应用类型用户向GCP进行身份验证 [英] Application type users authenticating to GCP

问题描述

我正在为服务类型的用户寻找一种标准的Oauth2.0方法，该服务类型的用户使用机密向GCP环境中托管的API进行身份验证.我得到的最接近的是带有密钥对的 service accounts

I'm looking for a standard Oauth2.0 approach for the service type users authenticating to APIs hosted in GCP environment with secrets. The closest I got is a service accounts with key pairs.

但是，我想避免每次添加新的service account时都更新ESP配置(如下面的示例所示).

However I would like to avoid updating ESP config each time a new service account is added (like in the example below).

 securityDefinitions:
  service-1:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "service-1@example-project-12345.iam.gserviceaccount.com"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/service-1@example-project-12345.iam.gserviceaccount.com"
  service-2:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "service-2@example-project-12345.iam.gserviceaccount.com"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/service-2@example-project-12345.iam.gserviceaccount.com"

    #should be possible to leave the addition of service-X to the end client without needing to update this.

编辑:我尝试使用Identity Platform和ESP配置在添加新用户时不需要更新:

I've tried using Identity Platform and ESP config won't need updating when new users are added:

securityDefinitions:
    auth0:
        authorizationUrl: ""
        flow: "implicit"
        type: "oauth2"
        x-google-issuer: "https://securetoken.google.com/{google-project-ID}"
        x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
        x-google-audiences: "{google-project-ID}"

但是我的情况下不能使用电子邮件/密码，并且GCP Identity Platform似乎不支持带有机密信息的用户，除非我遗漏了某些东西?

however email/password is not an option for my case and GCP Identity Platform doesn't seem to support users with secrets, unless I'm missing something?

也可以对用户添加自定义声明，这将消除维护API代码中权限表的需要.

It would also be good to have a possibility to add custom claims against users, which would remove a need to maintain the permissions table within the API code.

Apigee具有所有必需的功能，但是对于我的项目需求而言，这似乎是一个昂贵的过度复杂化.

Apigee has all the required functionality however seems to be an expensive over-complication for my project needs.

推荐答案

Identity-Aware Proxy 提供我的用例的功能. 添加服务帐户时，只需设置IAP-secured Web App User，它将可以访问受保护的资源. 此处的Google文档

The Identity-Aware Proxy provides the functionality for my use-case. When adding the service account just set the IAP-secured Web App User and it will have access to a secured resource. google doc here

这篇关于应用类型用户向GCP进行身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！