I'm trying to create a Google Cloud Endpoints in an AppEngine Standard environment service with 2 methods of authentication: apiKey and default GAE service account.
- apiKey authentication is for external systems to be able to query the API
- default GAE authentication is for other services (formerly known as "modules") within the same AppEngine app (XXXX) to connect to the endpoint (e.g. service1-dot-XXXX.appspot.com to make requests to an endpoint in api-dot-XXXX.appspot.com)
The apiKey authentication works just fine, but the "service_to_service_gae" authentication gives:
401 Method does not allow callers without established identity. Please use an API key or other form of API consumer identity to call this API.
I am decorating the endpoint with:
    import endpoints
    from protorpc import remote

    @endpoints.api(
        name='widgets',
        version='v1',
        base_path='/api/',
        api_key_required=True,
        allowed_client_ids=['XXXX@appspot.gserviceaccount.com'])
    class WidgetsApi(remote.Service):
        ...
And calling the API with this code, based on the sample client from GitHub:
    # Python 2.7, App Engine Standard runtime.
    import base64
    import httplib
    import json
    import time
    import urllib

    from google.appengine.api import app_identity

    SERVICE_ACCOUNT_EMAIL = 'XXXX@appspot.gserviceaccount.com'


    def generate_jwt():
        """Generates a signed JSON Web Token using the Google App Engine default
        service account."""
        now = int(time.time())
        header_json = json.dumps({
            "typ": "JWT",
            "alg": "RS256"})
        payload_json = json.dumps({
            "iat": now,
            # expires after one hour.
            "exp": now + 3600,
            # iss is the service account email.
            "iss": SERVICE_ACCOUNT_EMAIL,
            "sub": SERVICE_ACCOUNT_EMAIL,
            "email": SERVICE_ACCOUNT_EMAIL,
            "aud": 'https://api-dot-XXXX.appspot.com',
        })
        header_and_payload = '{}.{}'.format(
            base64.urlsafe_b64encode(header_json),
            base64.urlsafe_b64encode(payload_json))
        # Sign with the app's default service account key.
        (key_name, signature) = app_identity.sign_blob(header_and_payload)
        signed_jwt = '{}.{}'.format(
            header_and_payload,
            base64.urlsafe_b64encode(signature))
        return signed_jwt


    def make_request(signed_jwt):
        """Makes a request to the widgets list endpoint with the signed JWT."""
        headers = {'Authorization': 'Bearer {}'.format(signed_jwt)}
        conn = httplib.HTTPSConnection('api-dot-XXXX.appspot.com')
        url = '/api/widgets/v1/list'
        conn.request("POST", url, urllib.urlencode({'search': ''}), headers)
        res = conn.getresponse()
        # Read the body before closing the connection.
        body = res.read()
        conn.close()
        return body
Am I forgetting something in the endpoint decorator or any other configuration? Or maybe the endpoint decorator accepts only one method of authentication? I would think making a call from service to service within the same GAE std instance would be straightforward. The sample client is kind of confusing (at least for me), e.g. make_request makes a request ('/auth/info/googlejwt') to get the JWT token, but when do you call the actual endpoint?
Thanks in advance, happy New Year!!!
1 solution
#1
0
When api_key_required is true, you have to provide an API key in the request in addition to any JWTs.
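What the answer describes, as an added example that is not part of the original question or answer: a Python 3 standard-library helper that checks the JWT's claims before sending and builds a request carrying both credentials. It assumes the API key is passed in the `key` query parameter, as Cloud Endpoints expects; the host, path, issuer and audience come from the question, while `sample_token` and the key value are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Values taken from the question; the API key is a constructed placeholder.
ISS = "XXXX@appspot.gserviceaccount.com"
AUD = "https://api-dot-XXXX.appspot.com"
HOST = "api-dot-XXXX.appspot.com"
PATH = "/api/widgets/v1/list"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(now):
    """Constructed, unsigned stand-in for the output of generate_jwt()."""
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {"iat": now, "exp": now + 3600, "iss": ISS, "sub": ISS,
              "email": ISS, "aud": AUD}
    parts = [_b64url(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + ["constructed-signature"])

def jwt_claims(token):
    """Decode (without verifying) the payload segment of a JWT."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(token, now=None):
    """List claim problems worth fixing before the request is sent."""
    now = int(time.time()) if now is None else now
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != ISS:
        problems.append("iss mismatch")
    if claims.get("aud") != AUD:
        problems.append("aud mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return problems

def build_call(token, api_key):
    """Return (url, headers) carrying both the API key and the JWT."""
    if not api_key:
        raise ValueError("api_key_required=True: send an API key with the JWT")
    url = "https://{}{}?{}".format(HOST, PATH, urlencode({"key": api_key}))
    return url, {"Authorization": "Bearer {}".format(token)}
```

Keep the API key out of source control and logs; because it travels in the URL, it will appear in any request log that records query strings.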