Endpoints Security with service account

596 views

Skip to first unread message

molte...@gmail.com

unread,

Apr 7, 2017, 10:18:23 AM4/7/17

to Google Cloud Endpoints

Hi all,

I have a problem while trying to secure my end points with a service account. when i try to hit the endpoint it say that the issuer is not allowed

OPENAPI.YAML

swagger: '2.0'

info:
  title: EndPoints Service Account
  description: EndPoints Service Account
  version: "1.0.0"
host: epsacc.endpoints.fatty-acid.cloud.goog

basePath: /
consumes:
- application/json
produces:
- application/json
schemes:
- https

paths:
  /svcstatus:
    get:
      summary: Check if the service is up and running
      operationId: service-status
      produces:
      - text/plain
      responses:
        200:
          description: Service Status
      security:
      - security_svc: []
securityDefinitions:
  # This section configures authentication using a service account
  # to sign a json web token. This is mostly used for server-to-server
  # communication.
  security_svc:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    # Replace YOUR-SERVICE-ACCOUNT-EMAIL with your service account email.
    x-google-issuer: "my-servi...@fatty-acid.iam.gserviceaccount.com"
    # Replace YOUR-SERVICE-ACCOUNT-EMAIL with your service account email.
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/my-serviceaccount@fatty-acid.iam.gserviceaccount.com"

SERVER.TS

// Import Express
import * as express from 'express';
import * as bodyParser from 'body-parser';
import * as cors from 'cors';

// Express settings
var app = express();
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());
app.use(cors());

app.get('/svcstatus', (req, res) => {res.send("Running Called by Service Account");});

var server = app.listen(process.env.PORT || 9011, () => {
    var host = server.address().address
    var port = server.address().port
    console.log("Server is Listening at http://%s:%s", host, port)
});

APP.YAML

runtime: nodejs
env: flex
service: epsacc

skip_files:
- ^(.*/)?.*/node_modules/.*$

endpoints_api_service:
  name: epsacc.endpoints.fatty-acid.cloud.goog
  config_id: 2017-04-07r4

CLIENT.PY

import time
import urllib
import httplib
import requests
import yaml
import json
from oauth2client.service_account import ServiceAccountCredentials
import oauth2client

credentials = ServiceAccountCredentials.from_json_keyfile_name('key.json')

now = int(time.time())
payload = {
    'iat': now,
    'exp': now + credentials.MAX_TOKEN_LIFETIME_SECS,
    'aud': 'https://www.googleapis.com/oauth2/v4/token',
    'iss': 'my-serviceaccount@fatty-acid.iam.gserviceaccount.com',
    'scope': 'my-serviceaccount@fatty-acid.iam.gserviceaccount.com'
}
signed_jwt = oauth2client.crypt.make_signed_jwt(credentials._signer, payload, key_id=credentials._private_key_id)
params = urllib.urlencode({
    'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion': signed_jwt})
headers = {"Content-Type": "application/x-www-form-urlencoded"}
conn = httplib.HTTPSConnection("www.googleapis.com")
conn.request("POST", "/oauth2/v4/token", params, headers)
jwt = yaml.safe_load(conn.getresponse().read())


# header = {'Authorization': 'Bearer {}'.format(jwt['id_token'])}
header = {'Authorization': 'Bearer {}'.format(jwt['id_token'])}
url = "https://epsacc-dot-fatty-acid.appspot.com/svcstatus"
r = requests.request("GET", url=url, headers=header)
print r.content

ERROR MESSAGE when i run the client

{
 "code": 16,
 "message": "JWT validation failed: Issuer not allowed",
 "details": [
  {
   "@type": "type.googleapis.com/google.rpc.DebugInfo",
   "stackEntries": [],
   "detail": "auth"
  }
 ]
}

Can't figure out what's going on

Diego

Sarvani Vakkalanka

unread,

Apr 7, 2017, 11:44:42 AM4/7/17

to molte...@gmail.com, Google Cloud Endpoints

I don't see the audiences defined for the issuer in the security definitions. Please look at the following link for more information:

https://cloud.google.com/endpoints/docs/openapi-configuration

Here is a snippet from that link about audiences:

Thanks,

Sarvani

`x-google-audiences`

x-google-audiences: STRING

This extension is used in the OpenAPI securityDefinitions section to provide a list of JSON web tokens that are allowed to access the API. Values take the form of a comma separated string.

These three extensions are illustrated in the following example:


securityDefinitions:
  google_id_token:
    type: oauth2
    authorizationUrl: ""
    flow: implicit
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks-uri: "https://www.googleapis.com/oauth2/v1/certs"
    x-google-audiences:
      - "848149964201.apps.googleusercontent.com, 841077041629.apps.googleusercontent.com"

x-google-issuer: "my-service...@fatty-acid.iam.gserviceaccount.com"

--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/aa41223f-549d-454a-b0bf-231ffb90aa5a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks,

Sarvani

Reply all

Reply to author

Forward

0 new messages