使用承载令牌访问Google Cloud IAP保护的资源会给出错误代码13 [英] Accessing Google Cloud IAP protected resource with bearer token gives error code 13

问题描述

我正在尝试从我的iOS应用访问受Google Cloud IAP保护的资源.

I am trying to access a resource protected by Google Cloud IAP from my iOS app.

我能够从该应用登录到我的Google帐户并收到一个ID令牌，但是在我想要的资源的Authorization标头中将ID令牌设置为Bearer令牌时，我收到以下HTTP错误代码401的以下响应:请求.

I am able to login to my Google account from the app and receive an ID token, but I receive the following response with HTTP error code 401 when setting the ID token as Bearer token in the Authorization header for the resource I would like to request.

您的请求有问题.错误代码13"

"There was a problem with your request. Error code 13"

我尝试通过Postman发送请求，但这也导致了相同的错误.

I tried to send the request with Postman, but this also resulted with the same error.

我使用以下代码从下载的certificate.plist文件中设置客户端ID.

I use the following code for setting the client ID from the downloaded credentials.plist file.

if let path = Bundle.main.path(forResource: "credentials", ofType: "plist") {
   let nsDictionary = NSDictionary(contentsOfFile: path)
   let clientId = nsDictionary!["CLIENT_ID"] as? String

   GIDSignIn.sharedInstance().clientID = clientId
   GIDSignIn.sharedInstance().delegate = self
   GIDSignIn.sharedInstance().uiDelegate = self;
}

然后我登录Google.

Afterwards I sign into Google.

if GIDSignIn.sharedInstance().hasAuthInKeychain() {
   GIDSignIn.sharedInstance().signInSilently()
} else {
   GIDSignIn.sharedInstance().signIn()
}

登录后，我获取idToken并将其发送到受Google Cloud IAP保护的资源中.

After login, I take the idToken and send it to the resource protected by Google Cloud IAP.

func sign(_ signIn: GIDSignIn!, didSignInFor user: GIDGoogleUser!, withError error: Error!) {
   let token = user.authentication.idToken

   var request = URLRequest(url: URL(string: url)!)

   request.httpMethod = httpMethod
   request.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")

   URLSession.shared.dataTask(with: request, completionHandler: { data, response, error -> Void in
    }).resume()
}

我希望获得成功的响应，但是目前我收到HTTP错误代码401以及前面提到的错误消息.

I would expect a successful response, but currently I receive HTTP error code 401 together with the previously mentioned error message.

推荐答案

更新:从7月11日开始，IAP用户现在应该在遇到问题时得到比错误代码13"更具描述性的错误.带有令牌.

Update: As of July 11th, IAP users should now get a more descriptive error than "Error code 13" when there are problems with the token.

一些例子:

$ curl -H 'Authorization: bearer schmearer' $IAP_URL
Invalid IAP credentials: Expected JWT to have 3 parts separated by a '.' but there are 1 parts
$ curl -H 'Authorization: bearer a.b.c' $IAP_URL
Invalid IAP credentials: Base64 decode failed on token: a.b.c
> ^C
msachs@msachs-ubi:~$ curl -H 'Authorization: bearer [real token]' $IAP_URL
Invalid IAP credentials: JWT signature is invalid
msachs@msachs-ubi:~$ curl -H 'Authorization: bearer [real token]' $IAP_URL
Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (5939454960-[...]) doesn't match expected value (1042451928015-[...]))

错误代码13"表示IAP不喜欢您的令牌.在这种情况下，我认为问题在于您需要设置 serverClientId属性到您的IAP应用程序使用的客户端ID.您可以通过转到 IAP控制台来找到此文件，找到要连接的资源，然后从该资源表行的溢出菜单中选择编辑OAuth客户端".

"Error code 13" means that IAP doesn't like something about your token. In this case, I think the issue is that you need to set the serverClientId property to the client ID used by your IAP app. You can find this by going to the IAP console, finding the resource you're connecting to, and selecting "Edit OAuth Client" from the overflow menu in that resource's table row.

我们的文档似乎缺少该步骤，我是将得到照顾. (感谢您举报！)

Our documentation seems to be missing that step, I'll get that taken care of. (Thanks for flagging that!)

这篇关于使用承载令牌访问Google Cloud IAP保护的资源会给出错误代码13的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！