Authenticating with App Engine credentials to communicate with an app on Google Cloud Endpoints using OpenAPI

Time: 2022-12-17 23:10:39

If you use the Google Auth Library for Python to authenticate an App Engine app to communicate with an app running on Compute Engine that uses the Extensible Service Proxy (ESP) as part of Cloud Endpoints with OpenAPI, you get an error response:


{
  "code": 16,
  "message": "JWT validation failed: BAD_FORMAT",
  "details": [{
      "@type": "type.googleapis.com/google.rpc.DebugInfo",
      "stackEntries": [],
      "detail": "auth"
  }]
}

The only sample Cloud Endpoints code that I found doesn't use any library and instead builds the JSON Web Token (JWT) by hand and sets the proper HTTP header completely manually. Is there a way to do it with a standard library, so you get all the other benefits that come with it?


1 solution

#1


1  

The problem is caused by the fact that google.auth.app_engine.Credentials() does not include the aud claim in the JWTs that it builds, while ESP requires it. (I wish I had found the Troubleshooting JWT Validation page earlier; it would have saved me the hours I spent investigating this myself.)


Here is how to build credentials that ESP will accept:


import google.auth.app_engine
import google.auth.jwt
from google.appengine.api import app_identity  # App Engine standard environment API

# Must match x-google-audiences in your OpenAPI file or your Endpoints service name.
AUDIENCE = '...'

credentials = google.auth.jwt.Credentials(
    signer=google.auth.app_engine.Signer(),           # signs with the app's service account key via app_identity
    issuer=app_identity.get_service_account_name(),   # iss claim: the app's default service account
    subject=app_identity.get_service_account_name(),  # sub claim: same service account
    audience=AUDIENCE)                                # aud claim, which ESP requires

where AUDIENCE must match the x-google-audiences value in your OpenAPI file or your Cloud Endpoints service name (see the troubleshooting doc linked to above for details).


This code even works with dev_appserver.py and a service account as long as you pass the --appidentity_private_key_path and --appidentity_email_address flags. But you'll need to convert your service account's private key into the format that dev_appserver.py accepts, because it doesn't support either of the formats that the Google Cloud Console can give you. See this bug comment for instructions.

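Added example (not code from the question, the answer, or the google-auth library): a minimal JWT builder and a validator that applies the audience check the answer describes, so a token without an aud claim is rejected while one carrying an audience listed in x-google-audiences is accepted. It uses HMAC-SHA256 from the standard library instead of the RS256 service-account signature that ESP actually verifies, the service-account address and audience strings are constructed placeholders, and the rejection reason strings are this example's own, not ESP's.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key. ESP verifies RS256 signatures against the service
# account's public keys; HMAC is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_jwt(issuer, subject, audience=None, key=DEMO_KEY, lifetime=3600):
    """Build a signed JWT. Passing audience=None reproduces the failure mode
    from the answer: a token with iss/sub/iat/exp but no aud claim."""
    now = int(time.time())
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + lifetime}
    if audience is not None:
        claims["aud"] = audience
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_jwt(token, allowed_audiences, key=DEMO_KEY, now=None):
    """Return (ok, reason). allowed_audiences is the comma-separated
    x-google-audiences value from the OpenAPI file."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "BAD_FORMAT: expected three dot-separated segments"
    # Check the signature before trusting anything in the payload.
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return False, "BAD_SIGNATURE"
        claims = json.loads(_b64url_decode(parts[1]))
    except (binascii.Error, ValueError):
        return False, "BAD_FORMAT: segment is not valid base64url/JSON"
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "TIME_CONSTRAINT_FAILURE: token expired"
    aud = claims.get("aud")
    if aud is None:
        return False, "missing aud claim"
    allowed = {a.strip() for a in allowed_audiences.split(",")}
    # RFC 7519 allows aud to be a single string or a list of strings.
    presented = set(aud) if isinstance(aud, list) else {aud}
    if not presented & allowed:
        return False, "audience mismatch"
    return True, "ok"


if __name__ == "__main__":
    sa = "app@example-project.iam.gserviceaccount.com"  # constructed
    svc = "my-api.endpoints.example-project.cloud.goog"  # constructed
    print(validate_jwt(build_jwt(sa, sa), svc))
    print(validate_jwt(build_jwt(sa, sa, audience=svc), svc))
```

The validator rejects on the first failing check, in the order a gateway would: format, signature, expiry, then audience. The audience check is set intersection so it handles both the single-string and list forms of aud and a multi-valued x-google-audiences.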
