Audience not allowed


ma...@stakable.com

Nov 8, 2017, 4:35:18 AM
to Google Cloud Endpoints
I'm running into the following when attempting to authenticate with Firebase:

{
  "code": 7,
  "message": "JWT validation failed: Audience not allowed",
  "details": [
    {
      "stackEntries": [],
      "detail": "auth"
    }
  ]
}

openapi.json:

{
    "swagger": "2.0",
    "info": {
        "title": "My API",
        "version": "v1.0.0"
    },
    "host": "my-api.appspot.com",
    "consumes": [
        "application/json"
    ],
    "produces": [
        "application/json"
    ],
    "schemes": [
        "https"
    ],
    "securityDefinitions": {
        "api_key": {
            "type": "apiKey",
            "name": "api_key",
            "in": "header"
        },
        "firebase": {
            "authorizationUrl": "",
            "flow": "implicit",
            "type": "oauth2",
            "x-google-issuer": "https://securetoken.google.com/my-api",
            "x-google-audiences:": "my-api.appspot.com"
        }
    },
    "security": [{
        "firebase": []
    }],
    "basePath": "/1",
    "paths": {
        "/{userParam}/user/object": {
            "get": {
                "summary": "Object Definition",
                "description": "",
                "operationId": "cfd8dab4-7245-441a-8324-fc0466ed2af4",
                "parameters": [{
                        "type": "string",
                        "name": "userParam",
                        "required": true,
                        "in": "path"
                    },
                    {
                        "type": "string",
                        "default": "user",
                        "name": "dataClass",
                        "required": false,
                        "in": "header"
                    },
                    {
                        "type": "string",
                        "default": "UserAccounts",
                        "name": "keys",
                        "required": false,
                        "in": "query"
                    },
                    {
                        "type": "string",
                        "default": "true",
                        "name": "showDefaults",
                        "required": false,
                        "in": "query"
                    }
                ],
                "responses": {
                    "default": {
                        "description": ""
                    }
                }
            }
        }
    },
    "tags": []
}

JWT returned from firebase and passed in Authorisation header to endpoint:

{
  "name": "xxx",
  "picture": "xxx",
  "aud": "my-api",
  "auth_time": 1510076147,
  "user_id": "xxx",
  "sub": "xxx",
  "iat": 1510131725,
  "exp": 1510135325,
  "email": "xxx",
  "email_verified": true,
  "firebase": {
    "identities": {
      "google.com": [
        "xxx"
      ],
      "email": [
        "xxx"
      ]
    },
    "sign_in_provider": "google.com"
  }
}

api.yaml:

runtime: php
env: flex

runtime_config:
  document_root: public
  nginx_conf_include: api.nginx-app.conf

[...]

endpoints_api_service:
  config_id: 2017-11-08r1

My understanding was that "aud": "my-api" is an exact match here and x-google-audiences isn't even required. Out or in, requests still fail. Can anyone point me in the right direction?

Thanks

limi...@google.com

Nov 8, 2017, 8:26:53 PM
to Google Cloud Endpoints
Hi, the "aud" claim in the JWT is "my-api", but the auth requirements in the openapi say the audience should be "my-api.appspot.com". They do not match. Hence, you see the error. To fix the problem, you need to change the "aud" claim in the JWT to be "my-api.appspot.com".
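The audience check described in the question and the reply, as an added example (not code from the thread or from Google's ESP). It re-creates the rule in plain Python: the accepted audiences are the comma-separated x-google-audiences list if that key is present, otherwise only the service name (the spec's host), and a token whose aud does not intersect that set is rejected with the error shown above. It also lints the spec for extension keys that are almost right, because the posted file spells the key "x-google-audiences:" with a trailing colon inside the quotes, which a parser does not recognise. The "iss" claim in the token and the reason strings other than "Audience not allowed" are assumptions.

```python
import copy
import re
# Constructed from the thread: the relevant part of the asker's openapi.json,
# keeping the stray ':' in the x-google-audiences key exactly as posted, and the
# decoded Firebase ID token. The "iss" claim is assumed; the post did not show it.
OPENAPI = {
    "host": "my-api.appspot.com",
    "securityDefinitions": {
        "firebase": {
            "type": "oauth2", "flow": "implicit", "authorizationUrl": "",
            "x-google-issuer": "https://securetoken.google.com/my-api",
            "x-google-audiences:": "my-api.appspot.com",
        }
    },
}
JWT_CLAIMS = {"iss": "https://securetoken.google.com/my-api", "aud": "my-api",
              "sub": "xxx", "iat": 1510131725, "exp": 1510135325}

def allowed_audiences(spec, definition="firebase"):
    """Audiences ESP accepts: the comma-separated x-google-audiences list if present,
    otherwise only the service name (the spec's host). A key that is merely similar,
    such as the posted 'x-google-audiences:', is not recognised and falls through."""
    sec = spec["securityDefinitions"][definition]
    raw = sec.get("x-google-audiences", "")
    auds = {a.strip() for a in raw.split(",") if a.strip()}
    return auds or {spec["host"]}

def misspelled_extension_keys(spec, definition="firebase"):
    """Config lint: x-google-* keys that are not plain kebab-case extension names."""
    sec = spec["securityDefinitions"][definition]
    return [k for k in sec if k.startswith("x-google-") and not re.fullmatch(r"x-google-[a-z]+(-[a-z]+)*", k)]

def validate_claims(claims, spec, definition="firebase"):
    """Re-create the issuer and audience checks behind the error in the thread.
    Returns (ok, reason); only 'Audience not allowed' is the wording from the page."""
    sec = spec["securityDefinitions"][definition]
    if claims.get("iss") != sec["x-google-issuer"]:
        return False, "Issuer not allowed"
    aud = claims.get("aud")                      # RFC 7519 allows a string or a list
    token_auds = set(aud) if isinstance(aud, list) else {aud}
    if not token_auds & allowed_audiences(spec, definition):
        return False, "Audience not allowed"
    return True, "ok"

def declare_audience(spec, value, definition="firebase"):
    """Copy of the spec with the audience declared under the correctly spelled key."""
    fixed = copy.deepcopy(spec)
    sec = fixed["securityDefinitions"][definition]
    sec.pop("x-google-audiences:", None)
    sec["x-google-audiences"] = value
    return fixed
```

With the posted spec the token is rejected exactly as in the error above; it passes either when the token's aud equals the declared audience, as the reply says, or when the spec declares the token's aud under a correctly spelled x-google-audiences key.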
