Endpoints for App Engine standard environment with ESPv2 || Firewall auth issue
738 views
Skip to first unread message
Ankit Dwivedi
Nov 19, 2020, 4:14:46 PM11/19/20
to Google Cloud Endpoints
Hi ,
I am new to the GCP and trying to implement Endpoints for App Engine standard environment with ESPv2. everything is going well until I am not starting using Firebase auth or oauth for security, facing issue - 401 b'{"message":"Jwt issuer is not configured","code":401}\n'.
I am attaching my yaml file and client python file , please help me to trace and resolve this error.
I am following the documentation -
Please help to resolve.
Ankit Dwivedi
Nov 19, 2020, 4:17:22 PM11/19/20
to Google Cloud Endpoints
Yaml -
security:
- firebase: []
securityDefinitions:
firebase:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
# Replace YOUR-PROJECT-ID with your project ID
x-google-issuer: "https://securetoken.google.com/deyes-295406"
x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/secur...@system.gserviceaccount.com"
x-google-audiences: "deyes-295406"
Python -
keyfile_jwt = generate_jwt("C:\\Users\\admin\\Downloads\\python-docs-samples-master\\appengine\\standard_python3\\hello_world\\key.json",
3600)
print(keyfile_jwt)
make_jwt_request(keyfile_jwt, "https://deyes-dq5rvo4msq-el.a.run.app")
Kindly help me to understand how to resolve.
Wayne Zhang
Nov 19, 2020, 5:44:36 PM11/19/20
to Ankit Dwivedi, Google Cloud Endpoints
The error implies that "iss" in the JWT token is not specified in your endpoint service config. In your config, it is specified in the "x-google-issuer" field which is "https://securetoken.google.com/deyes-295406".
I am not sure what "iss" field is in your JWT. You can paste your JWT to jwt.io to check its payload.
-Wayne
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/23b70999-2d43-406f-b353-3f5e6fb77861n%40googlegroups.com.
Ankit Dwivedi
Nov 19, 2020, 11:37:27 PM11/19/20
to Google Cloud Endpoints
Hi Sorry but really I am very confused, I tried a lot of options but did't get success as of now.
![]()
![]()
.yaml file -
swagger: '2.0'
info:
title: Cloud Endpoints + App Engine
description: Sample API on Cloud Endpoints with an App Engine backend
version: 1.0.0
schemes:
- https
produces:
- application/json
x-google-backend:
protocol: h2
paths:
/:
get:
summary: Greet a user
operationId: hello
responses:
'200':
description: A successful response
schema:
type: string
security:
- firebase: []
securityDefinitions:
firebase:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
# Replace YOUR-PROJECT-ID with your project ID
x-google-issuer: "https://securetoken.google.com/deyes-295406"
x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/secur...@system.gserviceaccount.com"
x-google-audiences: "deyes-295406"
Python client to generate and access token and api -
#!/usr/bin/env python
# Copyright 2016 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Example of calling a Google Cloud Endpoint API with a JWT signed by
a Google API Service Account."""
import argparse
import time
import google.auth.crypt
import google.auth.jwt
import requests
# [START endpoints_generate_jwt_sa]
def generate_jwt(sa_keyfile,
sa_email,
audience,
expiry_length):
"""Generates a signed JSON Web Token using a Google API Service Account."""
now = int(time.time())
# build payload
payload = {
'iat': now,
# expires after 'expiry_length' seconds.
"exp": now + expiry_length,
# iss must match 'issuer' in the security configuration in your
# swagger spec (e.g. service account email). It can be any string.
'iss': sa_email,
# aud must be either your Endpoints service name, or match the value
# specified as the 'x-google-audience' in the OpenAPI document.
'aud': audience,
# sub and email should match the service account's email address
'sub': sa_email,
'email': sa_email
}
# sign with keyfile
signer = google.auth.crypt.RSASigner.from_service_account_file(sa_keyfile)
jwt = google.auth.jwt.encode(signer, payload)
return jwt
# [END endpoints_generate_jwt_sa]
# [START endpoints_jwt_request]
def make_jwt_request(signed_jwt, url):
"""Makes an authorized request to the endpoint"""
headers = {
'Authorization': 'Bearer {}'.format(signed_jwt.decode('utf-8')),
'content-type': 'application/json'
}
response = requests.get(url, headers=headers)
print(response.status_code, response.content)
response.raise_for_status()
# [END endpoints_jwt_request]
if __name__ == '__main__':
keyfile_jwt = generate_jwt("C:\\Users\\admin\\Downloads\\python-docs-samples-master\\appengine\\standard_python3\\hello_world\\pkey.json",
"deyes-295406",
Error - 401 b'{"message":"Jwt issuer is not configured","code":401}\n'
and when I am converting SA Email from firebase-ad...@deyes-295406.iam.gserviceaccount.com to https://securetoken.google.com/deyes-295406
Error is - 401 b'{"message":"Jwks doesn\'t have key to match kid or alg from Jwt","code":401}\
Please advise what wrong I am doing.
Wayne Zhang
Nov 20, 2020, 12:46:58 AM11/20/20
to Ankit Dwivedi, Google Cloud Endpoints
It seems that you want to use a service account to generate JWT tokens. If so, your endpoint service config is wrong. You should follow this instruction.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/19d98324-a710-487f-a41b-b0df7afc605cn%40googlegroups.com.
Ankit Dwivedi
Nov 20, 2020, 4:18:06 AM11/20/20
to Google Cloud Endpoints
Thanks The Issue has been resolved.
Ankit Dwivedi
Nov 20, 2020, 4:23:52 AM11/20/20
to Google Cloud Endpoints
I am facing issue when trying to hit API from developer portal
I have done a setup of Endpoints for App Engine standard environment with ESPv2.
everything is working fine. but when trying to hit api from developer portal I am facing issue.
{
"code": 401,
"message": "Jwks doesn't have key to match kid or alg from Jwt"
}
I have given details is settings.
Google API key - XXXXXXXXXXx
Firebase auth domain - deyes-295406.firebaseapp.com
Ankit Dwivedi
Nov 20, 2020, 9:26:22 AM11/20/20
to Google Cloud Endpoints
Hi Sir,
This is the issue I am facing while testing api from endpoint Developer portal -
"message": "Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections",
Can you please help me into this.
if I am hitting api from outside its working fine.
Ankit Dwivedi
Nov 20, 2020, 9:31:38 AM11/20/20
to Google Cloud Endpoints
if selecting ID Token error is - "message": "Jwks doesn't have key to match kid or alg from Jwt"
if selecting Access Token -
"message": "Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections",
Wayne Zhang
Nov 20, 2020, 12:49:06 PM11/20/20
to Ankit Dwivedi, Alan Peters, Google Cloud Endpoints
This is the issue for our Developer Portal. How did you specify JWT in the portal? Does the portal generate its own JWT?
I added alanpeters@ here to help.
-Wayne
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/14bc6846-f25b-4c61-a9bd-d05220bc06ebn%40googlegroups.com.
Ankit Dwivedi
Nov 20, 2020, 11:15:56 PM11/20/20
to Google Cloud Endpoints
Hi ,
I am using firebase auth for my api and defined like below in openapi-appengine.yaml.
security:
- firebase: []
securityDefinitions:
firebase:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
# Replace YOUR-PROJECT-ID with your project ID
x-google-issuer: "https://securetoken.google.com/deyes-295406"
x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-61fuh%40deyes-295406.iam.gserviceaccount.com"
x-google-audiences: "deyes-295406"
and when using python client to hit api that details are given below-
keyfile_jwt = generate_jwt("C:\\Users\\admin\\Downloads\\python-docs-samples-master\\appengine\\standard_python3\\hello_world\\pkey.json",
"deyes-295406",
3600)
print(keyfile_jwt)
make_jwt_request(keyfile_jwt, "https://deyes-dq5rvo4msq-el.a.run.app")
till to this point everything is running fine and I am able to get response when hitting my api.
But when I am checking in developer portal where my configuration is given below, facing issue.
api key - *************************
firebase auth domain - deyes-295406.firebaseapp.com
token Type - id token
error - {
"message": "Jwks doesn't have key to match kid or alg from Jwt",
"code": 401
}
token type - access token
error - {
"code": 401,
"message": "Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections"
}
not able to understand why this issue is coming because I am trying to follow the documentation only but definitely something wrong I am dong.
Kindly help me to resolve this issue, I am stuck with this from a long time.
Ankit Dwivedi
Nov 21, 2020, 1:34:30 AM11/21/20
to Google Cloud Endpoints
Hi,
Any solution on above issue, please advise.
Reply all
Reply to author
Forward
0 new messages