Accessing pub/sub directly with JWT token


Dominic Pentony

Dec 16, 2020, 12:24:20 PM
to Google Cloud Pub/Sub Discussions
Hi

I have been reading this document https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth. Will this work with Pub/Sub? 

It says to look here to check which APIs are supported: https://github.com/googleapis/googleapis.

Found pubsub listed here. https://github.com/googleapis/googleapis/tree/master/google

But when I tried that, I got an error which makes no sense as API key is not supported by Pub/Sub.

{
  "error": {
    "code": 403,
    "message": "The request is missing a valid API key.",
    "status": "PERMISSION_DENIED"
  }
}

I am trying to use pub/sub to record impressions from a browser.

Thanks

Monica (Google Cloud Platform)

Dec 17, 2020, 3:32:21 PM
to Google Cloud Pub/Sub Discussions
Hello,

Yes, the JWT mechanism is used by Pub/Sub, see here the authentication documentation. You could also address this StackOverflow post that might address your use case or open a new one where you present what you have tried and present the full error to be resolved.  

Regarding the 403 error you get, please verify that you have a valid service account key JSON file in the location you stored and that the variable points to the correct place.


Dominic Pentony

Dec 21, 2020, 6:55:55 PM
to Google Cloud Pub/Sub Discussions
Hi Monica,

Thanks very much for the information. I worked out the 403 error. My mistake. I copied the string off a web page and left a space in the front. 

Dominic

Dominic Pentony

Dec 30, 2020, 8:19:51 PM
to Google Cloud Pub/Sub Discussions
Hi,

I have not been able to get the JWT mechanism to work.  Have been getting this error. 

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}

Response Header :

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="https://accounts.google.com/"
Vary: Origin
Vary: X-Origin
Vary: Referer
Content-Type: application/json; charset=UTF-8
Date: Thu, 31 Dec 2020 00:46:31 GMT
Server: ESF
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Transfer-Encoding: chunked

This is an example of the payload (header and claim set).

{"kid":"7c1~645","typ":"JWT","alg":"RS256"}.
{
"sub":"ad~ery@cm-~.iam.gserviceaccount.com",
"iss":"ad~ery@cm-~.iam.gserviceaccount.com",
"exp":1609379189,
"iat":1609375589
}. (above data signed with private key)


So I have reverted to the Access token method. Not a big issue but would have been good to get the JWT mechanism to work.  I will continue to try the JWT mechanism in my own time but for my work project, I will be using the access token method.  

Dominic

Joaquim Suazo

Jan 4, 2021, 7:09:08 AM
to Google Cloud Pub/Sub Discussions
Hi, 
Google Groups are reserved for general product discussion, StackOverflow for technical questions whereas Issue Tracker for product issues (unexpected behaviors) and feature requests. 

As this is quite a technical question I would recommend using the StackOverflow channel; the scope of the questions reaches a greater tech community so they are likely to be answered faster.

Please read the Community Support article [1] for better understanding.

-------------------------------------------

[1] https://cloud.google.com/support/docs/community 

Kir Titievsky

Jan 27, 2021, 1:51:35 PM
to Dominic Pentony, Google Cloud Pub/Sub Discussions
Dominic, Sorry about the confusion.  API Key authentication is not supported by the Pub/Sub API. See: https://cloud.google.com/pubsub/docs/authentication


--
Kir Titievsky | Product Manager | Google Cloud Pub/Sub 

Kir Titievsky

Jan 27, 2021, 1:52:34 PM
to Dominic Pentony, Google Cloud Pub/Sub Discussions
Reading your response I wonder if we misunderstood the question. Mind sharing which API call you were trying to make and how you've succeeded?

sal rashid

Dec 20, 2021, 12:24:17 PM
to pubsub-discuss
fwiw, for jwt_access_tokens, the audience needs to get set to the service name itself.
i.e., the audience needs to be the service, not the scope


here's an example with pubsub from sometime ago
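
An added example, not part of any post in this thread: a stdlib-only Python check of a self-signed JWT's header and claim set against the fields described in the service-account JWT document linked in the first post, run on a constructed token shaped like the one posted above (no aud claim). The audience value https://pubsub.googleapis.com/ is an assumption following that document's https://SERVICE.googleapis.com/ pattern; the service account email, key id and signature segment are placeholders.

```python
import base64
import json

MAX_LIFETIME = 3600  # seconds: self-signed JWTs may live at most one hour

def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def split_jwt(token: str):
    """Decode header and claim set of a compact JWT (signature NOT verified)."""
    head, body, _sig = token.strip().split(".")
    pad = lambda s: s + "=" * (-len(s) % 4)
    return (json.loads(base64.urlsafe_b64decode(pad(head))),
            json.loads(base64.urlsafe_b64decode(pad(body))))

def check_claims(header, claims, expected_aud, now):
    """List the ways the token departs from the documented self-signed JWT shape."""
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg must be RS256")
    if not header.get("kid"):
        problems.append("kid (private key id) missing from header")
    for name in ("iss", "sub", "aud", "iat", "exp"):
        if name not in claims:
            problems.append(f"{name} claim missing")
    if claims.get("iss") != claims.get("sub"):
        problems.append("iss and sub must both be the service account email")
    if "aud" in claims and claims["aud"] != expected_aud:
        problems.append(f"aud {claims['aud']!r} is not {expected_aud!r}")
    if "iat" in claims and "exp" in claims:
        if claims["exp"] - claims["iat"] > MAX_LIFETIME:
            problems.append("lifetime exceeds one hour")
        if not claims["iat"] <= now < claims["exp"]:
            problems.append("token not valid at request time")
    return problems

# Constructed sample shaped like the posted token: placeholders, no aud claim.
SA = "sa-name@project-id.iam.gserviceaccount.com"   # placeholder email
AUD = "https://pubsub.googleapis.com/"              # assumed audience value
HEADER = {"kid": "placeholder-key-id", "typ": "JWT", "alg": "RS256"}
CLAIMS = {"sub": SA, "iss": SA, "exp": 1609379189, "iat": 1609375589}
NOW = 1609375591  # Thu, 31 Dec 2020 00:46:31 GMT, the Date of the 401 response

def sample_token(claims):
    return ".".join([_b64url(HEADER), _b64url(claims), "c2lnbmF0dXJl"])

if __name__ == "__main__":
    for c in (CLAIMS, {**CLAIMS, "aud": AUD}):
        print(check_claims(*split_jwt(sample_token(c)), AUD, NOW) or "ok")
```

The token in the 401 report was inside its validity window at the time of the response, so the missing audience is the only thing this check reports for it.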
