Making authorized calls to a Google Cloud Endpoints API

Time: 2022-08-22 11:11:16

My Current Setup

  • Google Cloud Endpoints hosted on Google App Engine. Google Echo tutorial (https://cloud.google.com/endpoints/docs/frameworks/python/get-started-frameworks-python)
  • Python local server making requests to the echo API.

The echo tutorial is up and running. I can make calls to open endpoints and the one requiring an API key using a python script on my machine. I have not been able to make an authorized API call with a Google ID token. None of the Google examples have worked so far.

From my understanding, the workflow should be

  1. Use a key file to authorize the service account to generate a JWT.
  2. Use the JWT to generate a Google ID token.

Google Example: https://cloud.google.com/endpoints/docs/openapi/service-account-authentication#using_a_google_id_token (Key File) The code fails. Function get_id_token() return res['id_token'] fails with no id_token in res.

Has anyone gotten the example to work? Does anyone have an example of making an authorized API call to an Endpoint API with a Google ID token from a service account?

1 solution

#1


1  

The main issue was generating the JWT and the code that works for me is below. I have yet to find a better way to do this that works. If you know of a better way please submit your answers below or add a comment. The code that generates the Google ID Token from JWT is exactly from Google documentation here (https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/endpoints/getting-started/clients/service_to_service_google_id_token/main.py) get_id_token function.

import time

import google.auth.crypt
import google.auth.jwt


def generate_jwt(audience, json_keyfile, service_account_email):
    """Generates a signed JSON Web Token using a Google API Service Account.
    https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/endpoints/getting-started/clients/google-jwt-client.py
    """

    # Note: this sample shows how to manually create the JWT for the purposes
    # of showing how the authentication works, but you can use
    # google.auth.jwt.Credentials to automatically create the JWT.
    #   http://google-auth.readthedocs.io/en/latest/reference/google.auth.jwt.html#google.auth.jwt.Credentials

    # Load the service account's private key from the JSON key file.
    signer = google.auth.crypt.RSASigner.from_service_account_file(json_keyfile)

    now = int(time.time())
    expires = now + 3600  # One hour in seconds

    payload = {
        'iat': now,
        'exp': expires,
        'aud': 'https://www.googleapis.com/oauth2/v4/token',
        # target_audience must match 'audience' in the security configuration in your
        # openapi spec. It can be any string.
        'target_audience': audience,
        'iss': service_account_email
    }

    # Sign the claims with the service account key.
    jwt = google.auth.jwt.encode(signer, payload)

    return jwt
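
A claim check that could be run on the output of generate_jwt before it is exchanged for an ID token, as an added example that is not part of the original answer or Google's samples. It uses only the standard library and does not verify the signature; check_assertion, make_sample and the sample values in it are hypothetical names and constructed data.

```python
import base64
import json
import time

TOKEN_ENDPOINT = 'https://www.googleapis.com/oauth2/v4/token'  # 'aud' used in the answer
MAX_LIFETIME = 3600  # seconds, as in the answer's code


def _b64url_decode(segment):
    """Decode one unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))


def check_assertion(token, expected_audience, service_account_email, now=None):
    """Return a list of claim problems (empty list means OK). No signature check."""
    now = int(time.time()) if now is None else now
    if isinstance(token, bytes):  # google.auth.jwt.encode returns bytes
        token = token.decode('ascii')
    parts = token.split('.')
    if len(parts) != 3:
        return ['not a three-part compact JWT']
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if claims.get('aud') != TOKEN_ENDPOINT:
        problems.append('aud is not the token endpoint')
    if claims.get('target_audience') != expected_audience:
        problems.append('target_audience missing or not the API audience')
    if claims.get('iss') != service_account_email:
        problems.append('iss is not the service account email')
    iat, exp = claims.get('iat'), claims.get('exp')
    if not isinstance(iat, int) or not isinstance(exp, int):
        problems.append('iat/exp missing')
    elif exp <= now or exp - iat > MAX_LIFETIME:
        problems.append('expired or lifetime over one hour')
    return problems


def make_sample(claims):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b'=').decode()
    return '.'.join([enc({'alg': 'RS256', 'typ': 'JWT'}), enc(claims), 'c2ln'])
```
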
