Tutorial of @app.route('/') with authentication #113
It depends on what is making the request. The most common use case is either a service or a user using a service account. In that case you would add the following to your goblet security definitions
Then you would generate a token with the service account and attach it to your request. Another option, if you are using Firebase auth on a web or mobile frontend, is to simply pass that token and configure your security definition using the Firebase client ID.
I haven't used the other methods, but they should work similarly, with the only difference being the token in the request Authorization header. |
Let's say the project where I created my service account is my-gcp-project and the service account name is my-service-account.
The deployment is successful and the API config is in status Completed in the API Gateway Console. For the sake of the explanation, let's say the deployed API Gateway URL is https://goblet-my-function-26nu6048.ew.gateway.dev. Here is the code of my local Flask app which I use to test the API Gateway. I found this code here: GoogleCloudPlatform/python-docs-samples utils.py
app.py
settings.py
When I run the app, I am redirected to a Google sign-in page instead of being authorized. Is it normal? |
That's what API Gateway will return if the auth is failing, I believe. I am not sure exactly why yours is failing, but below is how we are generating the bearer token in Python without a service account key.
From the CLI you can also try running |
All of this is really confusing... The process is really different depending on the library used. According to the google.oauth2.service_account documentation:
So if I understand correctly, if you are using a service account:
But I think that the Open API spec used in the I'm trying the second option. |
After reading the IAM documentation (REST Resource: projects.serviceAccounts), I have a couple of remarks about the piece of code you suggested here:
I'm sure that I only partially understand the problem; my remarks are only meant to get a better understanding of the messy Google APIs. |
@amirbtb that's good to know. They must have deprecated the signJwt recently, which is annoying since that was the easiest way I could figure out without having to use a key locally. I wish GCP had more robust documentation, since goblet in this case is just a pass-through for auth handled by API Gateway. I guess they still prefer using a private key to sign the JWTs. This is essentially what I was doing with signJwt, but instead of having the private key downloaded I was making an API call. In terms of option 1 and option 2, all tokens should be provided as an Authorization: Bearer header. Another option is to create an API key, but it is not recommended since it is a static key, so it is vulnerable to man-in-the-middle attacks. I am curious, though, why your initial code was not working as expected. Let's try using a different route, say "/test", to make sure it's not just the "/" that's not working, and then try printing out the |
Ah. Looked at the deprecation note @amirbtb and they write So this is the new API endpoint they are supporting. |
I will work on getting an example together and add documentation, since it is not clear at all from GCP and I spent way too much time getting it to work before. |
Just tested and it worked with the following config. Not sure if it matters, but I used and this is the GCP API endpoint used for reference, and no key required.
|
* Add documentation for service account authentication and jwt generation (#113)
I'm getting this error:
I'm using a service account that has the following roles (and others not mentioned):
The keyfile path of the service account is exported as Am I missing something? |
Hmm, so you are running this app locally using a service account passed into You should only need the What could be happening is it is using your personal credentials and not the service account. Can you verify if you have the In my script I generate the credentials using |
I added On another lead: did you set up something in particular related to OAuth in your project? I didn't set up anything. Do you think that it can be related? |
Hmm, I don't think I set anything else up. I did run The script is actually going to use your credentials locally to call the GCP endpoint to then sign the JWT with the service account, so that may be why it was in the logs. The only other permission that I have needed in other cases is the |
Maybe my issue is related to CORS since I use an |
That could be it. You can set
|
I'm trying to set up a Cloud Function with multiple routes. The endpoint must be private but I don't really know much about authentication in Google Cloud.
I've spent a lot of time reading the Goblet docs Authentication topic and all the mentioned Google docs, plus intensive research, but I'm not sure how I should proceed: do I have to set up something else in GCP (IAP, OAuth)?