We are trying to use EspAuthenticator to secure our endpoint as described in the documentation. One of the clients is a Java server application running on GKE, and we adopted the Python code from Service-to-Service Authentication documentation page to use the GKE service account to sign a JWT assertion and send it to the accounts.google.com authorization server to get a Google ID token for further requests. Here is the decoded token payload:
{
  "iss": "accounts.google.com",
  "iat": 1482191821,
  "exp": 1482195421,
  "aud": "https://[SERVICE_NAME]",
  "sub": "118282247168390088452",
  "email_verified": true,
  "azp": "[SERVICE_ACCOUNT_EMAIL]",
  "email": "[SERVICE_ACCOUNT_EMAIL]"
}
Note that the audience (aud) of this token includes the protocol (https://). It is exactly the same as the target_aud we requested from the authorisation server, and it has to be like that as the server will fail if the protocol is not provided. The Service-to-Service Authorisation doc also confirms that protocol should be included:
Replace TARGET_AUD with https://[SERVICE_NAME], where [SERVICE_NAME] is the value of the host entry in the API configuration file, for example, YOUR-SERVER-PROJECT-ID.appspot.com
However, on the endpoint side EspAuthenticator fails to accept the request:
com.google.api.server.spi.auth.EspAuthenticator authenticate
WARNING: Authentication failed: com.google.api.auth.UnauthenticatedException: Audiences not allowed
Debugging the code that generates this error we can see that it is designed to accept the request if the token audience matches the service name. However, it does not accept it as the audience includes the protocol and service name does not.
We were able to proceed with the workaround of using @Api.audiences to whitelist https://[SERVICE_NAME], but it's not very convenient as we have to whitelist all service names used by different environments (e.g. development, test and production). We would appreciate any feedback on whether it is an issue of the EspAuthenticator or our setup.
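To make the mismatch concrete, here is an added illustration (not code from the post or from the Endpoints Frameworks project) of the claim checks a token-accepting service performs on a decoded ID token payload. It models the behaviour the post describes: the audience is accepted only when it equals the configured service name or one of the explicitly allowed audiences (the @Api.audiences workaround). The payload is a constructed copy of the one shown above with the bracketed placeholders left as stand-ins, the `ALLOWED_ISSUERS` set and the scheme-tolerant `audience_matches_host` helper are assumptions of this example, and JWT signature verification against Google's public keys is assumed to have happened before these checks run.

```python
import time

# Constructed payload modelled on the decoded token in the post.
# The bracketed values are placeholders, not real identifiers.
TOKEN_PAYLOAD = {
    "iss": "accounts.google.com",
    "iat": 1482191821,
    "exp": 1482195421,
    "aud": "https://[SERVICE_NAME]",
    "sub": "118282247168390088452",
    "email_verified": True,
    "azp": "[SERVICE_ACCOUNT_EMAIL]",
    "email": "[SERVICE_ACCOUNT_EMAIL]",
}

# Assumed issuer allow-list for this example; Google ID tokens use either form.
ALLOWED_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def check_audience(payload, service_name, extra_audiences=()):
    """Strict audience check, mirroring what the post describes.

    Accept only when some 'aud' value equals the service name itself or one
    of the explicitly allowed audiences (the @Api.audiences workaround).
    Returns (accepted, reason).
    """
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    allowed = {service_name, *extra_audiences}
    if any(a in allowed for a in auds):
        return True, "audience accepted"
    return False, "Audiences not allowed: %r not in %r" % (auds, sorted(allowed))


def audience_matches_host(aud, service_name):
    """Assumed scheme-tolerant variant: treat 'https://<host>' as equivalent
    to the bare host. Shown only to illustrate the alternative behaviour;
    it is not what the post reports EspAuthenticator doing."""
    return aud == service_name or aud == "https://" + service_name


def validate_claims(payload, service_name, extra_audiences=(), now=None):
    """Issuer, validity window and audience checks on an already
    signature-verified payload. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    if payload.get("iss") not in ALLOWED_ISSUERS:
        return False, "issuer not trusted"
    # Reject tokens that are expired or not yet valid.
    if not (payload["iat"] <= now < payload["exp"]):
        return False, "token outside validity window"
    return check_audience(payload, service_name, extra_audiences)


if __name__ == "__main__":
    # Strict match against the bare service name fails, as in the post.
    print(check_audience(TOKEN_PAYLOAD, "[SERVICE_NAME]"))
    # Whitelisting the https:// form (the workaround) succeeds.
    print(check_audience(TOKEN_PAYLOAD, "[SERVICE_NAME]", ("https://[SERVICE_NAME]",)))
    # A scheme-tolerant comparison would also accept it.
    print(audience_matches_host(TOKEN_PAYLOAD["aud"], "[SERVICE_NAME]"))
```

Running the block prints a rejection for the bare service name, an acceptance once https://[SERVICE_NAME] is explicitly allowed, and True for the scheme-tolerant comparison; the per-environment burden the post describes comes from having to add each environment's https:// audience to that allow-list.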