Use Firebase authentication as well as retain the Authorization header


RmR

Feb 13, 2020, 8:01:11 AM
to Google Cloud Endpoints
Hello:

From the documentation (as I understand it), by default Google Endpoints will change the Authorization header when forwarding the request to the desired server/function, and we can disable this automatic token override by setting `disable_auth` under `x-google-backend` in the YAML spec. This, however, will disable Firebase user authentication, correct?

What if one requires both?

Suppose one makes a request to the server using the token and, if it is valid, passes the token on to the backend function so that it can be decoded to extract, say, the customer id, which is required for processing. How does one accomplish that? Thanks

qiwz...@google.com

Feb 13, 2020, 12:00:16 PM
to Google Cloud Endpoints
"disable_auth" in the x-google-backend refers to ESP sending an ID token to the backend in the Authorization header. This is to secure the backend so that only ESP is allowed to call it, using IAM.
But if your backend has its own way of protecting itself, e.g. using JWT, then you don't need this feature. You can set up your backend to allow allUsers to call it and set "disable_auth" to true. This way, ESP will preserve the "Authorization" header and will not overwrite it with the ID token.

Yes, for now you cannot have both: sending the ID token so the backend can use IAM, and also preserving your original Authorization header, since ESP needs to use the same header to send the ID token.

Thanks

-Wayne



Teju Nareddy

Feb 13, 2020, 12:04:46 PM
to Google Cloud Endpoints
To add on to Wayne's answer:

If you set `disable_auth` to true, ESPv2 will still perform Firebase Auth on the JWT token. `disable_auth` only changes how ESPv2 authenticates to the backend service; it does not change the behavior that clients of ESPv2 see.

Teju Nareddy

Feb 13, 2020, 2:38:19 PM
to Google Cloud Endpoints
Hi RmR,

I re-read your question. For your use case, you actually don't want to set `disable_auth` to true. Keep it as false; then you can still keep your backend authenticated.

ESPv2 will parse the JWT token, verify it, and write the payload to the `X-Endpoint-API-UserInfo` header. Your backend can read this header to get the payload. https://cloud.google.com/endpoints/docs/openapi/migrate-to-esp-v2#handle-jwt

RmR

Feb 13, 2020, 9:43:56 PM
to Google Cloud Endpoints
Thanks once again @Teju Nareddy and @Wayne. The `X-Endpoint-API-UserInfo` header should do the trick. I am new to Endpoints and this is my first implementation, hence I have some basic questions to ask this group. Many thanks.

RmR

Feb 14, 2020, 12:28:08 AM
to Google Cloud Endpoints
I did try to access the `X-Endpoint-API-UserInfo` header and decode it (in Python, in my case) using `base64.b64decode(user_info)`. This gives an `Incorrect padding` error.

I am accessing the user info via `request.headers['X-Endpoint-API-UserInfo']`.

Also, I notice that the user_info string is something like `eyJpc3.....X0`. That is, it does not end with a `=`.

~RmR

Xuyang(Jason) Tao

Feb 14, 2020, 12:41:55 AM
to RmR, Google Cloud Endpoints
Hi RmR, 

It should be OK to parse it as base64 with NoPadding; here is what we tested in Go:

    `base64.StdEncoding.WithPadding(base64.NoPadding).DecodeString(encodedInfo)`


--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/9cdc8605-5d87-4279-850c-0e4001a290bd%40googlegroups.com.


--
Xuyang(Jason) Tao
tao...@google.com
Service Infrastructure
Software Engineer

RmR

Feb 14, 2020, 1:03:21 AM
to Google Cloud Endpoints
Padding it with two `==` works. The Python code is as follows:

    import base64

    # Use .get() so a missing header yields None instead of a KeyError
    user_info = request.headers.get('X-Endpoint-API-UserInfo')
    if user_info:
        # ESPv2 strips the base64 padding, so add it back before decoding
        data = base64.b64decode(user_info + '==')  # padded it with two =


Xuyang(Jason) Tao

Feb 14, 2020, 1:04:54 AM
to RmR, Google Cloud Endpoints
Hi RmR,

Good to know!



Teju Nareddy

Feb 14, 2020, 10:40:08 AM
to Google Cloud Endpoints
You may find this useful to ensure your code works against all tokens: https://stackoverflow.com/a/9807138/4402434
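Added example (editor's code, not posted by any participant in this thread): a backend-side decoder for `X-Endpoint-API-UserInfo` that works for every token, not only those that happen to need two `=`. It assumes what the thread describes, that the header carries the verified JWT payload as base64-encoded JSON with the trailing padding stripped; the sample claims, the header-encoding helper and all function names are constructed for illustration and are not ESPv2 code.

```python
import base64
import binascii
import json

# Constructed sample claims shaped like a Firebase ID token payload (not real data).
SAMPLE_CLAIMS = {
    "iss": "https://securetoken.google.com/example-project",
    "aud": "example-project",
    "sub": "uid-12345",
    "user_id": "uid-12345",
    "email": "user@example.com",
    "exp": 1581640000,
}

USERINFO_HEADER = "X-Endpoint-API-UserInfo"


def encode_user_info(claims):
    """Build a header value like the one seen in the thread: base64 of the JSON
    payload with the trailing '=' padding removed (hence values ending in 'X0').
    Assumption for the example; ESPv2 produces the real header."""
    raw = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def naive_decode_fails(value):
    """Reproduce the original problem: base64.b64decode() insists on padding and
    raises binascii.Error('Incorrect padding') for unpadded values whose
    length is not a multiple of 4."""
    try:
        base64.b64decode(value)
        return False
    except binascii.Error:
        return True


def decode_user_info(value):
    """Decode the header whether or not padding is present.

    A base64 string's length must be a multiple of 4, and (-len) % 4 is exactly
    the number of '=' characters that were stripped (0, 1 or 2), so this handles
    every token rather than only those that need two '='. urlsafe_b64decode
    also accepts the standard '+' '/' alphabet, so both encodings decode.
    """
    if not value:
        return None
    padded = value + "=" * (-len(value) % 4)
    return json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))


def user_id_from_headers(headers):
    """Extract the Firebase uid for the backend's own processing.

    Trust caveat: the backend may only believe this header when ESPv2 is its
    sole caller (disable_auth left false, backend locked down with IAM). If the
    backend is reachable directly, any client can simply forge the header.
    """
    claims = decode_user_info(headers.get(USERINFO_HEADER))
    if not claims:
        return None
    # Firebase places the uid in 'sub' (mirrored in 'user_id').
    return claims.get("sub") or claims.get("user_id")


if __name__ == "__main__":
    header = encode_user_info(SAMPLE_CLAIMS)
    print("header value:", header)
    print("naive b64decode fails:", naive_decode_fails(header))
    print("uid:", user_id_from_headers({USERINFO_HEADER: header}))
```

The `"=" * (-len(value) % 4)` expression is the general form of the two-`=` fix from earlier in the thread: a payload whose length is a multiple of 3 needs no padding, one byte over needs two, two bytes over needs one, and the modular arithmetic covers all three cases without special-casing.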