Is it possible to create a protected API using Google Cloud Endpoints that doesn't require API key?

1,221 views

Fedor Tyurin

Aug 15, 2017, 7:49:17 PM
to Google Cloud Endpoints
I'm securing my Google Cloud Endpoints API using Google ID token. Here is the corresponding part of my OpenAPI spec deployed to Google Cloud Endpoints:

    "securityDefinitions": {
      "google_id_token": {
        "authorizationUrl": "",
        "flow": "implicit",
        "type": "oauth2",
        "x-google-issuer": "https://accounts.google.com",
        "x-google-jwks_uri": "https://www.googleapis.com/oauth2/v1/certs",
        "x-google-audiences": "https://fedor-dot-my-api.appspot.com"
      }
    },
    "security": [
      {
        "google_id_token": []
      }
    ]

Still I get a warning that my API is not protected unless I add an API key method to my security definition.

WARNING: my-v1-openapi.json: Operation 'get' in path '/my/v1/test/details': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.

My API is used only in a "service-to-service" scenario (the API caller uses the App Engine default service account as described in https://cloud.google.com/endpoints/docs/service-to-service-auth), so I don't see a real benefit in passing an API key when the caller is already identified by the service account.

Is it possible to skip the API key check after Google ID token verification? I'm using the App Engine standard environment.


D. T.

Aug 15, 2017, 8:00:33 PM
to Fedor Tyurin, Google Cloud Endpoints
Yes, it is possible. The warning is just a warning, not an error. You can operate without it.


Daniel Tang | Software Engineer | ta...@google.com | Google Inc


--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/7bdd5428-e998-4f65-a31f-976d6eae53aa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Dan Ciruli

Aug 15, 2017, 10:26:01 PM
to D. T., Fedor Tyurin, Google Cloud Endpoints
Yes, this is an odd message. We will investigate whether a change is appropriate. 

Thanks-

DC



Fedor Tyurin

Aug 16, 2017, 3:30:44 AM
to Dan Ciruli, D. T., Google Cloud Endpoints
I wouldn't worry about the warnings, but my API allows anonymous requests (without any authentication header) unless I pass api_key_required=True to the @endpoints.api decorator in my Python code. Could you point me to a working example that uses the Endpoints Framework for authentication and can be deployed to the App Engine standard environment?


Dan Ciruli

Aug 16, 2017, 1:35:22 PM
to Fedor Tyurin, D. T., Google Cloud Endpoints
Can you be clear about what behavior you want to have? Do you want to require Google ID tokens? Or do you want to allow anonymous requests?


--
DC

Fedor Tyurin

Aug 16, 2017, 2:24:02 PM
to Dan Ciruli, D. T., Google Cloud Endpoints
Sorry, probably that wasn't clear from my previous mail. I want my API to be available only for certain service accounts. No public access should be allowed. It would be nice to be able to manage which service accounts have access to the API using IAM or other Google Cloud Platform UI, but configuring through swagger file is also fine.

Fedor Tyurin

Aug 18, 2017, 4:07:29 AM
to Google Cloud Endpoints, cir...@google.com, D. T.
Any comments on this? We are working on several microservices (all implement their API using the Endpoints Framework and are deployed to App Engine Standard; some of them are services (modules) in our main project and some are separate projects). Now we need to effectively protect communication between them. We thought it would be easy to call a service authenticating with the default service account of the caller project (we are able to generate a Google ID token for the default service account as described in https://cloud.google.com/endpoints/docs/service-to-service-auth#using_a_google_id_token). But it turned out to be a total mystery how to authenticate and authorise a call on the API side, so your help will be really appreciated.

Dan Ciruli

Aug 18, 2017, 12:47:53 PM
to Fedor Tyurin, Nancy Avinger, Limin Wang, Google Cloud Endpoints, D. T.
Fedor --

That's the right configuration, but there is a lot of information on that page.

For how to configure your API, in the https://cloud.google.com/endpoints/docs/service-to-service-auth#configuring_your_api_to_support_authentication section there is a tab called Service Account-JWT.

It explains that you'll have to add a securityDefinition for each service account you want to authorize, like so:

securityDefinitions:
  google-signed-jwt:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "[YOUR-SERVICE-ACCOUNT-EMAIL]"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/[YOUR-SERVICE-ACCOUNT-EMAIL]"

And, also at the top level, you add a security section to require that JWT for all methods:

security:
  - google-signed-jwt: []

Then, you can follow the directions for generating a JWT and signing it with the default service account.


I've added an authentication engineer and our technical writer on this thread. Limin, can you please verify my instructions? And Nancy, assuming this is all correct, we should put our heads together to figure out how to make this common use case a little more clear on the page.

Fedor -- let us know if that works out for you. Thanks!

DC
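For readers who, like the question earlier in this thread, want to see what "authenticate and authorise a call on the API side" amounts to once the securityDefinitions above are deployed, here is an added example. It is not code from this thread, from Google, or from the Endpoints project; it reproduces the checks the Endpoints proxy performs on a bearer JWT against definitions shaped like the two discussed here (Fedor's google_id_token and Dan's google-signed-jwt): match the iss claim to a definition's x-google-issuer, verify the signature with that issuer's key, check aud against x-google-audiences, and reject expired tokens and anonymous calls. Assumptions are marked in the code: the service-account email and service name are constructed placeholders for [YOUR-SERVICE-ACCOUNT-EMAIL]; signatures use HS256 with constructed shared secrets so the example runs offline, whereas real Google tokens are RS256 and verified against x-google-jwks_uri; and the fallback of "aud must equal the API's service name" when x-google-audiences is absent is the assumed default, not something this thread states.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values. The service-account email stands in for the thread's
# [YOUR-SERVICE-ACCOUNT-EMAIL]; the ID-token audience is the one in Fedor's
# spec. Signing is HS256 with shared secrets only so this runs offline;
# Endpoints verifies RS256 signatures against each x-google-jwks_uri.
SERVICE_NAME = "my-api.appspot.com"
CALLER_SA = "caller@example-project.iam.gserviceaccount.com"
SECURITY_DEFINITIONS = {
    "google_id_token": {
        "x-google-issuer": "https://accounts.google.com",
        "x-google-audiences": "https://fedor-dot-my-api.appspot.com",
    },
    "google-signed-jwt": {
        "x-google-issuer": CALLER_SA,
        # No x-google-audiences: assumed default is aud == the API's service name.
    },
}
# Stand-in for the keys the proxy would fetch from each x-google-jwks_uri.
ISSUER_KEYS = {
    "https://accounts.google.com": b"constructed-google-secret",
    CALLER_SA: b"constructed-service-account-secret",
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT over the claims (test-only signing helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def check_request(auth_header, definitions=SECURITY_DEFINITIONS,
                  keys=ISSUER_KEYS, service_name=SERVICE_NAME, now=None):
    """Return (accepted, reason) for one Authorization header; anonymous calls fail."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False, "no bearer token: anonymous call rejected"
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False, "malformed JWT"
    header_b64, body_b64, sig_b64 = parts
    try:
        claims = json.loads(_unb64url(body_b64))
        sig = _unb64url(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token"
    # 1. Issuer selects the securityDefinition. One definition per service
    #    account is how the reply above limits the API to specific callers.
    issuer = claims.get("iss")
    matches = [n for n, d in definitions.items() if d["x-google-issuer"] == issuer]
    if not matches or issuer not in keys:
        return False, f"issuer {issuer!r} is not an allowed caller"
    name = matches[0]
    # 2. Signature, checked with the key that belongs to that issuer.
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(keys[issuer], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature does not verify"
    # 3. Audience: x-google-audiences is comma-separated; fall back to the
    #    service name when absent (assumption noted above).
    allowed = definitions[name].get("x-google-audiences", service_name).split(",")
    aud = claims.get("aud")
    if not any(a in allowed for a in (aud if isinstance(aud, list) else [aud])):
        return False, f"audience {aud!r} not accepted for {name}"
    # 4. Expiry.
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "token expired"
    return True, f"authenticated via {name} as {claims.get('sub', issuer)}"

def demo(now=1_502_900_000):
    """Run constructed requests through check_request; returns {label: accepted}."""
    sa_key, g_key = ISSUER_KEYS[CALLER_SA], ISSUER_KEYS["https://accounts.google.com"]
    good = make_token({"iss": CALLER_SA, "aud": SERVICE_NAME, "exp": now + 3600}, sa_key)
    cases = {
        "anonymous": None,
        "service account jwt": f"Bearer {good}",
        "google id token": "Bearer " + make_token(
            {"iss": "https://accounts.google.com", "sub": "1234",
             "aud": "https://fedor-dot-my-api.appspot.com", "exp": now + 3600}, g_key),
        "unlisted service account": "Bearer " + make_token(
            {"iss": "other@example-project.iam.gserviceaccount.com",
             "aud": SERVICE_NAME, "exp": now + 3600}, b"any-key"),
        "wrong audience": "Bearer " + make_token(
            {"iss": CALLER_SA, "aud": "some-other-api", "exp": now + 3600}, sa_key),
        "expired": "Bearer " + make_token(
            {"iss": CALLER_SA, "aud": SERVICE_NAME, "exp": now - 1}, sa_key),
        "tampered signature": f"Bearer {good[:-4]}AAAA",
    }
    return {label: check_request(h, now=now)[0] for label, h in cases.items()}
```

check_request treats the definitions the way a top-level `security:` that lists all of them does: the call is accepted if its token satisfies any one definition, and a request with no Authorization header is refused outright, which is the "no public access" behaviour asked for above. The issuer match is the authorization step: only service accounts that appear as an x-google-issuer can get past it, so adding or removing a caller is a change to the deployed OpenAPI file rather than to application code.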

