Regards,
James Krimm
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Regards,
James Krimm
I believe you're right that it shouldn't matter that you're using Endpoints Frameworks vs ESP --- from a client's perspective that should be indistinguishable.Have you tried the sample instructions for making calls with a Google ID Token from here? (full example on GitHub, assuming you're using a service account key file)If you can get an access token that way, I believe the way to combine that with the Python API Client Library is by using AccessTokenCredentials with the access token you've retrieved from above, rather than a credentials object from OAuth2WebServerFlow.
On Tue, Aug 7, 2018 at 11:11 AM <jkr...@appirio.com> wrote:
Hello,--Is it currently possible to make an authorized call with a Google ID Token to a Cloud Endpoints API with the Python API Client library?I am running Cloud Endpoints on App Engine Standard in Python. This uses the Cloud Endpoints Framework instead of ESP. I do not think this should have any affect but calling this out in case it does. Furthermore, I am authorizes requests with a service account not a user.Google's current documentation gives an example with user credential and not a Google ID Token.If it is possible to send a Google ID Token with a request built with the Python API Client library, can you provide an example?Regards,
James Krimm
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/c9477cfd-bfc1-4114-88e3-d24751ec4db6%40googlegroups.com.
"error": {
"code": 401,
"errors": [
{
"domain": "global",
"message": "",
"reason": "required"
}
],
"message": ""
}
}Checking my token at jwt.io I received:
"aud": "https://apiserverprojectid.appspot.com",
"azp": "clientp...@appspot.gserviceaccount.com",
"sub": "110920313756597865336","email": "clientp...@appspot.gserviceaccount.com",
"email_verified": true,
"exp": 1534299670,
"iss": "https://accounts.google.com",
"iat": 1534296070
}
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/c9477cfd-bfc1-4114-88e3-d24751ec4db6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/7daf49ab-78b7-4609-8aee-e32450a50d2b%40googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/c9477cfd-bfc1-4114-88e3-d24751ec4db6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/c9477cfd-bfc1-4114-88e3-d24751ec4db6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/7daf49ab-78b7-4609-8aee-e32450a50d2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/08fb76bc-7636-4a95-928b-96351f5c6c02%40googlegroups.com.
> And also set security definitions in Open API doc as following (I added gae_default_service_account because first attempt was to use https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/endpoints/getting-started/clients/service_to_service_gae_default as I am usind service default account of Client GAE app to authentication, but it was also 401 error and documentation saying about google id token https://cloud.google.com/endpoints/docs/openapi/service-account-authentication so I switched to use google id token for authentication)
I think we might need a big warning on the OpenAPI docs that says "nothing in here applies to Endpoints Frameworks" :) Since you have an Endpoints Frameworks app, the API annotations are the only part that matters here in terms of authentication.That said, I'm not seeing much that's obviously wrong. If you're willing to privately send me your project ID / URL you've deployed this app on, we can try making auth'd requests directly to it and look at the logs.
On Tue, Aug 14, 2018 at 7:44 PM <aoinami.1...@gmail.com> wrote:
Thank you, Andrew!Changes only includes my default service account mail: CLIENT_PRJ_ID@appspot.gserviceaccount.com and API server HOST = SERVER_PRJ_ID.appspot.comSERVICE_ACCOUNT_EMAIL = "CLIENT_PRJ_ID@appspot.gserviceaccount.com"
audiences={'serviceAccount': 'https://www.googleapis.com/oauth2/v4/token'})
And also set security definitions in Open API doc as following (I added gae_default_service_account because first attempt was to use https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/endpoints/getting-started/clients/service_to_service_gae_default as I am usind service default account of Client GAE app to authentication, but it was also 401 error and documentation saying about google id token https://cloud.google.com/endpoints/docs/openapi/service-account-authentication so I switched to use google id token for authentication)
..
"securityDefinitions": {"api_key": {"in": "query","name": "key","type": "apiKey"},"google_id_token": {"authorizationUrl": "","flow": "implicit","type": "oauth2",
"x-google-issuer": "CLIENT_PRJ_ID@appspot.gserviceaccount.com",
"x-google-jwks_uri": "www.googleapis.com/oauth2/v4/token","x-google-audiences": "www.googleapis.com/oauth2/v4/token"},"google_id_token-c0b0c9d9": {"authorizationUrl": "","flow": "implicit","type": "oauth2","x-google-audiences": "www.googleapis.com/oauth2/v4/token","x-google-issuer": "https://accounts.google.com","x-google-jwks_uri": "www.googleapis.com/oauth2/v4/token"},"gae_default_service_account": {"authorizationUrl" : "","flow": "implicit","type": "oauth2",
"x-google-issuer": "CLIENT_PRJ_ID@appspot.gserviceaccount.com","x-google-jwks_uri": "https://www.googleapis.com/robot/v1/metadata/x509/CLIENT_PRJ_ID@appspot.gserviceaccount.com",
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/c9477cfd-bfc1-4114-88e3-d24751ec4db6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/7daf49ab-78b7-4609-8aee-e32450a50d2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
Thanks Andrew!"I think we might need a big warning on the OpenAPI docs that says "nothing in here applies to Endpoints Frameworks" :) " yes, I think I started to mix OpenAPI and Endpoints docs :)So, does this mean that frameworks v2 library will generate appropriate Open API docs and there will be no need to add some additional sections manually?my URL of client making call to API is https://api-ml-213516.appspot.com/API backend GAE Std URL is https://apitest-ml-server.appspot.comThank youMarina
Sincerely Yours,KUZMENKO MARINA
On Wed, Aug 15, 2018 at 3:12 PM, Andrew Gunsch <gun...@google.com> wrote:
> And also set security definitions in Open API doc as following (I added gae_default_service_account because first attempt was to use https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/endpoints/getting-started/clients/service_to_service_gae_default as I am usind service default account of Client GAE app to authentication, but it was also 401 error and documentation saying about google id token https://cloud.google.com/endpoints/docs/openapi/service-account-authentication so I switched to use google id token for authentication)
I think we might need a big warning on the OpenAPI docs that says "nothing in here applies to Endpoints Frameworks" :) Since you have an Endpoints Frameworks app, the API annotations are the only part that matters here in terms of authentication.That said, I'm not seeing much that's obviously wrong. If you're willing to privately send me your project ID / URL you've deployed this app on, we can try making auth'd requests directly to it and look at the logs.
On Tue, Aug 14, 2018 at 7:44 PM <aoinami.1...@gmail.com> wrote:
Thank you, Andrew!Changes only includes my default service account mail: CLIENT...@appspot.gserviceaccount.com and API server HOST = SERVER_PRJ_ID.appspot.comSERVICE_ACCOUNT_EMAIL = "CLIENT...@appspot.gserviceaccount.com"
audiences={'serviceAccount': 'https://www.googleapis.com/oauth2/v4/token'})
And also set security definitions in Open API doc as following (I added gae_default_service_account because first attempt was to use https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/endpoints/getting-started/clients/service_to_service_gae_default as I am usind service default account of Client GAE app to authentication, but it was also 401 error and documentation saying about google id token https://cloud.google.com/endpoints/docs/openapi/service-account-authentication so I switched to use google id token for authentication)
..
"securityDefinitions": {"api_key": {"in": "query","name": "key","type": "apiKey"},"google_id_token": {"authorizationUrl": "","flow": "implicit","type": "oauth2",
"x-google-issuer": "CLIENT...@appspot.gserviceaccount.com",
"x-google-jwks_uri": "www.googleapis.com/oauth2/v4/token","x-google-audiences": "www.googleapis.com/oauth2/v4/token"},"google_id_token-c0b0c9d9": {"authorizationUrl": "","flow": "implicit","type": "oauth2","x-google-audiences": "www.googleapis.com/oauth2/v4/token","x-google-issuer": "https://accounts.google.com","x-google-jwks_uri": "www.googleapis.com/oauth2/v4/token"},"gae_default_service_account": {"authorizationUrl" : "","flow": "implicit","type": "oauth2",
"x-google-issuer": "CLIENT...@appspot.gserviceaccount.com","x-google-jwks_uri": "https://www.googleapis.com/robot/v1/metadata/x509/CLIENT...@appspot.gserviceaccount.com",
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/c9477cfd-bfc1-4114-88e3-d24751ec4db6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/7daf49ab-78b7-4609-8aee-e32450a50d2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/08fb76bc-7636-4a95-928b-96351f5c6c02%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CAGFyOiGHa8akSRch6kiG-az8ARgjjHgLCa2uFO9%3D1KmX6Ucpcw%40mail.gmail.com.
python-docs-samples/appengine/standard/endpoints-frameworks-v2/echo/lib/endpoints/openapi_generator.py", line 779, in __security_descriptor
raise TypeError('Missing issuer {}'.format(issuer))
TypeError: Missing issuer google_id_tokenI googled and found this answer
https://stackoverflow.com/questions/51487510/missing-issuer-google-id-token-when-generating-openapi-doc-for-cloud-endpoints
Error is the same "Missing issuer google_id_token" even if I pass a dict as audiences:
@endpoints.api(
name='echo', version='v1',
issuers={'ServiceAccount': endpoints.Issuer(
'api-ml...@appspot.gserviceaccount.com',
'https://www.googleapis.com/robot/v1/metadata/x509/api-ml...@appspot.gserviceaccount.com')},
audiences={'ServiceAccount': ['https://apitest-ml-server.appspot.com']}
)
does it mean that only google id token could be used to authenticate calls to endpoints in std environment? in my understanding in case of flexible env ESP does auth part instead of framework lib and yaml is not generated from parsing API class?
Thanks,
Marina
Pardon my confusion, but if you're trying to use Google ID tokens with service accounts, why does your @api annotation use a service account issuer?
On Thu, Aug 16, 2018 at 10:23 AM Marina Lanyugina <aoinami.1...@gmail.com> wrote:
Thanks Andrew!"I think we might need a big warning on the OpenAPI docs that says "nothing in here applies to Endpoints Frameworks" :) " yes, I think I started to mix OpenAPI and Endpoints docs :)So, does this mean that frameworks v2 library will generate appropriate Open API docs and there will be no need to add some additional sections manually?my URL of client making call to API is https://api-ml-213516.appspot.com/API backend GAE Std URL is https://apitest-ml-server.appspot.comThank youMarina
Sincerely Yours,KUZMENKO MARINA
On Wed, Aug 15, 2018 at 3:12 PM, Andrew Gunsch <gun...@google.com> wrote:
> And also set security definitions in Open API doc as following (I added gae_default_service_account because first attempt was to use https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/endpoints/getting-started/clients/service_to_service_gae_default as I am usind service default account of Client GAE app to authentication, but it was also 401 error and documentation saying about google id token https://cloud.google.com/endpoints/docs/openapi/service-account-authentication so I switched to use google id token for authentication)
I think we might need a big warning on the OpenAPI docs that says "nothing in here applies to Endpoints Frameworks" :) Since you have an Endpoints Frameworks app, the API annotations are the only part that matters here in terms of authentication.That said, I'm not seeing much that's obviously wrong. If you're willing to privately send me your project ID / URL you've deployed this app on, we can try making auth'd requests directly to it and look at the logs.
On Tue, Aug 14, 2018 at 7:44 PM <aoinami.1...@gmail.com> wrote:
Thank you, Andrew!Changes only includes my default service account mail: CLIENT_PRJ_ID@appspot.gserviceaccount.com and API server HOST = SERVER_PRJ_ID.appspot.comSERVICE_ACCOUNT_EMAIL = "CLIENT_PRJ_ID@appspot.gserviceaccount.com"
audiences={'serviceAccount': 'https://www.googleapis.com/oauth2/v4/token'})
And also set security definitions in Open API doc as following (I added gae_default_service_account because first attempt was to use https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/endpoints/getting-started/clients/service_to_service_gae_default as I am usind service default account of Client GAE app to authentication, but it was also 401 error and documentation saying about google id token https://cloud.google.com/endpoints/docs/openapi/service-account-authentication so I switched to use google id token for authentication)
..
"securityDefinitions": {"api_key": {"in": "query","name": "key","type": "apiKey"},"google_id_token": {"authorizationUrl": "","flow": "implicit","type": "oauth2",
"x-google-issuer": "CLIENT_PRJ_ID@appspot.gserviceaccount.com",
"x-google-jwks_uri": "www.googleapis.com/oauth2/v4/token","x-google-audiences": "www.googleapis.com/oauth2/v4/token"},"google_id_token-c0b0c9d9": {"authorizationUrl": "","flow": "implicit","type": "oauth2","x-google-audiences": "www.googleapis.com/oauth2/v4/token","x-google-issuer": "https://accounts.google.com","x-google-jwks_uri": "www.googleapis.com/oauth2/v4/token"},"gae_default_service_account": {"authorizationUrl" : "","flow": "implicit","type": "oauth2",
"x-google-issuer": "CLIENT_PRJ_ID@appspot.gserviceaccount.com","x-google-jwks_uri": "https://www.googleapis.com/robot/v1/metadata/x509/CLIENT_PRJ_ID@appspot.gserviceaccount.com",
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/c9477cfd-bfc1-4114-88e3-d24751ec4db6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/7daf49ab-78b7-4609-8aee-e32450a50d2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/08fb76bc-7636-4a95-928b-96351f5c6c02%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
Yes, Daniel, actually I realized that I generated echov1openapi.json only once at the beginning with @endpoints.api(name='echo', version='v1')After class decorated with 'ServiceAccount' issuer, I didn't re-generated. Thank you for pointing me out to my miss.I tried to generated again with decoration, but now unfortunately encounters this error:python-docs-samples/appengine/standard/endpoints-frameworks-v2/echo/lib/endpoints/openapi_generator.py", line 779, in __security_descriptor raise TypeError('Missing issuer {}'.format(issuer)) TypeError: Missing issuer google_id_tokenI googled and found this answerhttps://stackoverflow.com/questions/51487510/missing-issuer-google-id-token-when-generating-openapi-doc-for-cloud-endpointsError is the same "Missing issuer google_id_token" even if I pass a dict as audiences:@endpoints.api( name='echo', version='v1', issuers={'ServiceAccount': endpoints.Issuer( 'api-ml...@appspot.gserviceaccount.com', 'https://www.googleapis.com/robot/v1/metadata/x509/api-ml...@appspot.gserviceaccount.com')}, audiences={'ServiceAccount': ['https://apitest-ml-server.appspot.com']} )does it mean that only google id token could be used to authenticate calls to endpoints in std environment?
in my understanding in case of flexible env ESP does auth part instead of framework lib and yaml is not generated from parsing API class?
Thanks,MarinaSincerely Yours,KUZMENKO MARINA
Sincerely Yours,KUZMENKO MARINA
Thank you, Andrew!Changes only includes my default service account mail: CLIENT...@appspot.gserviceaccount.com and API server HOST = SERVER_PRJ_ID.appspot.comSERVICE_ACCOUNT_EMAIL = "CLIENT...@appspot.gserviceaccount.com"
audiences={'serviceAccount': 'https://www.googleapis.com/oauth2/v4/token'})
And also set security definitions in Open API doc as following (I added gae_default_service_account because first attempt was to use https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/endpoints/getting-started/clients/service_to_service_gae_default as I am usind service default account of Client GAE app to authentication, but it was also 401 error and documentation saying about google id token https://cloud.google.com/endpoints/docs/openapi/service-account-authentication so I switched to use google id token for authentication)
..
"securityDefinitions": {"api_key": {"in": "query","name": "key","type": "apiKey"},"google_id_token": {"authorizationUrl": "","flow": "implicit","type": "oauth2",
"x-google-issuer": "CLIENT...@appspot.gserviceaccount.com",
"x-google-jwks_uri": "www.googleapis.com/oauth2/v4/token","x-google-audiences": "www.googleapis.com/oauth2/v4/token"},"google_id_token-c0b0c9d9": {"authorizationUrl": "","flow": "implicit","type": "oauth2","x-google-audiences": "www.googleapis.com/oauth2/v4/token","x-google-issuer": "https://accounts.google.com","x-google-jwks_uri": "www.googleapis.com/oauth2/v4/token"},"gae_default_service_account": {"authorizationUrl" : "","flow": "implicit","type": "oauth2",
"x-google-issuer": "CLIENT...@appspot.gserviceaccount.com","x-google-jwks_uri": "https://www.googleapis.com/robot/v1/metadata/x509/CLIENT...@appspot.gserviceaccount.com",
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/c9477cfd-bfc1-4114-88e3-d24751ec4db6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/7daf49ab-78b7-4609-8aee-e32450a50d2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/08fb76bc-7636-4a95-928b-96351f5c6c02%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
It's possible to pass either a dict or a list (or tuple) as the audiences value. Passing a list/tuple is treated by the openapi generation code as the same thing as passing a dict with the key 'google_id_token'.That is, audiences=['foo', 'bar'] is treated as audiences={'google_id_token': ['foo', 'bar']} when it comes to generating the openapi spec. Every key in the audiences dict must correspond to a key in the issuers dict.However, the framework does not currently allow using a dict for audiences to actually work for Google ID token authentication. That is, the dict must be present in order to generate the openapi yaml, but it must be absent when actually running the app. I recognize this is not ideal and I'm looking for the best way to fix it.
On Fri, Aug 17, 2018 at 10:59 AM Andrew Gunsch <gun...@google.com> wrote:
On Thu, Aug 16, 2018 at 5:58 PM Marina Lanyugina <aoinami.1...@gmail.com> wrote:
Yes, Daniel, actually I realized that I generated echov1openapi.json only once at the beginning with @endpoints.api(name='echo', version='v1')After class decorated with 'ServiceAccount' issuer, I didn't re-generated. Thank you for pointing me out to my miss.I tried to generated again with decoration, but now unfortunately encounters this error:
python-docs-samples/appengine/standard/endpoints-frameworks-v2/echo/lib/endpoints/openapi_generator.py", line 779, in __security_descriptor raise TypeError('Missing issuer {}'.format(issuer)) TypeError: Missing issuer google_id_tokenI googled and found this answerhttps://stackoverflow.com/questions/51487510/missing-issuer-google-id-token-when-generating-openapi-doc-for-cloud-endpointsError is the same "Missing issuer google_id_token" even if I pass a dict as audiences:
@endpoints.api( name='echo', version='v1', issuers={'ServiceAccount': endpoints.Issuer( 'api-ml-213516@appspot.gserviceaccount.com', 'https://www.googleapis.com/robot/v1/metadata/x509/api-ml-213516@appspot.gserviceaccount.com')}, audiences={'ServiceAccount': ['https://apitest-ml-server.appspot.com']} )
Thanks,MarinaSincerely Yours,KUZMENKO MARINA
Sincerely Yours,KUZMENKO MARINA
Thank you, Andrew!Changes only includes my default service account mail: CLIENT_PRJ_ID@appspot.gserviceaccount.com and API server HOST = SERVER_PRJ_ID.appspot.comSERVICE_ACCOUNT_EMAIL = "CLIENT_PRJ_ID@appspot.gserviceaccount.com"
audiences={'serviceAccount': 'https://www.googleapis.com/oauth2/v4/token'})
And also set security definitions in Open API doc as following (I added gae_default_service_account because first attempt was to use https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/endpoints/getting-started/clients/service_to_service_gae_default as I am usind service default account of Client GAE app to authentication, but it was also 401 error and documentation saying about google id token https://cloud.google.com/endpoints/docs/openapi/service-account-authentication so I switched to use google id token for authentication)
..
"securityDefinitions": {"api_key": {"in": "query","name": "key","type": "apiKey"},"google_id_token": {"authorizationUrl": "","flow": "implicit","type": "oauth2",
"x-google-issuer": "CLIENT_PRJ_ID@appspot.gserviceaccount.com",
"x-google-jwks_uri": "www.googleapis.com/oauth2/v4/token","x-google-audiences": "www.googleapis.com/oauth2/v4/token"},"google_id_token-c0b0c9d9": {"authorizationUrl": "","flow": "implicit","type": "oauth2","x-google-audiences": "www.googleapis.com/oauth2/v4/token","x-google-issuer": "https://accounts.google.com","x-google-jwks_uri": "www.googleapis.com/oauth2/v4/token"},"gae_default_service_account": {"authorizationUrl" : "","flow": "implicit","type": "oauth2",
"x-google-issuer": "CLIENT_PRJ_ID@appspot.gserviceaccount.com","x-google-jwks_uri": "https://www.googleapis.com/robot/v1/metadata/x509/CLIENT_PRJ_ID@appspot.gserviceaccount.com",
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANMRvhk%2BJJ71dR-dts683Koew2G6Vq%2Bk0e8dBBYnY9PKMc58HQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/c9477cfd-bfc1-4114-88e3-d24751ec4db6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/7daf49ab-78b7-4609-8aee-e32450a50d2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/08fb76bc-7636-4a95-928b-96351f5c6c02%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.