Google Cloud - JWT token authentication is not enforced for an Endpoints application

Time: 2019-06-17 04:49:50

Tags: java google-app-engine google-cloud-platform jwt openapi

I am trying to set up 2 Google Cloud Endpoints applications so that the first one can make requests to the second, which is protected by a JWT token. I am using this guide:

https://cloud.google.com/endpoints/docs/openapi/service-account-authentication#configure_auth

I have successfully attached the JWT token to the request to the second application. It shows up in the Authorization: bearer part of the HTTP request, and I have verified that the token is valid.

If I make a request to my API method in the second application without any token, the method is still called successfully. This is not what I expected, because the documentation at the link I provided states:

    Before ESP forwards a request to your API, ESP validates:

    - the signature of the JWT, using the public keys located at the URI specified in the x-google-jwks_uri field of the OpenAPI document.
    ...

So I expected access to the method to be refused entirely without a valid JWT token.

When making the request, with or without the JWT token, no User is injected into my method, and I also do not get any of the following in the request (as suggested at the bottom of the Google docs guide):

{
  "issuer": TOKEN_ISSUER,
  "id": USER_ID,
  "email" : USER_EMAIL
}

I am not sure how to secure the second application with a JWT token. What is causing this? What can I try/check to verify my security configuration?

This is the openapi.json of my second application:

{
  "swagger": "2.0",
  "info": {
    "version": "1.0.0",
    "title": "myApp2.appspot.com"
  },
  "host": "myApp2.appspot.com",
  "basePath": "/api",
  "schemes": [
    "https"
  ],
  "consumes": [
    "application/json"
  ],
  "produces": [
    "application/json"
  ],
  "securityDefinitions": {
    "mySecurityDef": {
      "type": "oauth2",
      "authorizationUrl": "",
      "flow": "implicit",
      "x-google-issuer": "myApp2@myProject.iam.gserviceaccount.com",
      "x-google-jwks_uri": "https://www.googleapis.com/robot/v1/metadata/x509/myApp2@myProject.iam.gserviceaccount.com",
      "x-google-audience": "myApp2-api"
    }
  },
  "paths": {
    "/myApp2/v1/doStuff": {
      "get": {
        "operationId": "MyApp2DoStuff_1",
        "responses": {
          "200": {
            "description": "A successful response"
          }
        },
        "security": [
          { "mySecurityDef": [] }
        ]
      }
    }
  }
}

API method definition:

import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.ApiMethod;
import javax.servlet.http.HttpServletRequest;

@ApiMethod(name = "doStuff", path = "doStuff", httpMethod = "get")
public void DoStuff_1(HttpServletRequest req, User user) {
    // The User parameter is populated by Endpoints Frameworks only after it has
    // authenticated the request; it is null otherwise.
    HttpServletRequest myRequest = req;
}

API annotation:

import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiIssuer;
import com.google.api.server.spi.config.ApiIssuerAudience;
import com.google.api.server.spi.config.ApiNamespace;

@Api(
        name = "myApp2",
        version = "v1",
        namespace =
        @ApiNamespace(
                ownerDomain = "myApp2.appspot.com",
                ownerName = "myApp2.appspot.com",
                packagePath = ""
        ),
        // Issuer whose tokens the framework accepts, and where its signing keys are published
        issuers = {
                @ApiIssuer(
                        name = "myIssuerName",
                        issuer = "myApp2@myProject.iam.gserviceaccount.com",
                        jwksUri =
                                "https://www.googleapis.com/service_accounts/v1/metadata/x509/myApp2@myProject.iam.gserviceaccount.com"
                )
        },
        // Audience value a token from that issuer must carry in its aud claim
        issuerAudiences = {@ApiIssuerAudience(name = "myIssuerName", audiences = "myApp2-api")}
)
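The question asks what can be checked to confirm that the configuration really protects the method. The following is an added, offline example (not part of the question, of Google's documentation, or of Endpoints itself) that performs two of the checks the quoted ESP description implies: that every operation in the openapi.json carries a `security` requirement, and that the `iss`, `aud` and `exp` claims of the token being sent match the `x-google-issuer` and `x-google-audience` fields of the security definition. It uses only the Python standard library; the spec dictionary is a constructed copy of the question's openapi.json, the tokens are constructed test tokens with placeholder signatures, and the script deliberately does not verify signatures (that is what ESP does with the keys at `x-google-jwks_uri`).

```python
"""Offline sanity checks for an Endpoints OpenAPI JWT configuration (added example)."""
import base64
import json
import time

# Constructed copy of the relevant parts of the question's openapi.json.
OPENAPI = {
    "swagger": "2.0",
    "host": "myApp2.appspot.com",
    "basePath": "/api",
    "securityDefinitions": {
        "mySecurityDef": {
            "type": "oauth2",
            "authorizationUrl": "",
            "flow": "implicit",
            "x-google-issuer": "myApp2@myProject.iam.gserviceaccount.com",
            "x-google-jwks_uri": "https://www.googleapis.com/robot/v1/metadata/x509/myApp2@myProject.iam.gserviceaccount.com",
            "x-google-audience": "myApp2-api",
        }
    },
    "paths": {
        "/myApp2/v1/doStuff": {
            "get": {
                "operationId": "MyApp2DoStuff_1",
                "responses": {"200": {"description": "A successful response"}},
                "security": [{"mySecurityDef": []}],
            }
        }
    },
}

HTTP_METHODS = {"get", "post", "put", "delete", "patch", "head", "options"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Split a compact JWT into (header, claims). The signature is NOT verified here;
    that is ESP's job, using the keys published at x-google-jwks_uri."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def unprotected_operations(spec: dict):
    """Operations with no `security` requirement; ESP forwards these without a token."""
    found = []
    default = spec.get("security", [])  # spec-level default, if any
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS and not op.get("security", default):
                found.append((path, method))
    return found


def claim_problems(claims: dict, spec: dict, now=None):
    """Compare iss/aud/exp with the x-google-* fields of every securityDefinition."""
    now = time.time() if now is None else now
    defs = spec.get("securityDefinitions", {}).values()
    issuers = {d["x-google-issuer"] for d in defs if "x-google-issuer" in d}
    audiences = set()
    for d in defs:  # x-google-audience is a comma-separated list
        audiences.update(a.strip() for a in d.get("x-google-audience", "").split(",") if a.strip())
    problems = []
    if claims.get("iss") not in issuers:
        problems.append(f"iss {claims.get('iss')!r} does not match any x-google-issuer {sorted(issuers)}")
    aud = claims.get("aud")
    token_auds = set(aud) if isinstance(aud, list) else {aud}
    if not token_auds & audiences:
        problems.append(f"aud {aud!r} does not match x-google-audience {sorted(audiences)}")
    if claims.get("exp") is None or claims["exp"] <= now:
        problems.append("token is missing exp or has expired")
    return problems


def without_security(spec: dict) -> dict:
    """Deep copy of the spec with every per-operation `security` removed, for comparison."""
    copied = json.loads(json.dumps(spec))
    for item in copied["paths"].values():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                op.pop("security", None)
    return copied


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token with a placeholder signature segment (ESP would reject it)."""
    return _b64url_encode({"alg": "RS256", "typ": "JWT"}) + "." + _b64url_encode(claims) + ".sig"


FIXED_NOW = 1560739790  # constructed timestamp near the question's date
ISSUER = "myApp2@myProject.iam.gserviceaccount.com"
GOOD_TOKEN = make_unsigned_token({"iss": ISSUER, "aud": "myApp2-api", "iat": FIXED_NOW, "exp": FIXED_NOW + 3600})
# Constructed mismatch: aud set to the service URL rather than the configured x-google-audience.
BAD_AUD_TOKEN = make_unsigned_token({"iss": ISSUER, "aud": "https://myApp2.appspot.com", "iat": FIXED_NOW, "exp": FIXED_NOW + 3600})

if __name__ == "__main__":
    print("unprotected operations:", unprotected_operations(OPENAPI))
    for label, token in (("good token", GOOD_TOKEN), ("bad aud", BAD_AUD_TOKEN)):
        print(label, claim_problems(decode_jwt(token)[1], OPENAPI, now=FIXED_NOW))
```

To use it on a real deployment, replace `OPENAPI` with `json.load(open("openapi.json"))` and `GOOD_TOKEN` with the token captured from the outgoing Authorization header; a non-empty result from `claim_problems` explains a rejection, while an empty result together with a request that still succeeds without a token points at the deployed configuration (for instance the operation listed by `unprotected_operations`, or a spec that was never deployed) rather than at the token.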

0 answers:

No answers