JWT token verification failure with cloud endpoint


Seun Ore

Feb 8, 2021, 11:30:00 AM
to Google Cloud Endpoints
Hi guys, I have a cloud endpoint service deployed on Google Cloud. I can access the backend API with API keys. However, I have a requirement to allow an external service or user to call the backend API via a JWT token, something like:

curl --request POST --header "Authorization: Bearer ${TOKEN}" "http://35.189.80.10:5001/app" .

I set up a token from the jwt.io website and with this token, I got an error: {"code":401,"message":"Jwt verification fails"}
{
  "aud": "https://api.endpoints.project-id.cloud.goog",
  "iss": "endpo...@project-id.iam.gserviceaccount.com",
  "sub": "endpo...@project-id.iam.gserviceaccount.com",
  "name": "seun ore",
  "iat": 202101032202,
  "exp": 202102032202
}

How can I solve this error?
How can I possibly build my own private JWT generation and validation so that I don't have to talk to backend or frontend developers to modify their code? I am a DevOps engineer.

The API is a Python app deployed on GKE.

Wayne Zhang

Feb 8, 2021, 12:45:18 PM
to Seun Ore, Google Cloud Endpoints
How did you specify your securityDefinition and requirements in the OpenAPI spec?

The error means the verification fails. Cloud Endpoints uses the public key fetched from `x-google-jwks_uri` to verify the JWT signature.

You can post the JWKS (public key) to jwt.io website to verify it yourself.

Thanks
-Wayne


Seun Ore

Feb 8, 2021, 2:53:48 PM
to Google Cloud Endpoints
This is how I defined the security requirements, security object and paths:

paths:
  "/app":
    get:
      description: "Echo back a given message."
      operationId: "get"
      produces:
      - "application/json"
      responses:
        200:
          description: "ms-api"
          schema:
            $ref: "#/definitions/echoMessage"
      parameters:
      - description: "Message to echo"
        in: body
        name: message
        required: true
        schema:
          $ref: "#/definitions/echoMessage"
      security:
      - service-to-service: []


  service-to-service:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "endpo...@project-id.iam.gserviceaccount.com"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/endpo...@project-id.iam.gserviceaccount.com"
    x-google-audiences: "https://api.endpoints.project-id.cloud.goog"


> You can post the JWKS (public key) to jwt.io website to verify it yourself.

I am not very sure how to go about this statement above.

Wayne Zhang

Feb 8, 2021, 3:02:25 PM
to Seun Ore, Google Cloud Endpoints
You can send me your JWT token privately; I can verify it to see if its signature is valid. If not, there is a bug in your code generating the JWT. If yes, the bug is in ESP.
Which ESP version do you have?
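
As an added example (not code from the thread or from ESP), this standard-library Python pre-check looks at a token's header and claims against the `x-google-issuer`, `x-google-audiences` and key ids discussed above, so those can be ruled out before the signature itself is debugged. It assumes an RS256 token signed with the service account key; `precheck`, `sample_token`, the HS256 sample header and the 5-minute skew are hypothetical choices, and no signature is verified.

```python
import base64
import json
import time

EXPECTED_ISS = "endpo...@project-id.iam.gserviceaccount.com"  # x-google-issuer as posted
EXPECTED_AUD = "https://api.endpoints.project-id.cloud.goog"  # x-google-audiences as posted

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def precheck(token, jwks_kids, now=None):
    """List header and claim problems to rule out before debugging the signature."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (header.payload.signature)"]
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if header.get("alg") != "RS256":  # assumption: service account RSA key, RS256
        problems.append("alg is %r, expected RS256" % header.get("alg"))
    kid = header.get("kid")
    if kid is not None and kid not in jwks_kids:
        problems.append("kid %r is not among the keys at the jwks_uri" % kid)
    if claims.get("iss") != EXPECTED_ISS:
        problems.append("iss does not match x-google-issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not match x-google-audiences")
    iat, exp = claims.get("iat"), claims.get("exp")  # NumericDate: seconds since epoch
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or already in the past")
    if isinstance(iat, (int, float)) and iat > now + 300:  # 5 min clock skew allowance
        problems.append("iat is in the future; NumericDate is seconds since the epoch")
    return problems

def sample_token(header, claims):
    """Constructed sample: encode header and claims with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "%s.%s.c2ln" % (enc(header), enc(claims))

# Constructed sample: assumed HS256 header with the claim values posted in the thread.
SAMPLE = sample_token({"alg": "HS256", "typ": "JWT"}, {"aud": EXPECTED_AUD,
    "iss": EXPECTED_ISS, "sub": EXPECTED_ISS, "iat": 202101032202, "exp": 202102032202})
```

Pass the key ids listed in the document served at `x-google-jwks_uri` as `jwks_kids`; an empty result only means the header and claims are consistent, and the signature still has to verify against that public key.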