This article describes how to handle custom authentication for Google Cloud Endpoints with App Engine Flexible (Node.js); it may be a useful reference for anyone solving the same problem.

Problem description

The Google Cloud Endpoints documentation provides this specification for a custom security definition in the Extensible Service Proxy configuration file:

securityDefinitions:
    your_custom_auth_id:
        authorizationUrl: ""
        flow: "implicit"
        type: "oauth2"
        # The value below should be unique
        x-google-issuer: "issuer of the token"
        x-google-jwks_uri: "url to the public key"
        # Optional. Replace YOUR-CLIENT-ID with your client ID
        x-google-audiences: "YOUR-CLIENT-ID"

The documentation on how to implement this is very sparse for App Engine Flexible. Does anyone have an example of how to set this up or can they attest that it's possible? In particular, what is the interface for authorizationUrl? Can we place the URL of our authorization service (that provides the JWT tokens being verified by the Extensible service proxy) so that the endpoint will redirect to it if the token is invalid in authorizationURL?

Solution

You are correct. 'authorizationUrl' is an OpenAPI Swagger specific annotation which points to the URL endpoint of your login form that is used by the client to retrieve the actual JWT (JSON Web Token).

Once the client retrieves the JWT from your App Engine application after logging in, they can then use it to authorize their requests to your Cloud Endpoint APIs.


Your Node.js App Engine application would use any JWT signing library to generate the JWT (auth0 offers their own in many languages).

To generate the token, you would supply the standard 'JWT' and hashing headers, add in your specific User object JSON payload (as this token should be unique to this specific user), along with your secret/public key.

The JWT library should also automatically provide the required JWT claims while generating it, just ensure you supply the issuer used by the library and your secret/public key in your 'openapi.yaml' as 'x-google-issuer' and 'x-google-jwks_uri'.


You can follow the JWT.io guide to learn more about how to generate and use a JWT. You can also follow the specific App Engine Flexible guide to code your application to handle JWT.
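
The token flow described in the answer, as an added example that is not part of the original answer and not Google's or auth0's code: it signs an RS256 JWT with Node's built-in crypto module, builds the public-key document that the x-google-jwks_uri URL would serve, and applies the checks a verifier makes. The issuer URL, key id, function names and the key pair are constructed assumptions.

```javascript
const crypto = require('crypto');

// Assumed placeholder values: they must match x-google-issuer and
// x-google-audiences in openapi.yaml.
const ISSUER = 'https://auth.example.com';
const AUDIENCE = 'YOUR-CLIENT-ID';
const KID = 'demo-key-1'; // constructed key id

// Constructed throwaway key pair; a real service loads its private key from a secret store.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Sign a short-lived RS256 token for one user (what the login endpoint returns).
function issueToken(userId, ttlSeconds = 3600, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'RS256', typ: 'JWT', kid: KID };
  const claims = { iss: ISSUER, sub: userId, aud: AUDIENCE, iat: now, exp: now + ttlSeconds };
  const signingInput = `${b64url(header)}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Document to serve at the x-google-jwks_uri URL: public key material only.
function jwks() {
  const { kty, n, e } = publicKey.export({ format: 'jwk' });
  return { keys: [{ kty, n, e, kid: KID, alg: 'RS256', use: 'sig' }] };
}

// Checks a verifier applies: pinned algorithm, signature, issuer, audience, expiry.
function verifyToken(token, keySet, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s] = token.split('.');
  if (!h || !p || !s) return null;
  const header = JSON.parse(Buffer.from(h, 'base64url'));
  const jwk = keySet.keys.find((k) => k.kid === header.kid);
  if (header.alg !== 'RS256' || !jwk) return null;
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) return null;
  const claims = JSON.parse(Buffer.from(p, 'base64url'));
  const valid = claims.iss === ISSUER && claims.aud === AUDIENCE && claims.exp > now;
  return valid ? claims : null;
}
```

Only the output of jwks() is published; the private key never leaves the signing service, and a token whose payload is altered after signing fails verifyToken.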


08-06 21:10