From 24df2941ed704806463b753b7c280803ac4ed84c Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Wed, 30 Jan 2019 16:07:56 -0800 Subject: [PATCH 1/4] added region tags to auth_info --- endpoints/getting-started/main.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/endpoints/getting-started/main.py b/endpoints/getting-started/main.py index 66de99a60ab..8ce27ace860 100644 --- a/endpoints/getting-started/main.py +++ b/endpoints/getting-started/main.py @@ -23,7 +23,9 @@ import logging from flask import Flask, jsonify, request + from flask_cors import cross_origin + from six.moves import http_client @@ -45,6 +47,7 @@ def echo(): return jsonify({'message': message}) +# [START endpoints_auth_info_backend] def auth_info(): """Retrieves the authenication information from Google Cloud Endpoints.""" encoded_info = request.headers.get('X-Endpoint-API-UserInfo', None) @@ -56,6 +59,7 @@ def auth_info(): user_info = {'id': 'anonymous'} return jsonify(user_info) +# [START endpoints_auth_info_backend] @app.route('/auth/info/googlejwt', methods=['GET']) From ce87c18657dc081c8e06c44f19f399d5a8702b2b Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Wed, 30 Jan 2019 16:08:22 -0800 Subject: [PATCH 2/4] cleaned up auth between services functions; added region tags --- .../clients/google-jwt-client.py | 79 +++++++++---------- 1 file changed, 39 insertions(+), 40 deletions(-) diff --git a/endpoints/getting-started/clients/google-jwt-client.py b/endpoints/getting-started/clients/google-jwt-client.py index ad1c3d74f89..af6e7093177 100644 --- a/endpoints/getting-started/clients/google-jwt-client.py +++ b/endpoints/getting-started/clients/google-jwt-client.py 
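Review bot: The tag `# [START endpoints_auth_info_backend]` placed before `def auth_info():` turns the function into a published snippet whose only documentation is the docstring, and a reader copying it needs to know where the `X-Endpoint-API-UserInfo` header it reads comes from. The docstring says the information comes from Google Cloud Endpoints, so the header is presumably written by the Endpoints proxy; a backend that can be reached without passing through that proxy would accept whatever a client places in the header. I would add, directly under the docstring, `# Set by the Endpoints proxy; the backend must not be reachable without it.` and, since the line is being published, correct the docstring's `authenication`. The middle of `auth_info` lies between this hunk and the next one, outside both.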
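Review bot: The tag added after `return jsonify(user_info)` reads `# [START endpoints_auth_info_backend]`, which repeats the opening tag from the previous hunk and leaves the region unterminated; it should be `# [END endpoints_auth_info_backend]`. Neither of the later patches in this series touches main.py, so depending on the snippet tooling the extracted region will either run to the end of the file or be rejected. `auth_info` begins in the previous hunk and its middle is outside both hunks.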
@@ -22,64 +22,55 @@ import google.auth.crypt import google.auth.jwt -import requests -from six.moves import urllib +import requests -def generate_jwt(service_account_file): - """Generates a signed JSON Web Token using a Google API Service Account.""" - # Note: this sample shows how to manually create the JWT for the purposes - # of showing how the authentication works, but you can use - # google.auth.jwt.Credentials to automatically create the JWT. - # http://google-auth.readthedocs.io/en/latest/reference - # /google.auth.jwt.html#google.auth.jwt.Credentials +# [START endpoints_generate_jwt_sa] +def generate_jwt(sa_keyfile, + sa_email='account@project-id.iam.gserviceaccount.com', + audience='https://project-id.appspot.com', + expiry_length=3600): - signer = google.auth.crypt.RSASigner.from_service_account_file( - service_account_file) + """Generates a signed JSON Web Token using a Google API Service Account.""" now = int(time.time()) - expires = now + 3600 # One hour in seconds + # build pyload payload = { 'iat': now, - 'exp': expires, - # aud must match 'audience' in the security configuration in your - # swagger spec. It can be any string. - 'aud': 'echo.endpoints.sample.google.com', + # expires after 'expirary_length' seconds. + "exp": now + expiry_length, # iss must match 'issuer' in the security configuration in your - # swagger spec. It can be any string. - 'iss': 'jwt-client.endpoints.sample.google.com', - # sub and email are mapped to the user id and email respectively. - 'sub': '12345678', - 'email': 'user@example.com' + # swagger spec (e.g. service account email). It can be any string. + 'iss': sa_email, + # aud must be either your Endpoints service name, or match the value + # specified as the 'x-google-audience' in the OpenAPI document. 
+ 'aud': audience, + # sub and email should match the service account's email address + 'sub': sa_email, + 'email': sa_email } + # sign with keyfile + signer = google.auth.crypt.RSASigner.from_service_account_file(sa_keyfile) jwt = google.auth.jwt.encode(signer, payload) - return jwt +# [END endpoints_generate_jwt_sa] -def make_request(host, api_key, signed_jwt): - """Makes a request to the auth info endpoint for Google JWTs.""" - url = urllib.parse.urljoin(host, '/auth/info/googlejwt') - params = { - 'key': api_key - } +# [START endpoints_jwt_request] +def make_jwt_request(signed_jwt, url='https://project-id.appspot.com'): + """Makes an authorized request to the endpoint""" headers = { - 'Authorization': 'Bearer {}'.format(signed_jwt) + 'Authorization': 'Bearer {}'.format(signed_jwt), + 'content-type': 'application/json' } - - response = requests.get(url, params=params, headers=headers) + response = requests.get(url, headers=headers) response.raise_for_status() return response.text - - -def main(host, api_key, service_account_file): - signed_jwt = generate_jwt(service_account_file) - response = make_request(host, api_key, signed_jwt) - print(response) +# [END endpoints_jwt_request] if __name__ == '__main__': @@ -89,11 +80,19 @@ def main(host, api_key, service_account_file): parser.add_argument( 'host', help='Your API host, e.g. https://your-project.appspot.com.') parser.add_argument( - 'api_key', help='Your API key.') + 'audience', help='The aud entry for the JWT') parser.add_argument( - 'service_account_file', + 'sa_path', help='The path to your service account json file.') + parser.add_argument( + 'sa_email', + help='The email address for the service account.') args = parser.parse_args() - main(args.host, args.api_key, args.service_account_file) + expiry_length = 3600 + keyfile_jwt = generate_jwt(args.sa_path, + args.sa_email, + args.audience, + expiry_length) + print(make_jwt_request(keyfile_jwt, args.host)) 
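Review bot: The new comment `# expires after 'expirary_length' seconds.` misspells the parameter it documents, and the typo fix later in this series corrects only `pyload`, so this line should read `# expires after 'expiry_length' seconds.`. In the same payload `"exp"` is double-quoted while every other key uses single quotes, and the docstring of `generate_jwt` now sits after a blank line instead of directly under the signature. More substantively, `sa_email='account@project-id.iam.gserviceaccount.com'` and `audience='https://project-id.appspot.com'` are documentation placeholders that are nonetheless valid values, so `generate_jwt(sa_keyfile)` succeeds and mints a signed token with a fictional issuer and audience that fails only once the proxy rejects it; making both required, `def generate_jwt(sa_keyfile, sa_email, audience, expiry_length=3600):`, turns the misconfiguration into an immediate error and keeps the only visible caller working, since the `__main__` block passes all four positionally. Both functions are complete within this hunk.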
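Review bot: The `host` argument keeps the help text `Your API host, e.g. https://your-project.appspot.com.`, but the rewritten flow passes `args.host` straight through as the `url` of `make_jwt_request`, whereas the removed `urllib.parse.urljoin(host, '/auth/info/googlejwt')` used to append the path; a user who follows the help text now sends the bearer token to the service root rather than the auth-info endpoint. Either append the path again before the call, or change the help to `help='The full URL to call, e.g. https://your-project.appspot.com/auth/info/googlejwt.'` and name the argument accordingly. The local `expiry_length = 3600` only repeats the function's default and could be dropped from the call. This hunk sits inside the `if __name__ == '__main__':` block, which starts in the previous hunk.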
From 28e6e1839370ad57989919c615838bec5ddec4f4 Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Wed, 6 Feb 2019 14:01:08 -0800 Subject: [PATCH 3/4] fixed typo --- endpoints/getting-started/clients/google-jwt-client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/endpoints/getting-started/clients/google-jwt-client.py b/endpoints/getting-started/clients/google-jwt-client.py index af6e7093177..01e6835904c 100644 --- a/endpoints/getting-started/clients/google-jwt-client.py +++ b/endpoints/getting-started/clients/google-jwt-client.py @@ -36,7 +36,7 @@ def generate_jwt(sa_keyfile, now = int(time.time()) - # build pyload + # build payload payload = { 'iat': now, # expires after 'expirary_length' seconds. From 649335881bb5d167595c40bd0a90b22fb9aa12f0 Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Wed, 6 Feb 2019 14:21:09 -0800 Subject: [PATCH 4/4] removed GAE specific placeholders --- endpoints/getting-started/clients/google-jwt-client.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/endpoints/getting-started/clients/google-jwt-client.py b/endpoints/getting-started/clients/google-jwt-client.py index e481208b9bb..533816c6082 100644 --- a/endpoints/getting-started/clients/google-jwt-client.py +++ b/endpoints/getting-started/clients/google-jwt-client.py @@ -29,7 +29,7 @@ # [START endpoints_generate_jwt_sa] def generate_jwt(sa_keyfile, sa_email='account@project-id.iam.gserviceaccount.com', - audience='https://project-id.appspot.com', + audience='your-service-name', expiry_length=3600): """Generates a signed JSON Web Token using a Google API Service Account.""" @@ -61,7 +61,7 @@ def generate_jwt(sa_keyfile, # [START endpoints_jwt_request] -def make_jwt_request(signed_jwt, url='https://project-id.appspot.com'): +def make_jwt_request(signed_jwt, url='https://your-endpoint.com'): """Makes an authorized request to the endpoint""" headers = { 'Authorization': 'Bearer {}'.format(signed_jwt),
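Review bot: The new default `url='https://your-endpoint.com'` in `make_jwt_request` is a registrable hostname rather than a reserved placeholder, so running the sample with the default sends a freshly signed service-account bearer token to whoever controls that domain. Prefer a name reserved for documentation, e.g. `url='https://your-endpoint.example.com'`, or drop the default and make `url` required so an unconfigured call fails locally instead of leaking the token. The first hunk's `audience='your-service-name'` is harmless by comparison, since it is not a network destination, but the same required-argument treatment would apply to it. Both functions start inside their hunks and their bodies continue past the hunk ends.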