App Engine Standard - JWT Not passing through


Robert Coe

Aug 2, 2019, 12:32:53 PM8/2/19
to Google Cloud Endpoints
Hi,

I've followed the steps on this part of the documentation


I have 2 app engine standard instances and 1 flexible, all set up with IAP enabled. I'm using Auth0 for my authorization, and I would like for the JWT to pass through Endpoints to each one of my applications because there is important user-specific information in the JWT.

Once I try to use endpoints, however, any request sent through the gateway gets the Authorization header either removed or replaced, as each application complains that the JWT is invalid. I'm guessing that this is the JWT from IAP rather than the original Auth0 Authorization header originally passed, since the audience we use for x-google-backend is the IAP client ID, rather than the Auth0 API ID as specified in this documentation:


The ESP documentation states, in multiple places:

"ESP forwards all headers it receives, including the original authorization header, to the API". 


However, I'm finding this to be flat-out WRONG in my case, which is incredibly frustrating. Can anyone help explain what's going on and suggest any solutions? 

Thanks

qiwz...@google.com

Aug 8, 2019, 8:37:03 PM8/8/19
to Google Cloud Endpoints
ESP checks the IAP JWT first. If present, it tries to verify it. You need to set up your service config for ESP to verify the IAP JWT. ESP only verifies one JWT. Only a successfully verified JWT will be passed to your backend service. The JWT will be forwarded in the header too.

Thanks

-Wayne

jer...@factoryfix.com

Sep 26, 2019, 2:01:49 PM9/26/19
to Google Cloud Endpoints
I am having the same issue with ESP on Cloud Run in front of an API service, also on Cloud Run. ESP is not passing the JWT from the incoming request to the API service. It is sending a completely different JWT in the Authorization header. Am I missing something in the ESP config? Is there a way to tell it not to mangle the Authorization header?

Wayne Zhang

Sep 26, 2019, 2:59:15 PM9/26/19
to Google Cloud Endpoints
ESP doesn't manipulate authorization headers. If JWT verification is configured in your OpenAPI config, then it will try to find a JWT to verify, and pass the payload to the backend in a new header. It never removes any headers. Here is the doc: https://cloud.google.com/endpoints/docs/openapi/authenticating-users-firebase
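As an added illustration of the behaviour Wayne describes (example code, not from the thread or from ESP itself): a backend helper that reads the claims ESP forwards in the `X-Endpoint-API-UserInfo` header after it has verified a token, rejects claims from any issuer other than the configured Auth0 tenant (the issuer URL below is a placeholder), and a diagnostic that reports which bearer token actually arrived in `Authorization`. Sample tokens used with it are constructed, not real IAP or Auth0 tokens.

```python
import base64
import json
from typing import Mapping

# Header ESP adds once it has verified a JWT; the value is the token's claims as
# base64url-encoded JSON (documented Cloud Endpoints behaviour).
USERINFO_HEADER = "x-endpoint-api-userinfo"
# Assumption: the Auth0 issuer configured in the OpenAPI securityDefinitions (placeholder).
EXPECTED_ISSUER = "https://example-tenant.auth0.com/"


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url whose '=' padding may have been stripped (as in JWT segments)."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_claims(claims: dict) -> str:
    """Unpadded base64url JSON, the format of JWT segments and of ESP's header."""
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")


def peek_jwt_claims(token: str) -> dict:
    """Payload of a JWT with NO signature check: only for telling IAP's token from
    the original Auth0 one, never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def user_info_from_headers(headers: Mapping[str, str]) -> dict:
    """Trust only claims ESP forwarded after verifying, and only from our issuer."""
    lower = {k.lower(): v for k, v in headers.items()}
    raw = lower.get(USERINFO_HEADER)
    if raw is None:
        raise PermissionError("ESP did not verify a JWT for this request")
    claims = json.loads(_b64url_decode(raw))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError(f"unexpected issuer {claims.get('iss')!r}")
    return claims


def diagnose(headers: Mapping[str, str]) -> str:
    """Report which bearer token the backend really got and whether ESP verified one."""
    lower = {k.lower(): v for k, v in headers.items()}
    auth = lower.get("authorization", "")
    issuer = peek_jwt_claims(auth[7:]).get("iss") if auth.startswith("Bearer ") else None
    state = "esp-verified" if USERINFO_HEADER in lower else "unverified"
    return f"{state}; bearer issuer={issuer}"
```

If `diagnose` reports an issuer that is not your Auth0 tenant, the bearer token reaching the backend is the one ESP or IAP minted, so the application must read the original claims from the forwarded header rather than from `Authorization`.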