Some endpoints need auth, others don't. #846

Closed
td-gonzales opened this issue Aug 31, 2021 · 7 comments

Comments

@td-gonzales

We are implementing API-GW and are using jwt. However I would like to keep our token service behind the GW. Is there a way to force all endpoints to have authentication except for ones specifically specified?

Or should we plan on having two GWs? One for auth and one for unauth requests?

@td-gonzales
Author

Once I added x-google-allow: all, this seems to have started working.

@td-gonzales
Author

Okay now it's not working again.

@td-gonzales td-gonzales reopened this Aug 31, 2021
@nareddyt
Contributor

Can you clarify your deployment architecture? Are you using ESPv2 on Cloud Run, API Gateway, or ESP as a sidecar on GKE/GCE? Is your backend an OpenAPI REST backend?

@nareddyt
Contributor

If you are talking about frontend authentication (having ESP verify the JWT from the client is valid), you can configure it per-method. From https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id#configuring_esp_to_support_client_authentication

Add a security section at either the API level to apply to the entire API, or at the method level to apply to a specific method.

So you can apply the auth to all your methods except the token service ones.

@td-gonzales
Author

We are using API-GW to call Cloud Functions. Here is some of our API Config.

x-google-backend:
  address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-be-198765"
  disable_auth: true

x-google-allow: all

securityDefinitions:
  accept-jwt-from-svc-acct:
...

security:
  - accept-jwt-from-svc-acct: []

paths:
  /functionHello:
    get:
      summary: test cloud function
      operationId: test
      x-google-backend:
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        disable_auth: true
      responses:
        '200':
          description: success
  /functionSecured:
    get:
      summary: test a secured function
      operationId: "secure test"
      x-google-backend:
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        disable_auth: false

It's my understanding that I should be able to call functionHello without a jwt token but when I call functionHello it requires a jwt. However when I call some random endpoint like joke I go to the backend and that doesn't require auth.

@nareddyt
Contributor

nareddyt commented Sep 1, 2021

I see 2 issues here.

It's my understanding that I should be able to call functionHello without a jwt token but when I call functionHello it requires a jwt.

There are two different JWT tokens that ESPv2 / API-GW handles:

Client app ----- (client JWT) -----> ESPv2 ------ (ESPv2 JWT) -----> Cloud Function Backend

You want to configure access control for the client JWT, not the ESPv2 JWT. x-google-backend.disable_auth is configuring how ESPv2 generates the ESPv2 JWT to call the CF Backend (notice it is in the x-google-backend section).

Ref: https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#disable_auth

You can remove these disable_auth lines. Instead, you configure security via accept-jwt-from-svc-acct at a per-method level.

However when I call some random endpoint like joke I go to the backend and that doesn't require auth.

That is because you set x-google-allow: all. This allows unregistered paths like /joke to pass through to the backend. I suggest you remove this configuration. Please also remove the top-level x-google-backend.

Ref: https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#x-google-allow

I captured all the changes in the config below:

# >>> Remove top-level x-google-backend <<<

securityDefinitions:
  accept-jwt-from-svc-acct:
...

# >>> Remove top-level security <<<

paths:
  /functionHello:
    get:
      summary: test cloud function
      operationId: test
      x-google-backend:
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        # >>> Remove disable_auth <<<
      responses:
        '200':
          description: success
  /functionSecured:
    get:
      summary: test a secured function
      operationId: "secure test"
      # >>> Move security to only this method <<<
      security:
        - accept-jwt-from-svc-acct: []
      x-google-backend:
        address: "https://us-central1-${projectId}.cloudfunctions.net/function-test-234399dfj3r4"
        # >>> Remove disable_auth <<<
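An added check for the mix-up nareddyt describes, written here as example code rather than anything from the thread or the ESPv2 project: it takes an already-parsed OpenAPI spec (a dict, as `yaml.safe_load` would return) and reports which operations actually require a client JWT, flagging `x-google-allow: all` and the `disable_auth` lines that only affect the ESPv2-to-backend JWT. The two specs inside are constructed stand-ins for the before and after configs in this issue, with a placeholder backend address.

```python
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

def audit(spec):
    """Classify each operation as public/protected by client JWT and flag misleading lines."""
    findings = {"public": [], "protected": [], "warnings": []}
    if spec.get("x-google-allow") == "all":
        findings["warnings"].append(
            "x-google-allow: all lets unregistered paths reach the backend with no client auth")
    if "disable_auth" in spec.get("x-google-backend", {}):
        findings["warnings"].append(
            "top-level x-google-backend.disable_auth only affects the ESPv2->backend JWT")
    top_security = spec.get("security", [])
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method not in HTTP_METHODS:
                continue
            name = f"{method.upper()} {path}"
            # Method-level 'security' overrides the API-level list; an empty list means public.
            effective = op["security"] if "security" in op else top_security
            findings["protected" if effective else "public"].append(name)
            if "disable_auth" in op.get("x-google-backend", {}):
                findings["warnings"].append(
                    f"{name}: disable_auth does not control client auth; use 'security' instead")
    return findings

# Constructed stand-in for the original config in the thread (address is a placeholder).
BACKEND = "https://example.invalid/fn"
ORIGINAL = {
    "x-google-backend": {"address": BACKEND, "disable_auth": True},
    "x-google-allow": "all",
    "securityDefinitions": {"accept-jwt-from-svc-acct": {"type": "oauth2"}},
    "security": [{"accept-jwt-from-svc-acct": []}],
    "paths": {
        "/functionHello": {"get": {"operationId": "test",
            "x-google-backend": {"address": BACKEND, "disable_auth": True}}},
        "/functionSecured": {"get": {"operationId": "secure test",
            "x-google-backend": {"address": BACKEND, "disable_auth": False}}},
    },
}
# Constructed stand-in for the corrected config: security only on /functionSecured.
FIXED = {
    "securityDefinitions": {"accept-jwt-from-svc-acct": {"type": "oauth2"}},
    "paths": {
        "/functionHello": {"get": {"operationId": "test",
            "x-google-backend": {"address": BACKEND}}},
        "/functionSecured": {"get": {"operationId": "secure test",
            "security": [{"accept-jwt-from-svc-acct": []}],
            "x-google-backend": {"address": BACKEND}}},
    },
}
```

`audit(ORIGINAL)` reports both operations as protected (the top-level `security` applies everywhere) plus four warnings, which is why /functionHello still demanded a JWT; `audit(FIXED)` reports only GET /functionSecured as protected and no warnings.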

@td-gonzales
Author

Thank you I got the auth issue solved with this.
