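JWT validation fails on ESPv2 with Firebase authentication

Time: 2020-09-01 17:30:48

Tags: google-cloud-platform firebase-authentication google-cloud-functions google-cloud-endpoints google-api-gateway

I am building authenticated Cloud Functions using Cloud Functions with ESPv2 and Firebase authentication and API Management. After authenticating and obtaining the JWT token from Firebase, I tried passing the token in curl in the Authorization header as Bearer. When I try it in Postman I get "JWT validation failed". When I try it from the client application I get "Bad Request". Besides the setup mentioned in the link, is there anything else I need to do before making the request?

Updating with more details as requested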

swagger: "2.0"
info:
  title: My API Endpoints
  description: My API Endpoints
  version: 1.0.0
host: myapi-abcdefg.a.run.app
schemes:
  - https
produces:
  - application/json
securityDefinitions:
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/fan-demand"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "my-google-project-id"
paths:
  /getevents:
    get:
      summary: Get Events
      operationId: getevents
      x-google-backend:
        address: https://us-central1-my-google-project-id.cloudfunctions.net/getevents
        protocol: h2
      security:
        - firebase: []
      responses:
        "200":
          description: A successful response
          schema:
            type: string
        "403":
          description: Failed to authenticate

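After deploying this service, I obtained the ID token from Firebase using the getIdToken() method in the Firebase Dart SDK. The JWT token is in Header.payload.tail format. I then added the ID token to the Authorization header as Bearer and got the following response.

Update: I tried the new API Gateway product, following https://cloud.google.com/api-gateway/docs/authenticating-users-firebase, instead of ESP.

My configuration: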

swagger: "2.0"
info:
  title: My API Endpoints
  description: My API Endpoints
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
securityDefinitions:
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/my-project"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "my-project"
paths:
  /getevents:
    get:
      summary: Get Events
      operationId: getevents
      x-google-backend:
        address: https://us-central1-my-project.cloudfunctions.net/getevents
      security:
        - firebase: []
      responses:
        "200":
          description: A successful response
          schema:
            type: string
        "403":
          description: Failed to authenticate

Client code: the client is developed in Dart, and user is the firebase auth object from https://pub.dev/documentation/firebase_auth/latest/firebase_auth/User/getIdToken.html

user.getIdToken().then((token) async {
  final response = await http.get(
      Uri.parse(
          'https://mygateway/getevents'),
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': 'Bearer $token',
      });
  print('Token : ${token}');
  print(response.body);
});

I got the response

403 Forbidden - Your client does not have permission to get URL
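
One way to narrow down a "JWT validation failed" response is to compare the token's own claims with the x-google-issuer and x-google-audiences values in the OpenAPI config; a Firebase ID token carries iss = https://securetoken.google.com/<project-id> and aud = <project-id>. The following is an added example, not part of the original post: check_claims and make_sample_token are hypothetical helpers, the token is constructed, and the signature is deliberately not verified.

```python
import base64
import json
import time

def _decode(segment):
    """Base64url-decode one JWT segment (restoring padding) and parse its JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_claims(token, issuer, audiences, now=None):
    """List the claim mismatches against x-google-issuer / x-google-audiences.

    Diagnostic only: the signature is NOT verified, so never use this to authorize.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not in header.payload.signature form"]
    try:
        claims = _decode(parts[1])
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload segment is not a base64url-encoded JSON object"]
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != x-google-issuer {issuer!r}")
    allowed = {a.strip() for a in audiences.split(",")}  # comma-separated list
    aud = claims.get("aud")
    if not allowed & set(aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} not in x-google-audiences {sorted(allowed)}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp is missing or in the past")
    return problems

def make_sample_token(claims):
    """Constructed, unsigned token for the demo; the signature is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder"])

if __name__ == "__main__":
    # Constructed claims for a token issued to the project named in the first issuer.
    sample = make_sample_token({"iss": "https://securetoken.google.com/fan-demand",
                                "aud": "fan-demand", "exp": int(time.time()) + 3600})
    # Issuer and audience values copied from the first securityDefinitions block.
    for problem in check_claims(sample, "https://securetoken.google.com/fan-demand",
                                "my-google-project-id"):
        print(problem)
```

Run it against a real ID token by passing the string from getIdToken() to check_claims; keep the token out of logs and shared terminals, since it is a bearer credential until it expires.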

1 Answer:

Answer 0: (score: 0)

Without ESP

The Cloud Function needs to be public (deployed with allUsers) in order to use Firebase authentication.

Note:

Unlike Google Sign-in above, your function is doing the authentication;
therefore, you will be billed for unauthenticated requests since the function must do work to validate the token.

Link to relevant documentation

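With ESP

If you want to use the Cloud Function behind ESPv2, you need to create a specific IAM for ESP so that it is able to trigger the Cloud Function privately.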

To provide API management for Cloud Functions, you deploy the prebuilt ESPv2 container to Cloud Run.

You then secure your functions by using Cloud Functions IAM so that ESPv2 can invoke them.

Link to relevant documentation
