使用默认GAE服务帐户对端点(Std env)进行身份验证正在提供" 401方法不允许没有已建立身份的呼叫者"

时间:2018-01-03 23:56:07

标签: python google-app-engine google-cloud-endpoints

我尝试使用两种身份验证方法在AppEngine标准环境服务中创建Google Cloud端点:apiKey和默认GAE服务帐户。

  • apiKey身份验证是指外部系统能够查询API
  • 默认GAE身份验证适用于同一AppEngine应用程序(XXXX)中的其他服务(以前称为" modules")以连接到端点(例如service1-dot-XXXX.appspot.com以发出请求到api-dot-XXXX.appspot.com中的端点)

apiKey身份验证工作得很好,但是" service_to_service_gae"身份验证给出:

401 Method does not allow callers without established identity. Please use an API key or other form of API consumer identity to call this API.

我用以下内容装饰端点:

@endpoints.api(
    name='widgets',
    version='v1',
    base_path='/api/',
    api_key_required=True,
    allowed_client_ids=['XXXX@appspot.gserviceaccount.com'])

class WidgetsApi(remote.Service):
... 

使用此代码根据sample client from github

调用API
SERVICE_ACCOUNT_EMAIL = 'XXXX@appspot.gserviceaccount.com'
def generate_jwt():
  """Generates a signed JSON Web Token using the Google App Engine default
  service account."""
  now = int(time.time())

  header_json = json.dumps({
      "typ": "JWT",
      "alg": "RS256"})

  payload_json = json.dumps({
      "iat": now,
      # expires after one hour.
      "exp": now + 3600,
      # iss is the service account email.
      "iss": SERVICE_ACCOUNT_EMAIL,
      "sub": SERVICE_ACCOUNT_EMAIL,
      "email": SERVICE_ACCOUNT_EMAIL,
      "aud": 'https://api-dot-XXXX.appspot.com',
  })

  header_and_payload = '{}.{}'.format(
      base64.urlsafe_b64encode(header_json),
      base64.urlsafe_b64encode(payload_json))
  (key_name, signature) = app_identity.sign_blob(header_and_payload)
  signed_jwt = '{}.{}'.format(
      header_and_payload,
      base64.urlsafe_b64encode(signature))
  return signed_jwt

def make_request(signed_jwt):
  """Makes a request to the auth info endpoint for Google JWTs."""    
  headers = {'Authorization': 'Bearer {}'.format(signed_jwt)}
  conn = httplib.HTTPSConnection('api-dot-XXXX.appspot.com')
  url = '/api/widgets/v1/list'
  conn.request("POST", url, urllib.urlencode({'search': ''}), headers)
  res = conn.getresponse()
  conn.close()
  return res.read()

我是否忘记了端点装饰器或任何其他配置中的某些内容?或者端点装饰器只接受一种身份验证方法? 我想在同一个GAE标准实例中从服务到服务进行调用是直截了当的。 sample client有点令人困惑(至少对我而言),例如make_request发出请求(' / auth / info / googlejwt')以获取jwt令牌,但什么时候调用实际端点?

提前致谢,新年快乐!!!

1 个答案:

答案 0 :(得分:1)

api_key_required为真时,除了任何JWT之外,您还必须在请求中提供API密钥。