How to set up custom user authentication with Google Cloud Endpoints

Question

I am trying to understand how to use Cloud Endpoints with custom authentication. From the docs I understand that it starts from the securityDefinitions:

securityDefinitions:
    your_custom_auth_id:
      authorizationUrl: ""
      flow: "implicit"
      type: "oauth2"
      # The value below should be unique
      x-google-issuer: "issuer of the token"
      x-google-jwks_uri: "url to the public key"
      # Optional. Replace YOUR-CLIENT-ID with your client ID
      x-google-audiences: "YOUR-CLIENT-ID"

This is how I understand the flow:

  1. The API consumer sends a request with a JWT token in the header
  2. ESP validates this token using the authorizationUrl
  3. The request is forwarded or ESP returns an error.

My questions:

  • Is the flow above correct?
  • How should the authorizationUrl be implemented? How does the request look, and what response should be returned in case of success or failure?

What about these values?

  • x-google-issuer: "issuer of the token"
  • x-google-jwks_uri: "url to the public key"
  • x-google-audiences: "YOUR-CLIENT-ID"

Recommended answer

Configuring Custom Authentication for Endpoints

To configure custom authentication for Endpoints (and according to the OpenAPI v2 spec), you need two pieces:

  1. Define your custom authentication scheme in the securityDefinitions section of the spec
  2. Apply your custom authentication scheme (defined in #1) to the entire api or to specific operations using the security field.

The Google Cloud Endpoints docs describe this here.

Some fields in the SecurityDefinitions section of the OpenAPI spec are for the API producer, and some are for the API consumer.

The following fields are for the API producer and tell Endpoints how to validate the access tokens that accompany API requests:

  • type: "oauth2"
  • x-google-issuer: "issuer of the token"
  • x-google-jwks_uri: "url to the public key"
  • x-google-audiences: "YOUR-CLIENT-ID"

These fields are specified by the API producer and tell the consumer how to get a valid access token:

  • authorizationUrl
  • flow

  1. Correct. Here is documentation on how the consumer should send the access token with the request
  2. ESP validates the access token using the public keys specified in the x-google-jwks_uri property of the spec and ensures that the issuer of the token matches the issuer specified in the securityDefinition's x-google-issuer field.
  3. Correct.

Regarding your questions, the authorizationUrl should be set up by the OAuth2 provider you are using. That url should allow the consumer to execute the implicit OAuth2 flow to get an access token. All you need to do is specify this
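
The validation described in point 2 of the answer, as an added example (not code from the original post or from ESP): the proxy checks the token locally against the published public key, the expected issuer and the audiences, and never calls authorizationUrl. The toy RSA key, the issuer URL, the `kid` value and all function names are constructed for this sketch, and only the checks named in the answer are implemented.

```python
import base64, hashlib, json

# Constructed toy RSA key (two Mersenne primes), for this demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SIZE = (N.bit_length() + 7) // 8  # modulus length in bytes
ISSUER, AUDIENCE = "https://issuer.example.test", "YOUR-CLIENT-ID"  # placeholders
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# What the issuer would publish at x-google-jwks_uri (public half only).
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "alg": "RS256",
                  "n": b64e(N.to_bytes(SIZE, "big")), "e": b64e(E.to_bytes(3, "big"))}]}

def emsa_pkcs1_sha256(message, size):
    digest = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (size - len(digest) - 3) + b"\x00" + digest

def issue(claims, kid="demo-1"):
    """Issuer side: sign the claims with the private exponent D."""
    head = b64e(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    signed = f"{head}.{b64e(json.dumps(claims).encode())}"
    sig = pow(int.from_bytes(emsa_pkcs1_sha256(signed.encode(), SIZE), "big"), D, N)
    return f"{signed}.{b64e(sig.to_bytes(SIZE, 'big'))}"

def validate(token, jwks=JWKS, issuer=ISSUER, audiences=(AUDIENCE,)):
    """Proxy side: needs only the JWKS, the issuer and the audiences."""
    head, body, sig = token.split(".")
    header, claims = json.loads(b64d(head)), json.loads(b64d(body))
    key = next((k for k in jwks["keys"] if k["kid"] == header.get("kid")), None)
    if header.get("alg") != "RS256" or key is None:
        return False, "no matching RS256 key in JWKS"
    n, e = (int.from_bytes(b64d(key[f]), "big") for f in ("n", "e"))
    size = (n.bit_length() + 7) // 8
    expected = emsa_pkcs1_sha256(f"{head}.{body}".encode(), size)
    if pow(int.from_bytes(b64d(sig), "big"), e, n).to_bytes(size, "big") != expected:
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if not set([aud] if isinstance(aud, str) else aud or []) & set(audiences):
        return False, "audience mismatch"
    return True, "ok"
```

A token whose payload is swapped after signing, or whose `iss` or `aud` differs from the configured values, is rejected before the request would reach the backend.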
