我尝试使用两种身份验证方法在AppEngine标准环境服务中创建Google Cloud端点:apiKey和默认GAE服务帐户。
apiKey身份验证工作得很好,但是" service_to_service_gae"身份验证给出:
401 Method does not allow callers without established identity. Please use an API key or other form of API consumer identity to call this API.
我用以下内容装饰端点:
@endpoints.api(
name='widgets',
version='v1',
base_path='/api/',
api_key_required=True,
allowed_client_ids=['XXXX@appspot.gserviceaccount.com'])
class WidgetsApi(remote.Service):
...
使用此代码根据sample client from github
调用APISERVICE_ACCOUNT_EMAIL = 'XXXX@appspot.gserviceaccount.com'
def generate_jwt():
"""Generates a signed JSON Web Token using the Google App Engine default
service account."""
now = int(time.time())
header_json = json.dumps({
"typ": "JWT",
"alg": "RS256"})
payload_json = json.dumps({
"iat": now,
# expires after one hour.
"exp": now + 3600,
# iss is the service account email.
"iss": SERVICE_ACCOUNT_EMAIL,
"sub": SERVICE_ACCOUNT_EMAIL,
"email": SERVICE_ACCOUNT_EMAIL,
"aud": 'https://api-dot-XXXX.appspot.com',
})
header_and_payload = '{}.{}'.format(
base64.urlsafe_b64encode(header_json),
base64.urlsafe_b64encode(payload_json))
(key_name, signature) = app_identity.sign_blob(header_and_payload)
signed_jwt = '{}.{}'.format(
header_and_payload,
base64.urlsafe_b64encode(signature))
return signed_jwt
def make_request(signed_jwt):
"""Makes a request to the auth info endpoint for Google JWTs."""
headers = {'Authorization': 'Bearer {}'.format(signed_jwt)}
conn = httplib.HTTPSConnection('api-dot-XXXX.appspot.com')
url = '/api/widgets/v1/list'
conn.request("POST", url, urllib.urlencode({'search': ''}), headers)
res = conn.getresponse()
conn.close()
return res.read()
我是否忘记了端点装饰器或任何其他配置中的某些内容?或者端点装饰器只接受一种身份验证方法? 我想在同一个GAE标准实例中从服务到服务进行调用是直截了当的。 sample client有点令人困惑(至少对我而言),例如make_request发出请求(' / auth / info / googlejwt')以获取jwt令牌,但什么时候调用实际端点?
提前致谢,新年快乐!!!
答案 0 :(得分:1)
当api_key_required
为真时,除了任何JWT之外,您还必须在请求中提供API密钥。