如何在openapi yml文件中添加服务帐户安全性定义 [英] how to add a service account security definition in openapi yml file

问题描述

我想向API添加安全性定义以在Google云调度程序中运行它(使用OIDC令牌和服务帐户).我的openapi.yml看起来像这样

I want to add a security definition to an API to run it in the google cloud scheduler (using OIDC token, and a service account).My openapi.yml looks like this

"/common/test":
    post:
      description: "test"
      operationId: "test"
      responses:
        200:
          description: "Success"
        400:
          description: "Fail"
      security:
        - service_account: []  

securityDefinitions:
      service_account:
        authorizationUrl: ""
        flow: "implicit"
        type: "oauth2"
        x-google-issuer: "xx@example.iam.gserviceaccount.com"
        x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/xx@example.iam.gserviceaccount.com"

，但是当我通过云调度程序(使用OIDC令牌和服务帐户(xx@example.iam.gserviceaccount.com))调用此API时，它失败了.日志视图显示未经授权的401.如何解决此错误.

but it fails when I called this API via cloud scheduler(using OIDC token, and a service account(xx@example.iam.gserviceaccount.com)). log view says unauthorized 401. How can I fix this error.

{httpRequest: {status: 401} insertId: "1r9kx9lf2jy71o" jsonPayload: { @type: "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished" jobName: "projects/project-xxx/locations/us-central1/jobs/test" status: "UNAUTHENTICATED" targetType: "HTTP" url: "https://project-xxx.appspot.com/common/test/"} logName: "projects/project-xxx/logs/cloudscheduler.googleapis.com%2Fexecutions" receiveTimestamp: "2020-01-06T06:30:01.000238320Z" resource: { labels: {…} type: "cloud_scheduler_job" }severity: "ERROR" timestamp: "2020-01-06T06:30:01.000238320Z"}

来自Cloud Scheduler的

推荐答案

OIDC(openConnectId)令牌与Oauth2授权不兼容. OpenAPI v3添加了对OIDC令牌的支持.

OIDC (openConnectId) tokens, from Cloud Scheduler, are not compatible with Oauth2 authorization. OpenAPI v3 has added support for OIDC tokens.

这篇关于如何在openapi yml文件中添加服务帐户安全性定义的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！