the operation was authorized by the call that queued the task.
Adam (Cloud Platform Support)
Aug 23, 2016, 6:53:01 PM8/23/16
to Google App Engine
To clarify the above, your task handler only gets called when it's time for the task to actually run, not when the task gets first placed in the queue, so there isn't a chance that you'll need to deal with an expired auth token.
If you're using push queues, it's sufficient to protect your task handler URL with 'login: admin' since push queues handlers live on and are issued by App Engine, which will always be able to authenticate. See 'Securing Task Handlers'.
If you have a pull queue, your task handler is either calling the Task Queue REST API every time it needs to lease a task which requires OAuth authentication, or you're doing it from within App Engine as well which uses the application credentials. See 'Using Pull Queues'.
Apurva Nandan
Aug 27, 2016, 10:11:58 AM8/27/16
to google-a...@googlegroups.com
Hello everyone,
Thanks for your insights and suggestions. However, I will explain my setup again as Queue queue = QueueFactory.getDefaultQueue();
queue.add(TaskOptions.Builder.withUrl("/api/tasks/indexLine").header("Authorization", token).param("linejson", linejson));
The task handler url is secured by using spring security framework by Oauth 2.0 tokens. Hence I pass an additional authorization header to the task for authentication. Now in case this oauth2.0 authorization token expires while sitting in the queue then whenever the task actually runs, the handler will return a 401 unauthorized error.
--
You received this message because you are subscribed to a topic in the Google Groups "Google App Engine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-appengine/FTbKR62589o/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/77248dbc-840b-419e-b68f-d96f6ba62d16%40googlegroups.com.
Adam (Cloud Platform Support)
Aug 27, 2016, 3:59:27 PM8/27/16
to Google App Engine
In your particular case no, there's no way to make the App Engine task queue retry a task with a different header if it fails.
I would recommend against using Spring Security framework to secure App Engine task handlers for this very reason, since App Engine already uses OAuth2.0 to secure the handler and using 'login: admin' will prevent anyone but App Engine and application administrators from accessing it.
On Saturday, August 27, 2016 at 10:11:58 AM UTC-4, Apurva Nandan wrote:
- ApurvaIs there anyway by which the task queue would check that the task got a 401 error and then it could ask for a refresh token and then call the handler with that token.I am using a push queue and app engine api to submit tasks to the default queue.Hello everyone,Thanks for your insights and suggestions. However, I will explain my setup again as
Queue queue = QueueFactory.getDefaultQueue();
queue.add(TaskOptions.Builder.withUrl("/api/tasks/indexLine").header("Authorization", token).param("linejson", linejson));
The task handler url is secured by using spring security framework by Oauth 2.0 tokens. Hence I pass an additional authorization header to the task for authentication. Now in case this oauth2.0 authorization token expires while sitting in the queue then whenever the task actually runs, the handler will return a 401 unauthorized error.
Reply all
Reply to author
Forward
0 new messages