Authentication examples for Endpoints v2

clement

May 18, 2016, 9:29:29 AM
to Google Cloud Endpoints
Hi,

I managed to deploy an App Engine Java app with Cloud Endpoints v2, and I'm now trying to add authentication.

On the Authentication page, there are references to some examples (/examples/client/gitkit, /examples/client/google) but no links to them.
The only valid link (https://cloud.google.com/examples/nodejs/bookstore/bookstore.js) is dead (404).

So where should I start?

PS: the link API Authorization with Secure Tokens at the bottom of the main Gitkit doc is dead (404), as well as the reference for the API.

Sunny Gupta

May 18, 2016, 2:13:34 PM
to Google Cloud Endpoints
We're checking on this now, and will post back ASAP.

clement

May 20, 2016, 6:36:26 AM
to Google Cloud Endpoints
Hi Sunny,

Anything new on this topic?

Rohit Nigam

May 20, 2016, 12:46:04 PM
to clement, Google Cloud Endpoints
I guess please check this link.

Rohit

Sunny Gupta

May 20, 2016, 1:09:32 PM
to Google Cloud Endpoints
Hi,

The fix for the documentation is underway and should be done either by EOD today or early next week. Sorry for the inconvenience.

-Sunny

clement

May 23, 2016, 5:34:24 AM
to Google Cloud Endpoints
Thanks Sunny, looks like the update went live during the weekend.
However, I'm still stuck with authentication, and I can't find any good documentation about how to use JWT with Swagger (except for this issue).

I tried this:
- Adding a definition to require an Authorization header => I'm getting a warning at deploy-time about only name=key/in=query apiKey security definition being authorized

  "securityDefinitions": {
    "jwt": {
      "type": "apiKey",
      "name": "Authorization",
      "in": "header"
    }
  },
  "security": [
    {
      "jwt": []
    }
  ]

- Passing the id_token generated by a Google OAuth2 token request as the "Authorization" header in my client requests => I don't get an X-Endpoint-API-UserInfo in the request forwarded to the server


So:
- What is the expected definition in my swagger file for authentication with JWT token to work?
- How should the JWT be passed in the client request?

A working example would be really welcome here.

Sunny Gupta

May 23, 2016, 4:37:21 PM
to Google Cloud Endpoints
Hi,

We are working on getting the documentation and samples available. We don't have an ETA yet. To unblock you, here are the working samples that you can use to enable the scenario you want:


Hope that helps.

clement

May 23, 2016, 5:35:34 PM
to Google Cloud Endpoints
Thanks Sunny.

I don't have access to these pages with my account c...@altirnao.com (the one authorized for the alpha), I'm getting a 403.

Sunny Gupta

May 23, 2016, 5:37:37 PM
to Google Cloud Endpoints, Martin Maly

Martin Maly

May 23, 2016, 8:43:44 PM
to clement, Google Cloud Endpoints
Hello,

the access issue should be resolved now. Sorry about the delay.

Martin

clement

May 30, 2016, 10:25:40 AM
to Google Cloud Endpoints, cle...@altirnao.com
Thanks a lot, these examples are a big step forward!

Sadly, it still does not work as expected: I'm always getting this error when submitting a request with a valid JWT token:
{
  "error": {
    "code": 401,
    "status": 16,
    "message": "JWT validation failed: Issuer not allowed",
    "details": []
  }
}

I checked the JWT token (both with https://jwt.io/ and https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=<mytoken>), it is valid and issued to a client id listed in my swagger file under x-security/google_id_token/audiences.
I also checked the private API is enabled for the project that owns the client id used to issue the token.
I tried to provide an empty list of audiences, and tried to get a token in different ways (Google Sign-In, OAuth2 Playground), still no luck.
There are no details in the Cloud Logging console about the reason why the request is rejected.

Is there something special with the client id I should use? How can I troubleshoot this?

Trey Kinkead

May 30, 2016, 11:57:45 AM
to clement, Google Cloud Endpoints

Do you have the appropriate issuer listed in your security definition? This is the entity that mints the token and needs to provide the public key certificate for validating the token.

Here’s an excerpt of the swagger.json that I used some time ago:

  "securityDefinitions": {
    "google_id_token": {
      "authorizationUrl": "",
      "flow": "implicit",
      "type": "oauth2",
      "x-issuer": "accounts.google.com",
      "x-jwks_uri": "https://www.googleapis.com/oauth2/v1/certs"
    }
  },
  "x-security" : [
    {
      "google_id_token": {
        "audiences": [
          "370695937422-rpbjb33n14p72l97te50vuop4rv6d2t7.apps.googleusercontent.com",
          "370695937422-k1ino0oimf5pgfbim957era1o1obocdf.apps.googleusercontent.com",
          "841077041629.apps.googleusercontent.com",
          "370695937422-8dv5ib343a5mkd4us1ossf358pfr3cl0.apps.googleusercontent.com"
        ]
      }
    }
  ]

If this doesn’t resolve it, perhaps post your swagger.json and we can take a look.

Cheers,
/trey

clement

May 31, 2016, 10:09:20 AM
to Google Cloud Endpoints, cle...@altirnao.com
Hi Trey,

My Swagger spec looks like yours. I also have key-based auth, but I tried without it and it does not work either.

Here is what the security part looks like:

  "schemes": [
    "https"
  ],
  "securityDefinitions": {
    "apiKey": {
      "type": "apiKey",
      "name": "key",
      "in": "query"
    },
    "google_id_token": {
      "authorizationUrl": "",
      "flow": "implicit",
      "type": "oauth2",

Any idea?

Trey Kinkead

May 31, 2016, 10:29:51 AM
to clement, Google Cloud Endpoints

Hi Clement,

Did you try x-issuer as “accounts.google.com” (no https:// prefix)? I suggest you decode your JWT (again) with the debugger (https://jwt.io/) to ensure that the issuer matches exactly. If it does, I suppose your next step would be to share both the JWT and swagger for others to take a look at.

Cheers,
/trey

clement

May 31, 2016, 10:47:36 AM
to Google Cloud Endpoints, cle...@altirnao.com
Nice catch, I did not even see it when comparing the two definitions... Works perfectly, thanks!!

So it means the swagger files in the example repo are wrong, they have the https:// prefix on the issuer.
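
The mismatch behind "JWT validation failed: Issuer not allowed" in this thread can be spotted offline by comparing the token's claims with the spec. The script below is an added example, not code from the thread or from Google; the helper names, the placeholder client ID and the sample token are constructed, and it only reports iss/aud discrepancies (it does not verify signatures or reproduce the proxy's validation).

```python
import base64
import json

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode a JWT's payload segment. No signature check: diagnosis only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def make_spec(issuer, audiences):
    """Constructed spec fragment shaped like the excerpt posted in the thread."""
    return {
        "securityDefinitions": {"google_id_token": {
            "type": "oauth2", "flow": "implicit", "authorizationUrl": "",
            "x-issuer": issuer,
            "x-jwks_uri": "https://www.googleapis.com/oauth2/v1/certs"}},
        "x-security": [{"google_id_token": {"audiences": audiences}}],
    }

def spec_mismatches(token, spec, scheme="google_id_token"):
    """List the ways the token's iss/aud differ from what the spec declares."""
    claims, problems = jwt_claims(token), []
    issuer = spec["securityDefinitions"][scheme].get("x-issuer")
    iss = claims.get("iss")
    if iss != issuer:  # exact string comparison, as in the thread's diagnosis
        bare = lambda s: (s or "").split("://", 1)[-1].rstrip("/")
        near = bare(iss) == bare(issuer)
        hint = " (differs only by URL scheme or trailing slash)" if near else ""
        problems.append(f"iss {iss!r} != x-issuer {issuer!r}{hint}")
    allowed = {a for req in spec.get("x-security", [])
               for a in req.get(scheme, {}).get("audiences", [])}
    aud = claims.get("aud")
    if not allowed.intersection(aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} not in x-security audiences")
    return problems

# Constructed sample token: placeholder client ID and signature, not a real credential.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url({"iss": "accounts.google.com", "aud": CLIENT_ID}),
                         "placeholder-signature"])

if __name__ == "__main__":
    for issuer in ("https://accounts.google.com", "accounts.google.com"):
        print(issuer, "->", spec_mismatches(SAMPLE_TOKEN, make_spec(issuer, [CLIENT_ID])) or "ok")
```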
