Ajax request to cloud run service that requires authentication


Problem description

I'm having a CORS related issue with google cloud run on a service that
requires authentication.

If I try to execute a curl command through the cli, with a Bearer token,
everything works fine. Unfortunately if I try to execute the same call through ajax in javascript,
I receive a 403.

  const http = new XMLHttpRequest();
  const url = 'https://my-app.run.app';

  http.open("GET", url);
  http.withCredentials = true;
  http.setRequestHeader("authorization", 'Bearer ' + id_token);
  http.send();
  http.onreadystatechange = (e) => {
    console.log(http.responseText)
  }

The error in the cloud run logs is this:

The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating

The container is never hit.

The issue I'm seeing is that, as I'm making the call using ajax in a web
browser, the web browser is making a preflight request (OPTIONS on the
url) without sending the Authorization header (which is expected
behavior).

The problem seems to be that cloud run tries to authenticate the OPTIONS
request and never makes it to my container, which, as far as I understand,
shouldn't be done. (
https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 )

Is that a known issue with cloud run?

How could I make an ajax request to an authenticated cloud run service?

Recommended answer

(Cloud Run PM)

This is a known issue. There are a few options:

  1. Allow unauthenticated requests and do CORS/auth yourself
     1. There is a variation of this that uses Cloud Endpoints running on Cloud Run in front of your compute. Have Endpoints do your end-user auth, then forward the request to your backend.
  2. Serve from the same domain (e.g. use the Firebase Hosting proxy)
  3. We've considered implementing Istio CORSPolicy, which would return CORS headers before the auth check, though we're not committed to this as of now.
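
Option 1 from the answer, sketched as an added example (not part of the original answer and not Google's code): the service is deployed to allow unauthenticated invocations, and the container answers the preflight itself and checks the Bearer token on every other request. `ALLOWED_ORIGINS`, `corsHeaders`, `makeHandler` and the injected `verifyIdToken` function are assumptions; a real verifier must validate the ID token's signature, audience and expiry.

```javascript
// Constructed value: the only browser origin allowed to call this service.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// CORS headers for an allowed origin, or null for anything else.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // '*' is rejected by browsers when credentials are sent
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization',
    'Access-Control-Max-Age': '600',
    'Vary': 'Origin',
  };
}

// verifyIdToken(token) -> Promise<claims>, rejecting on an invalid token
// (hypothetical interface; plug in a real ID-token verifier here).
function makeHandler(verifyIdToken) {
  return async function handler(req, res) {
    const cors = corsHeaders(req.headers.origin);
    if (req.method === 'OPTIONS') {
      // The preflight never carries Authorization: answer it before any auth check.
      res.writeHead(cors ? 204 : 403, cors || {});
      return res.end();
    }
    const m = /^Bearer (.+)$/i.exec(req.headers.authorization || '');
    if (!m) {
      res.writeHead(401, { ...cors, 'WWW-Authenticate': 'Bearer' });
      return res.end();
    }
    try {
      const claims = await verifyIdToken(m[1]);
      res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
      res.end(JSON.stringify({ sub: claims.sub }));
    } catch (err) {
      // Keep the CORS headers on errors so the page can read the 401.
      res.writeHead(401, { ...cors, 'WWW-Authenticate': 'Bearer error="invalid_token"' });
      res.end();
    }
  };
}
// Wire-up in a container: http.createServer(makeHandler(verify)).listen(process.env.PORT)
```

Because the platform no longer checks anything, the token check in the handler is the only authentication the service has; every non-OPTIONS route must go through it.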
