Google云端HTTP函数认证失败
Google Cloud HTTP function authentication fails
我想保护一些 Google 云平台 HTTP 功能。我一直在关注这里:
我已经成功地按照说明设置了它提到的调度程序作业,使用 Auth Header 的 Add OIDC token 选项,以及我为调用这些 HTTP 设置的服务帐户职能。从调度程序成功调用该函数。
(添加IAM Member的过程略有不同,我按照these instructions)
我能够通过测试功能从 GCP 中成功调用该函数,并且从调度程序中成功调用该函数。调用函数 w/o 任何身份验证都会导致此消息,因此我相当确定身份验证设置正确:
Error: Forbidden
Your client does not have permission to get URL /myAuthenticatdeFunction from this server.
现在我已经编写了一个 c# 应用程序,它检索 OIDC 令牌并根据说明发出 http 请求 here。
public async Task<HttpResponseMessage> InvokeRequestAsync(
string iapClientId, string uri, CancellationToken cancellationToken = default)
{
// Get the OidcToken.
// You only need to do this once in your application
// as long as you can keep a reference to the returned OidcToken.
OidcToken oidcToken = await GetOidcTokenAsync(iapClientId, cancellationToken);
// Before making an HTTP request, always obtain the string token from the OIDC token,
// the OIDC token will refresh the string token if it expires.
string token = await oidcToken.GetAccessTokenAsync(cancellationToken);
// Include the OIDC token in an Authorization: Bearer header to
// IAP-secured resource
// Note: Normally you would use an HttpClientFactory to build the httpClient.
// For simplicity we are building the HttpClient directly.
using HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
return await httpClient.GetAsync(uri, cancellationToken);
}
/// <summary>
/// Obtains an OIDC token for authentication an IAP request.
/// </summary>
/// <param name="iapClientId">The client ID observed on
/// https://console.cloud.google.com/apis/credentials. </param>
/// <param name="cancellationToken">The token to propagate operation cancel notifications.</param>
/// <returns>The HTTP response message.</returns>
public async Task<OidcToken> GetOidcTokenAsync(string iapClientId, CancellationToken cancellationToken)
{
// Obtain the application default credentials.
//GoogleCredential credential = await GoogleCredential.GetApplicationDefaultAsync(cancellationToken);
string filepath = @"<path to json file for service account>";
GoogleCredential credential = await GoogleCredential.FromFileAsync(filepath, cancellationToken);
// Request an OIDC token for the Cloud IAP-secured client ID.
return await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience(iapClientId), cancellationToken);
}
当我 运行 那,这就是我得到的:
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL <code>/myAuthenticatdeFunction</code>.</h2>
<h2></h2>
</body></html>
我错过了什么?为什么不验证?
在您的代码中,您使用仅适用于受 IAP 保护的 App Engine 的 IapClientId。如果您使用 IAM 保护的 Cloud Functions(同样适用于 IAM 保护的 Cloud 运行),您需要使用服务的基础 URL 作为受众价值
https://<region>.<projectID>.cloudfunctions.net/<functionname>
我想保护一些 Google 云平台 HTTP 功能。我一直在关注这里:
我已经成功地按照说明设置了它提到的调度程序作业,使用 Auth Header 的 Add OIDC token 选项,以及我为调用这些 HTTP 设置的服务帐户职能。从调度程序成功调用该函数。
(添加IAM Member的过程略有不同,我按照these instructions)
我能够通过测试功能从 GCP 中成功调用该函数,并且从调度程序中成功调用该函数。调用函数 w/o 任何身份验证都会导致此消息,因此我相当确定身份验证设置正确:
Error: Forbidden Your client does not have permission to get URL /myAuthenticatdeFunction from this server.
现在我已经编写了一个 c# 应用程序,它检索 OIDC 令牌并根据说明发出 http 请求 here。
public async Task<HttpResponseMessage> InvokeRequestAsync(
string iapClientId, string uri, CancellationToken cancellationToken = default)
{
// Get the OidcToken.
// You only need to do this once in your application
// as long as you can keep a reference to the returned OidcToken.
OidcToken oidcToken = await GetOidcTokenAsync(iapClientId, cancellationToken);
// Before making an HTTP request, always obtain the string token from the OIDC token,
// the OIDC token will refresh the string token if it expires.
string token = await oidcToken.GetAccessTokenAsync(cancellationToken);
// Include the OIDC token in an Authorization: Bearer header to
// IAP-secured resource
// Note: Normally you would use an HttpClientFactory to build the httpClient.
// For simplicity we are building the HttpClient directly.
using HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
return await httpClient.GetAsync(uri, cancellationToken);
}
/// <summary>
/// Obtains an OIDC token for authentication an IAP request.
/// </summary>
/// <param name="iapClientId">The client ID observed on
/// https://console.cloud.google.com/apis/credentials. </param>
/// <param name="cancellationToken">The token to propagate operation cancel notifications.</param>
/// <returns>The HTTP response message.</returns>
public async Task<OidcToken> GetOidcTokenAsync(string iapClientId, CancellationToken cancellationToken)
{
// Obtain the application default credentials.
//GoogleCredential credential = await GoogleCredential.GetApplicationDefaultAsync(cancellationToken);
string filepath = @"<path to json file for service account>";
GoogleCredential credential = await GoogleCredential.FromFileAsync(filepath, cancellationToken);
// Request an OIDC token for the Cloud IAP-secured client ID.
return await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience(iapClientId), cancellationToken);
}
当我 运行 那,这就是我得到的:
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL <code>/myAuthenticatdeFunction</code>.</h2>
<h2></h2>
</body></html>
我错过了什么?为什么不验证?
在您的代码中,您使用仅适用于受 IAP 保护的 App Engine 的 IapClientId。如果您使用 IAM 保护的 Cloud Functions(同样适用于 IAM 保护的 Cloud 运行),您需要使用服务的基础 URL 作为受众价值
https://<region>.<projectID>.cloudfunctions.net/<functionname>