Authenticating to Endpoints (Std env) with default GAE service account is giving "401 Method does not allow callers without established identity"

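I am trying to create Google Cloud Endpoints in an App Engine standard environment service with two authentication methods: an API key and the default GAE service account.

API key authentication works fine, but the "service_to_service_gae" authentication gives: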

401 Method does not allow callers without established identity. Please use an API key or other form of API consumer identity to call this API.

I am decorating the endpoint like this:

@endpoints.api(
    name='widgets',
    version='v1',
    base_path='/api/',
    api_key_required=True,
    allowed_client_ids=['XXXX@appspot.gserviceaccount.com'])

class WidgetsApi(remote.Service):
... 

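and, following the sample client from GitHub, I am calling the API with this code:

import base64
import httplib
import json
import time
import urllib

from google.appengine.api import app_identity

SERVICE_ACCOUNT_EMAIL = 'XXXX@appspot.gserviceaccount.com'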
def generate_jwt():
  """Generates a signed JSON Web Token using the Google App Engine default
  service account."""
  now = int(time.time())

  header_json = json.dumps({
      "typ": "JWT",
      "alg": "RS256"})

  payload_json = json.dumps({
      "iat": now,
      # expires after one hour.
      "exp": now + 3600,
      # iss is the service account email.
      "iss": SERVICE_ACCOUNT_EMAIL,
      "sub": SERVICE_ACCOUNT_EMAIL,
      "email": SERVICE_ACCOUNT_EMAIL,
      "aud": 'https://api-dot-XXXX.appspot.com',
  })

  header_and_payload = '{}.{}'.format(
      base64.urlsafe_b64encode(header_json),
      base64.urlsafe_b64encode(payload_json))
  (key_name, signature) = app_identity.sign_blob(header_and_payload)
  signed_jwt = '{}.{}'.format(
      header_and_payload,
      base64.urlsafe_b64encode(signature))
  return signed_jwt

def make_request(signed_jwt):
  """Makes a request to the auth info endpoint for Google JWTs."""    
  headers = {'Authorization': 'Bearer {}'.format(signed_jwt)}
  conn = httplib.HTTPSConnection('api-dot-XXXX.appspot.com')
  url = '/api/widgets/v1/list'
  conn.request("POST", url, urllib.urlencode({'search': ''}), headers)
  res = conn.getresponse()
  conn.close()
  return res.read()

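Am I forgetting something in the endpoints decorator or in any other configuration? Or maybe the endpoints decorator accepts only one authentication method? I thought calling one service from another within the same GAE std instance would be straightforward. The sample client is kind of confusing (at least for me), e.g. make_request makes a request ('/auth/info/googlejwt') to get the JWT token, but when do you call the actual endpoint?

Thanks in advance, and Happy New Year!!!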

When api_key_required is true, you must provide an API key in the request in addition to any JWT.
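
What the answer describes, as an added example that is not part of the original posts or of Google's sample client: the request carries the API key and the signed JWT together, and a pre-flight check reports which of the two is missing. Assumptions: Python 3 for the sketch, a hypothetical `sign` callable standing in for a wrapper around `app_identity.sign_blob`, the API key passed in the `key` query parameter, and a constructed key value.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit


def b64url(data):
    # RFC 7515 base64url encoding: URL-safe alphabet, '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_jwt(sign, service_account, audience, now=None, ttl=3600):
    # `sign` is hypothetical: bytes in, RS256 signature bytes out. On App Engine
    # it would wrap app_identity.sign_blob and return only the signature.
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "RS256"}
    payload = {"iat": now, "exp": now + ttl, "iss": service_account,
               "sub": service_account, "email": service_account, "aud": audience}
    signing_input = "{}.{}".format(b64url(json.dumps(header).encode()),
                                   b64url(json.dumps(payload).encode()))
    return "{}.{}".format(signing_input, b64url(sign(signing_input.encode())))


def build_request(path, signed_jwt, api_key, form):
    # Both credentials travel together: API key as ?key=..., JWT as bearer token.
    return {"method": "POST",
            "url": "{}?{}".format(path, urlencode({"key": api_key})),
            "headers": {"Authorization": "Bearer {}".format(signed_jwt)},
            "body": urlencode(form)}


def missing_credentials(request):
    # Returns the credentials a request lacks when api_key_required=True
    # is combined with service-account (JWT) authentication.
    missing = []
    if not parse_qs(urlsplit(request["url"]).query).get("key"):
        missing.append("api_key")
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer ") or auth.count(".") != 2:
        missing.append("jwt")
    return missing


if __name__ == "__main__":
    account = "XXXX@appspot.gserviceaccount.com"
    token = build_jwt(lambda b: b"constructed-signature", account,
                      "https://api-dot-XXXX.appspot.com")
    req = build_request("/api/widgets/v1/list", token,
                        "CONSTRUCTED-API-KEY", {"search": ""})
    print(req["url"], missing_credentials(req))
```

The request in the question corresponds to the case where `missing_credentials` returns `["api_key"]`: a bearer token is present but the URL has no `key` parameter.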