I am trying to add authorization to my Python Cloud Functions. I created a service account in my GCP project and generated a key. The test client code that calls the Cloud Function (it does not run inside GCP) looks like this:
from google.oauth2 import service_account
from google.auth.transport.requests import AuthorizedSession

SERVICE_ACCOUNT_FILE = '<my_project_key_file>.json'

# load the service account key and request the userinfo.email scope
credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE,
    scopes=['https://www.googleapis.com/auth/userinfo.email'])

# the session attaches the credential to the Authorization header of every request
authed_session = AuthorizedSession(credentials)
response = authed_session.get('https://<my_project>.cloudfunctions.net/authValidation')
I know this code correctly obtains a JWT bearer token from Google and adds it to the Authorization header of the call to my Cloud Function. I just cannot manage to verify that token inside the Cloud Function. The relevant part of that code looks like this:
from google.oauth2 import id_token
from google.auth.transport import requests

def hello_world(request):
    # from https://developers.google.com/identity/sign-in/web/backend-auth#using-a-google-api-client-library
    # strip the 'Bearer ' prefix (7 characters) and verify the token against Google's certs
    idinfo = id_token.verify_oauth2_token(request.headers.get('Authorization')[7:], requests.Request())
I know the ID token is correct, because verifying it manually (using https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=xxx) returns exactly what I expect.
The error stack trace I get in the logs is:
Traceback (most recent call last):
  File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py", line 346, in run_http_function
    result = _function_handler.invoke_user_function(flask.request)
  File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py", line 217, in invoke_user_function
    return call_user_function(request_or_event)
  File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py", line 210, in call_user_function
    return self._user_function(request_or_event)
  File "/user_code/main.py", line 17, in hello_world
    idinfo = id_token.verify_oauth2_token(request.headers.get('Authorization')[7:], requests.Request())
  File "/env/local/lib/python3.7/site-packages/google/oauth2/id_token.py", line 141, in verify_oauth2_token
    certs_url=_GOOGLE_OAUTH2_CERTS_URL)
  File "/env/local/lib/python3.7/site-packages/google/oauth2/id_token.py", line 122, in verify_token
    return jwt.decode(id_token, certs=certs, audience=audience)
  File "/env/local/lib/python3.7/site-packages/google/auth/jwt.py", line 219, in decode
    header, payload, signed_section, signature = _unverified_decode(token)
  File "/env/local/lib/python3.7/site-packages/google/auth/jwt.py", line 139, in _unverified_decode
    header = _decode_jwt_segment(encoded_header)
  File "/env/local/lib/python3.7/site-packages/google/auth/jwt.py", line 112, in _decode_jwt_segment
    six.raise_from(new_exc, caught_exc)
  File "<string>", line 3, in raise_from
ValueError: Can't parse segment: b'\xc9\xad\xbd'
What am I missing here? Thanks
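An added example, not from the original post and not google-auth's own code, that shows what the handler above is actually receiving and how to triage it before handing it to the verifier. The bytes in the traceback, b'\xc9\xad\xbd', are exactly what base64-decoding the four characters "ya29" produces, i.e. the first dot-separated segment of an opaque OAuth2 access token, which is what AuthorizedSession attaches when built from scoped service-account Credentials; google-auth's JWT decoder then fails on that first "header" segment because it is not a JWT at all. The sample tokens, the project name in SAMPLE_AUDIENCE and all function names here are constructed or hypothetical; only verify_google_id_token calls the real google.oauth2.id_token.verify_oauth2_token API (it needs network access to fetch Google's certificates and is not exercised offline).

```python
import base64
import json
import re

# Constructed sample inputs for this example; neither is a real Google token.
# An OAuth2 access token (what AuthorizedSession sends for scoped Credentials)
# is an opaque "ya29." string, not a three-segment JWT.
SAMPLE_ACCESS_TOKEN = "ya29.a0ExampleOpaqueAccessToken-NotAJwt"
# Hypothetical function URL, used as the ID token audience.
SAMPLE_AUDIENCE = "https://us-central1-my-project.cloudfunctions.net/authValidation"


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(audience, email):
    """Build a JWT-shaped ID token with a dummy signature (constructed test data, never trusted)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    claims = {"iss": "https://accounts.google.com", "aud": audience, "email": email,
              "email_verified": True, "iat": 1600000000, "exp": 1600003600}
    segments = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
                for obj in (header, claims)]
    return ".".join(segments + [_b64url_encode(b"dummy-signature")])


def extract_bearer_token(authorization_header):
    """Return the credential from 'Authorization: Bearer <token>' or None.
    Matching the scheme explicitly avoids a blind [7:] slice, which would accept
    'Basic ...' or crash on a missing header and pass garbage to the verifier."""
    if not authorization_header:
        return None
    match = re.fullmatch(r"\s*Bearer\s+(\S+)\s*", authorization_header, flags=re.IGNORECASE)
    return match.group(1) if match else None


def classify_token(token):
    """Distinguish a JWT-shaped token from an opaque access token before verifying.
    Returns ("jwt", header_dict, claims_dict) or ("opaque", raw_first_segment_bytes, None)."""
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]).decode("utf-8"))
        claims = json.loads(_b64url_decode(parts[1]).decode("utf-8"))
        if len(parts) != 3 or not isinstance(header, dict) or "alg" not in header:
            raise ValueError("not a JOSE compact serialization")
        return ("jwt", header, claims)
    except (ValueError, IndexError):
        # base64-decoding 'ya29' gives b'\xc9\xad\xbd': the bytes google.auth.jwt
        # reports in the question's traceback when handed an access token.
        try:
            raw = _b64url_decode(parts[0])
        except ValueError:
            raw = None
        return ("opaque", raw, None)


def check_unverified_claims(claims, audience):
    """Pre-flight checks on decoded (still UNVERIFIED) claims. They do not replace
    signature verification; they only give actionable errors before the network call."""
    problems = []
    if claims.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        problems.append("issuer is not Google")
    if claims.get("aud") != audience:
        problems.append("audience %r does not match this function" % (claims.get("aud"),))
    if not claims.get("email_verified"):
        problems.append("email not verified")
    return problems


def verify_google_id_token(token, audience):
    """Full verification (signature against Google's published certs, issuer, expiry,
    audience) via the real google-auth API. Needs network access and google-auth installed."""
    from google.oauth2 import id_token
    from google.auth.transport import requests as ga_requests
    kind, _, _ = classify_token(token)
    if kind != "jwt":
        raise ValueError("opaque OAuth2 access token received; the client must send an ID "
                         "token minted for this function's URL as audience")
    return id_token.verify_oauth2_token(token, ga_requests.Request(), audience=audience)


def triage_authorization_header(header_value, audience):
    """What a handler should conclude from an incoming header, as a dict for inspection."""
    token = extract_bearer_token(header_value)
    if token is None:
        return {"status": "missing_or_not_bearer"}
    kind, header, claims = classify_token(token)
    if kind == "opaque":
        return {"status": "opaque_access_token", "first_segment_bytes": header}
    problems = check_unverified_claims(claims, audience)
    return {"status": "rejected" if problems else "id_token_needs_signature_check",
            "problems": problems, "email": claims.get("email"), "kid": header.get("kid")}
```

Running triage_authorization_header on a "Bearer ya29...." header reports opaque_access_token with first_segment_bytes b'\xc9\xad\xbd', which is the cheap way to recognise the failure in the traceback. On the client side, google-auth mints an ID token for a specific URL with service_account.IDTokenCredentials.from_service_account_file(path, target_audience=url) rather than with scoped Credentials, and the Cloud Function should then pass that same URL as the audience argument so a token minted for one function cannot be replayed against another.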
Answer 0: (score: 0)
By setting the GOOGLE_APPLICATION_CREDENTIALS environment variable on your local system, your client will run in the context of that service account without you having to worry about authentication. You do not need to hard-code the path to the key file.
The same applies to deploying the Cloud Function and testing it locally. When the Cloud Function is deployed, it runs as the App Engine default service account or as the service account specified with the --service-account argument: https://cloud.google.com/sdk/gcloud/reference/functions/deploy
Reference: https://cloud.google.com/docs/authentication/production
This way you do not need to push the key to the server or worry about it in git, and you do not need to change any code whether you run locally or remotely.