问题
I'm trying to implement service-to-service authentication to Google Cloud Endpoints API using Google Service account, but get the following error.
Cannot decode and verify the auth token. The backend will not be able to retrieve user info (.../lib/endpoints_management/control/wsgi.py:596)
Traceback (most recent call last):
File ".../lib/endpoints_management/control/wsgi.py", line 593, in __call__
service_name)
File ".../lib/endpoints_management/auth/tokens.py", line 81, in authenticate
error)
UnauthenticatedException: (u'Cannot decode the auth token', UnicodeDecodeError('ascii', '\xc9\xad\xbd', 0, 1, 'ordinal not in range(128)'))
Value of auth_token variable passed to self.get_jwt_claims(auth_token) is :
ya29.ElmlBB1mwIfrsnURUIQg0Nv6v5UPzFR02miD4w_VywMSlWGDstpmmc5vPsmUqt5rCcho797B1HeEOgT0UBQiVfv9dlsfxSMLRf67SGwX0ceK5uTujj4_tSUXog
Looks like endpoints library is trying to decode auth_token as jwt, but auth_token is not jwt. But maybe I'm wrong. Same problem occurs when I'm trying to test API using API Explorer. This happens with the latest endpoints and also with older version.
Here is my API class:
@endpoints.api(
name='myapi',
version='v1',
api_key_required=True,
auth_level=endpoints.AUTH_LEVEL.REQUIRED,
scopes=(
endpoints.EMAIL_SCOPE,
),
)
class MyApi(remote.Service):
...
And this is how i I'm accessing the API:
credentials = ServiceAccountCredentials.from_json_keyfile_dict(
json.loads(json_keyfile_data),
scopes='https://www.googleapis.com/auth/userinfo.email',
)
service = build(
name, version,
http=credentials.authorize(Http()),
discoveryServiceUrl=discovery_url)
...
Am I doing something from or is there a bug in Python endpoints library?
回答1:
Google Cloud Endpoints expects JWT id_token, that's the reason why self.get_jwt_claims(auth_token) fails. Here is in-depth explanation of service-to-service authentication: https://cloud.google.com/endpoints/docs/service-to-service-auth.
来源:https://stackoverflow.com/questions/45647661/how-to-do-authentication-check-in-python-library-from-google-cloud-endpoints-on