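Problem description
I am building authenticated Cloud Functions using Cloud Functions with ESPv2, Firebase authentication and API Management. After authenticating and getting the JWT token from Firebase, I tried curl with the token in Authorization as Bearer. When I tried it in Postman I got "JWT validation failed". When I tried it from the client application I got "Bad Request". Besides the setup mentioned in the link, is there anything else I need to do before making the request?
Updating with more details as requested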
swagger: "2.0"
info:
  title: My API Endpoints
  description: My API Endpoints
  version: 1.0.0
host: myapi-abcdefg.a.run.app
schemes:
  - https
produces:
  - application/json
securityDefinitions:
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/fan-demand"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "my-google-project-id"
paths:
  /getevents:
    get:
      summary: Get Events
      operationId: getevents
      x-google-backend:
        address: https://us-central1-my-google-project-id.cloudfunctions.net/getevents
        protocol: h2
      security:
        - firebase: []
      responses:
        "200":
          description: A successful response
          schema:
            type: string
        "403":
          description: Failed to authenticate
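After deploying this service, I got the ID token from Firebase using the getIdToken() method in the Firebase Dart SDK. The JWT token is in Header.payload.tail format. I then added the token to the Authorization header as Bearer followed by the ID token, and got the following response.
Update: I tried the new API Gateway product, following https://cloud.google.com/api-gateway/docs/authenticating-users-firebase, instead of ESP.
My configuration: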
swagger: "2.0"
info:
  title: My API Endpoints
  description: My API Endpoints
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
securityDefinitions:
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/my-project"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "my-project"
paths:
  /getevents:
    get:
      summary: Get Events
      operationId: getevents
      x-google-backend:
        address: https://us-central1-my-project.cloudfunctions.net/getevents
      security:
        - firebase: []
      responses:
        "200":
          description: A successful response
          schema:
            type: string
        "403":
          description: Failed to authenticate
Client code:
The client is developed in Dart, and user is the Firebase auth object from https://pub.dev/documentation/firebase_auth/latest/firebase_auth/User/getIdToken.html
import 'package:http/http.dart' as http;

// Fetch the Firebase ID token, then call the gateway with it as a Bearer token.
user.getIdToken().then((token) async {
  final response = await http.get(
    Uri.parse('https://mygateway/getevents'),
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json',
      'Authorization': 'Bearer $token',
    },
  );
  print('Token : ${token}');
  print(response.body);
});
I got the response
Solution
Without ESP
The Cloud Function needs to be public (deployed with allUsers) in order to use Firebase authentication.
Note:
Unlike Google Sign-in above, your function is doing the authentication;
therefore, you will be billed for unauthenticated requests since the function must do work to validate the token.
Link to relevant documentation
With ESP
If you want to use Cloud Functions behind ESPv2, you need to create a specific IAM for ESP so that it is able to trigger the Cloud Function privately.
To provide API management for Cloud Functions, you deploy the prebuilt ESPv2 container to Cloud Run.
You then secure your functions by using Cloud Functions IAM so that ESPv2 can invoke them.
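A diagnostic for the "JWT validation failed" error in the question, added here as an example (not code from the original post or from Google): it decodes a token's payload and compares iss, aud and exp with the x-google-issuer and x-google-audiences values from the OpenAPI config. The function name claim_problems and the sample token are assumptions constructed for illustration; the signature is not verified.

```python
import base64
import json
import time


def _segment(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JWT segment (used for the sample)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _decode(segment: str):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def claim_problems(token: str, issuer: str, audiences: str, now=None) -> list:
    """List why a gateway configured with issuer/audiences would reject the token.

    Diagnostic only: claims are inspected, the signature is NOT verified.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not in header.payload.signature form"]
    try:
        claims = _decode(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != x-google-issuer {issuer!r}")
    allowed = {a.strip() for a in audiences.split(",")}  # comma-separated list
    aud = claims.get("aud")
    if not allowed & set(aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} not in x-google-audiences {sorted(allowed)}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


# Constructed sample: unsigned token shaped like a Firebase ID token for a
# project whose id is "my-google-project-id" (placeholder from the page).
NOW = 1_700_000_000
SAMPLE = ".".join([
    _segment({"alg": "RS256", "kid": "constructed", "typ": "JWT"}),
    _segment({"iss": "https://securetoken.google.com/my-google-project-id",
              "aud": "my-google-project-id", "sub": "uid-123", "exp": NOW + 3600}),
    "constructed-signature",
])
```

Run against a real ID token, an empty list means the claims match the config, so the cause lies elsewhere (signature, key set, or how the header is sent).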