`google.api.Service` config seems to require an audience to avoid JWT validation errors

Open thomasmburke opened this issue 4 years ago • 5 comments

In which file did you encounter the issue?

Did you change the file? If so, how?

Yes, in the following section of the files:

```yaml
#
# Request authentication.
#
authentication:
  providers:
  - id: google_service_account
    # Replace SERVICE-ACCOUNT-ID with your service account's email address.
    issuer: SERVICE-ACCOUNT-ID
    jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE-ACCOUNT-ID
  rules:
  # This auth rule will apply to all methods.
  - selector: "*"
    requirements:
      - provider_id: google_service_account
```

I added an audience field to the config:

```yaml
#
# Request authentication.
#
authentication:
  providers:
  - id: google_service_account
    # Replace SERVICE-ACCOUNT-ID with your service account's email address.
    issuer: SERVICE-ACCOUNT-ID
    jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE-ACCOUNT-ID
    audiences: DEFAULT_HOSTNAME
  rules:
  # This auth rule will apply to all methods.
  - selector: "*"
    requirements:
      - provider_id: google_service_account
```

Describe the issue

When using the current api_config_auth.yaml for service-account JWT authentication I continued to get `{"message":"Audiences in Jwt are not allowed","code":403}`. This error was present regardless of whether the JWT I passed had an audience. I used jwt_token_gen.py to generate the JWTs to pass when reaching out to the API: `python3 bookstore_client.py --auth_token JWT_TOKEN --host= DEFAULT_HOSTNAME --port 443 --use_tls true`.

To generate a JWT without an audience field I commented out the `aud` portion of the payload in `jwt_token_gen.py`. I tried without an audience and with the service name as an audience, and each test produced the same error message. I inspected each JWT in jwt.io to ensure that each JWT claim was how I expected.

Overall, I suspect the google.api.Service spec has a different behavior for expected audiences than the OpenAPI spec (which doesn't require an audience). Adding an audience to the config resolved the issue and allowed me to hit the API with service-account JWT authentication enabled. Willing to create a PR to incorporate `audiences: DEFAULT_HOSTNAME` if approved 👍

thomasmburke avatar Jun 02 '21 23:06 thomasmburke
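To make the audience check concrete, here is an added example (not code from python-docs-samples or from the reporter) of the claim validation a gateway performs once a provider lists `audiences`: it runs the three token shapes the report describes (no `aud`, the service name as `aud`, the hostname as `aud`) against a constructed provider entry. The issuer, hostname and service-name values are placeholders, and it assumes the JWT signature has already been verified against the provider's `jwks_uri`.

```python
import base64
import json

# Constructed stand-in for the `authentication.providers` entry in
# api_config_auth.yaml; all identities here are placeholders.
PROVIDER = {
    "id": "google_service_account",
    "issuer": "sa@example-project.iam.gserviceaccount.com",
    "audiences": ["bookstore.example.appspot.com"],  # DEFAULT_HOSTNAME stand-in
}
NOW = 1_700_000_000  # fixed clock so the checks are reproducible offline


def _seg(obj: dict) -> str:
    """base64url-encode one JWT segment without padding."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build header.payload.<placeholder> for offline claim tests only (no real signature)."""
    return f"{_seg({'alg': 'RS256', 'typ': 'JWT'})}.{_seg(claims)}.sig-placeholder"


def decode_claims(token: str) -> dict:
    """Parse the payload; assumes the signature was verified via jwks_uri beforehand."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, provider: dict, now: int = NOW) -> str:
    """Issuer, expiry and audience rules an audience-restricted provider enforces."""
    if claims.get("iss") != provider["issuer"]:
        return "reject: issuer mismatch"
    if claims.get("exp", 0) <= now:
        return "reject: expired"
    aud = claims.get("aud")
    if aud is None:
        return "reject: no aud claim"
    auds = aud if isinstance(aud, list) else [aud]
    if not set(auds) & set(provider["audiences"]):
        return "reject: aud not in provider audiences"
    return "accept"


def evaluate_examples() -> dict:
    """Run the three token shapes from the report through check_claims."""
    base = {"iss": PROVIDER["issuer"], "sub": PROVIDER["issuer"], "iat": NOW, "exp": NOW + 3600}
    cases = {"no_aud": {}, "service_name_aud": {"aud": "bookstore.endpoints.example"},
             "hostname_aud": {"aud": "bookstore.example.appspot.com"}}
    return {name: check_claims(decode_claims(make_unsigned_token({**base, **extra})), PROVIDER)
            for name, extra in cases.items()}
```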

@dandhlee does bookstore fall under your purview w/ onramp? If not, feel free to reassign

leahecole avatar Aug 16 '21 20:08 leahecole

Bookstore does but not auth :S

@arithmetic1728 Could you help take a look at this?

dandhlee avatar Aug 16 '21 20:08 dandhlee

@arithmetic1728 friendly ping c:

dandhlee avatar Feb 19 '22 23:02 dandhlee

@dandhlee Sorry for the late reply. I have no knowledge on the server side config. I only work on client side auth.

arithmetic1728 avatar Feb 22 '22 04:02 arithmetic1728

Thanks for the update! Let me take a look...

dandhlee avatar Feb 22 '22 13:02 dandhlee