JWT 验证失败:BAD_FORMAT

JWT validation failed: BAD_FORMAT

我正在按照 article.

尝试在 Cloud Functions 上配置端点

已执行以下步骤:

1) 创建一个 Google Cloud Platform (GCP) 项目,并部署以下 Cloud Function。

export const TestPost = (async (request: any, response: any) => {
    response.send('Record created.');
});

使用以下命令

gcloud functions deploy TestPost --runtime nodejs10 --trigger-http --region=asia-east2

功能到这里都运行良好。

2) 使用以下命令将 ESP 容器部署到云 运行

gcloud config set run/region us-central1

gcloud beta run deploy CLOUD_RUN_SERVICE_NAME \
    --image="gcr.io/endpoints-release/endpoints-runtime-serverless:1.30.0" \
    --allow-unauthenticated \
    --project=ESP_PROJECT_ID

ESP 容器也部署成功。

3) 创建一个描述 API 的 OpenAPI 文档,并配置到 Cloud Functions 的路由。

swagger: '2.0'
info:
    title: Cloud Endpoints + GCF
    description: Sample API on Cloud Endpoints with a Google Cloud Functions backend
    version: 1.0.0
host: HOST
schemes:
- https
produces:
    - application/json
paths:
    /Test:
      get:
        summary: Do something
        operationId: Test
        x-google-backend:
            address: https://REGION-FUNCTIONS_PROJECT_ID.cloudfunctions.net/Test
        responses:
            '200':
                description: A successful response
                schema:
                    type: string

4) 使用以下命令部署 OpenAPI 文档 

gcloud endpoints services deploy swagger.yaml

5) 配置 ESP,以便它可以找到 Endpoints 服务的配置。

gcloud beta run configurations update \
   --service CLOUD_RUN_SERVICE_NAME  \
   --set-env-vars ENDPOINTS_SERVICE_NAME=YOUR_SERVICE_NAME \
   --project ESP_PROJECT_ID

gcloud alpha functions add-iam-policy-binding FUNCTION_NAME \
    --member "serviceAccount:ESP_PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
    --role "roles/iam.cloudfunctions.invoker" \
    --project FUNCTIONS_PROJECT_ID

成功完成

6) 正在向 API

发送请求

工作得很好。

现在我想实施身份验证,因此我对 OpenAPI 文档进行了以下更改 

swagger: '2.0'
info:
    title: Cloud Endpoints + GCF
    description: Sample API on Cloud Endpoints with a Google Cloud Functions backend
    version: 1.0.0
host: HOST
schemes:
- https
produces:
    - application/json
security:
    - client-App-1: [read, write]
paths:
    /Test:
      get:
        summary: Do something
        operationId: Test
        x-google-backend:
            address: https://REGION-FUNCTIONS_PROJECT_ID.cloudfunctions.net/Test
        responses:
            '200':
                description: A successful response
                schema:
                    type: string
securityDefinitions:
    client-App-1:
        authorizationUrl: ""
        flow: "implicit"
        type: "oauth2"
        scopes:
            read: Grants read access
            write: Grants write access
        x-google-issuer: SERVICE_ACCOUNT@PROJECT.iam.gserviceaccount.com
        x-google-jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT@PROJECT.iam.gserviceaccount.com

我使用以下命令创建了一个服务帐户。

gcloud iam service-accounts create SERVICE_ACCOUNT_NAME --display-name DISPLAY_NAME

使用以下方式向服务帐户授予令牌创建者角色

gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:SERVICE_ACCOUNT_EMAIL --role roles/iam.serviceAccountTokenCreator

重新部署 OpenAPI 文档

gcloud endpoints services deploy swagger.yaml

现在当我测试 API 时出现以下错误

{
    "code": 16,
    "message": "JWT validation failed: BAD_FORMAT",
    "details": [
        {
            "@type": "type.googleapis.com/google.rpc.DebugInfo",
            "stackEntries": [],
            "detail": "auth"
        }
    ] }

我正在使用 BearerToken 将通过 gcloud 生成的访问令牌传递到请求中

用于生成访问令牌的命令是 gcloud auth application-default print-access-token

谁能指出这里的问题所在。谢谢...

编辑#1: 我正在使用 Postman 连接到我的 API 的

使用以下命令后,出现了不同的错误。

命令:

gcloud auth print-identity-token SERVICE_ACCOUNT_EMAIL

错误:

{
    "code": 16,
    "message": "JWT validation failed: Issuer not allowed",
    "details": [
        {
            "@type": "type.googleapis.com/google.rpc.DebugInfo",
            "stackEntries": [],
            "detail": "auth"
        }
    ]
}

对于 ESP,您应该使用 jwt-token 或身份令牌。不是访问令牌。请查看 this

最后我经理解决了这个问题。

有两处错误。

1) raw JWT token 的格式,应该如下

{
    "iss": SERVICE_ACCOUNT_EMAIL,
    "iat": 1560497345,
    "aud": ANYTHING_WHICH_IS_SAME_AS_IN_OPENAPI_YAML_FILE,
    "exp": 1560500945,
    "sub": SERVICE_ACCOUNT_EMAIL
}

然后我们需要使用以下命令生成签名的 JWT 令牌

gcloud beta iam service-accounts sign-jwt --iam-account SERVICE_ACCOUNT_EMAIL raw-jwt.json signed-jwt.json

2) YAML 文件中的安全定义应该如下所示

securityDefinitions:
  client-App-1:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    scopes:
      read: Grants read access
      write: Grants write access
    x-google-issuer: SERVICE_ACCOUNT_EMAIL 
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL
    x-google-audiences: ANYTHING_BUT_SAME_AS_IN_RAW_JWT_TOKEN