Verify HTTP request from Google Cloud Scheduler


Question

What's the process for verifying the HTTP request from Google Cloud scheduler? The docs (https://cloud.google.com/scheduler/docs/creating) mention you can create a job with a target of any publicly available HTTP endpoint but do not mention how the server verifies the cron/scheduler request.

Accepted answer

[Update May 28, 2019]

Google Cloud Scheduler now has two command line options:

--oidc-service-account-email=<service_account_email>
--oidc-token-audience=<service_endpoint_being_called>

These options add an additional header to the request that Cloud Scheduler makes:

 Authorization: Bearer ID_TOKEN

You can process the ID_TOKEN inside your endpoint code to verify who is calling your endpoint.

For example, you can make an HTTP request to decode the ID Token:

https://oauth2.googleapis.com/tokeninfo?id_token=ID_TOKEN

This will return JSON like this:

{
  "aud": "https://cloudtask-abcdefabcdef-uc.a.run.app",
  "azp": "0123456789077420983142",
  "email": "cloudtask@development.iam.gserviceaccount.com",
  "email_verified": "true",
  "exp": "1559029789",
  "iat": "1559026189",
  "iss": "https://accounts.google.com",
  "sub": "012345678901234567892",
  "alg": "RS256",
  "kid": "0123456789012345678901234567890123456789c3",
  "typ": "JWT"
}

Then you can check that the service account email matches the one that you authorized Cloud Scheduler to use and that the token has not expired.

[End Update]

You need to verify the request yourself.

Google Cloud Scheduler includes several Google specific headers such as User-Agent: Google-Cloud-Scheduler. Refer to the documentation link below.

However, anyone can forge HTTP headers. You need to create a custom something that you include as an HTTP Header or in the HTTP body that you know how to verify. Using a signed JWT would be secure and easy to create and verify.

When you create a Google Cloud Scheduler Job you have some control over the headers and body fields. You can embed your custom something in either one.

Scheduling tasks

[Update]

Here is an example (Windows command line) using gcloud so that you can set HTTP headers and the body. This example calls Cloud Functions on each trigger showing how to include an APIKEY. The Google Console does not have this level of support yet.

gcloud beta scheduler ^
--project production ^
jobs create http myfunction ^
--time-zone "America/Los_Angeles" ^
--schedule="0 0 * * 0" ^
--uri="https://us-central1-production.cloudfunctions.net/myfunction" ^
--description="Job Description" ^
--headers="{ \"Authorization\": \"APIKEY=AUTHKEY\", \"Content-Type\": \"application/json\" }" ^
--http-method="POST" ^
--message-body="{\"to\":\"/topics/allDevices\",\"priority\":\"low\",\"data\":{\"success\":\"ok\"}}"
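As an added example (not part of the answer above), here are the header and claim checks the update describes, written in Python for the endpoint side. The decode step is injected as a lookup function (for instance a GET to the tokeninfo URL shown) so the checks themselves run offline; the audience, service-account email and timestamps are the sample values from the answer's JSON, and the function names are my own.

```python
import time
from typing import Callable, Dict, Mapping, Optional, Tuple

# Sample claims, copied from the tokeninfo JSON in the answer above.
SAMPLE_CLAIMS: Dict[str, str] = {
    "aud": "https://cloudtask-abcdefabcdef-uc.a.run.app",
    "email": "cloudtask@development.iam.gserviceaccount.com",
    "email_verified": "true",
    "exp": "1559029789",
    "iss": "https://accounts.google.com",
}
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def parse_bearer(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', else None."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.strip().partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None


def check_claims(claims: Mapping[str, str], expected_audience: str,
                 expected_email: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Check issuer, audience, verified caller and expiry (tokeninfo values are strings)."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"
    if claims.get("email_verified") != "true":
        return False, "email not verified"
    if claims.get("email") != expected_email:
        return False, "unexpected service account"
    try:
        exp = int(claims["exp"])
    except (KeyError, ValueError):
        return False, "missing or malformed exp"
    return (False, "token expired") if now >= exp else (True, "ok")


def verify_scheduler_request(headers: Mapping[str, str],
                             lookup: Callable[[str], Mapping[str, str]],
                             expected_audience: str, expected_email: str,
                             now: Optional[int] = None) -> Tuple[bool, str]:
    """lookup(token) decodes the token, e.g. a GET to the tokeninfo URL."""
    token = parse_bearer(headers)
    if token is None:
        return False, "missing bearer token"
    return check_claims(lookup(token), expected_audience, expected_email, now)
```

The same check_claims applies unchanged when the token is instead verified locally with a JWT library against Google's published certificates, which avoids a network round trip per request.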
