Tags: google-cloud-platform, google-cloud-api-gateway

GCP API Gateway - Authentication jwt


I want to use my Google Functions through API Gateway with the same behaviour, just with a clean API.

Since the beginning, I'm calling functions with this method:

curl "https://URL-OF-FUNCTION/items" -H "Authorization: Bearer $(gcloud auth print-identity-token)"

And it's working. Without the token I can't use the public URL. This is the behaviour I want to keep!

But with Gateway API, I can't manage to use the same bearer token.

With this type of configuration (Terraform) :

swagger: "2.0"
info:
  title: ${google_api_gateway_api.api.api_id}
  description: xxxxxxxxxxxxx
  version: 0.0.1
securityDefinitions:
  jwt:
    type: "oauth2"
    authorizationUrl: ""
    flow: "implicit"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
schemes:
  - https
paths:
  "/items":
    get:
      x-google-backend:
        address: https://URL-OF-FUNCTION/items
      security:
        - jwt: []
      description: xxx
      operationId: "items"
      parameters: xxx
      responses: xxx

It's not working. I've tried some things found all over the web:

x-google-issuer: "https://accounts.google.com"
x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"

--> {"message":"Audiences in Jwt are not allowed","code":403}

Or :

x-google-issuer: "${var.service_account_email}"
x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/${var.service_account_email}"

--> {"message":"Jwt issuer is not configured","code":401}

To be perfectly fair, I'm not so sure what the next direction to look for is.

Please help.


Solution

After trying multiple things and finding some clues here: GCP API Gateway JWT always returning 403

I made it work with this:

swagger: "2.0"
info:
  title: ${google_api_gateway_api.api.api_id}
  description: xxxxxxxxxxxxx
  version: 0.0.1
securityDefinitions:
  gcp_jwt:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: 'https://accounts.google.com'
    x-google-jwks_uri: 'https://www.googleapis.com/oauth2/v3/certs'
    x-google-audiences: 'xxxxxx.apps.googleusercontent.com'
schemes:
  - https
paths:
  "/items":
    get:
      x-google-backend:
        address: https://URL-OF-FUNCTION/items
      security:
        - gcp_jwt: []
      description: xxx
      operationId: "items"
      parameters: xxx
      responses: xxx

With xxxxxx.apps.googleusercontent.com being the aud parameter found here:

curl "https://oauth2.googleapis.com/tokeninfo?id_token=$(gcloud auth print-identity-token)"

But I'm not sure of the implications of using it like this. I can't manage to find where this client id is generated. So I'm not sure which entities will be able to use this.

It seems OK for the other users. But what about other GCP cloud apps / functions & code? And will it be the same during the next months?
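The two error messages in the question and the fix in the answer all come down to the gateway matching the token's `iss` and `aud` claims against `x-google-issuer` and `x-google-audiences`. The script below is an added illustration, not code from the question, the answer or Google: it builds a constructed, unsigned token shaped like the one `gcloud auth print-identity-token` returns, decodes its claims the way the `tokeninfo` call in the answer would show them, and replays the three configurations from the thread against it. Signature verification against `x-google-jwks_uri` is deliberately not modelled (the gateway does that before any claim check); the hostnames, client id and service-account address are placeholders, and the rule that an omitted `x-google-audiences` leaves only the gateway's own host as an accepted audience is the ESPv2 default being modelled, stated here as the assumption behind the 403.

```python
import base64
import json
import time

# Constructed sample values (not from the page): the Google issuer from the
# question, a hypothetical gateway host, a placeholder OAuth client id standing
# in for 'xxxxxx.apps.googleusercontent.com', and a hypothetical service account.
GOOGLE_ISSUER = "https://accounts.google.com"
GATEWAY_HOST = "my-gateway-abc123.uc.gateway.dev"          # hypothetical
CLIENT_ID_AUD = "000000000000.apps.googleusercontent.com"  # placeholder
SA_EMAIL = "deployer@my-project.iam.gserviceaccount.com"   # hypothetical


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unverifiable_token(claims: dict) -> str:
    """Build a compact JWS with a dummy signature, for exercising claim checks only.
    A real ID token from 'gcloud auth print-identity-token' is RS256-signed by Google."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, issuers, audiences, now=None):
    """Mimic the gateway's issuer/audience decision for an already
    signature-verified token. `issuers` are the configured x-google-issuer
    values; `audiences` is the x-google-audiences list, or None when the field
    is omitted (then only the gateway's own host is accepted, modelled here as
    the ESPv2 default). Returns (http_status, message) using the gateway's
    own message strings as quoted in the question."""
    if claims.get("iss") not in issuers:
        return 401, "Jwt issuer is not configured"
    allowed = audiences if audiences is not None else [GATEWAY_HOST]
    aud = claims.get("aud")
    token_auds = aud if isinstance(aud, list) else [aud]
    if not any(a in allowed for a in token_auds):
        return 403, "Audiences in Jwt are not allowed"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return 401, "Jwt is expired"
    return 200, "ok"


def gcloud_style_claims(now: float) -> dict:
    """Claims shaped like a user ID token; every value here is constructed."""
    return {
        "iss": GOOGLE_ISSUER,
        "aud": CLIENT_ID_AUD,
        "sub": "1234567890",
        "email": "dev@example.com",
        "email_verified": True,
        "iat": int(now),
        "exp": int(now) + 3600,
    }


def run_scenarios(now: float = 1_700_000_000.0):
    """The three gateway configurations from the thread against the same token."""
    token = make_unverifiable_token(gcloud_style_claims(now))
    claims = decode_claims(token)
    return {
        # 1) Google issuer, no x-google-audiences -> the 403 from the question
        "google_issuer_no_audiences": check_claims(claims, [GOOGLE_ISSUER], None, now),
        # 2) service-account issuer -> the 401 from the question (iss is accounts.google.com)
        "service_account_issuer": check_claims(claims, [SA_EMAIL], [CLIENT_ID_AUD], now),
        # 3) Google issuer + client-id audience -> the accepted answer's config
        "google_issuer_with_audience": check_claims(claims, [GOOGLE_ISSUER], [CLIENT_ID_AUD], now),
    }


if __name__ == "__main__":
    for name, (status, message) in run_scenarios().items():
        print(f"{name:30s} -> {status} {message}")
```

On the answer's open question about who can call the API: the audience check only establishes which OAuth client the token was minted for, not which principal holds it, so any Google account that can run `gcloud auth print-identity-token` presents the same `aud`. Authorizing the caller is still the backend's job, using the verified `email` or `sub` claim that API Gateway forwards in the `X-Apigateway-Api-Userinfo` header, or IAM on the function itself.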