Google Cloud Run OAuth2 Authentication with PKCE


Problem description

I need to authenticate a service account (with container invoke role) in Cloud Run with PKCE. Basically my iOS app sends HTTPS requests to invoke a certain Cloud Run container (with Django Rest Framework).

I found this example (which authenticates to the Cloud Run endpoint via a self-signed JWT exchanged for a token). This is exactly what I need, but I want to add PKCE. I'm confused as to where I send code_verifier and code_challenge. If I do the verification in my container, how would that link to Cloud Run authorization?

Recommended answer

The (bad) solution is to generate a service account key file and embed it in your iOS app; but, as mentioned by John, if you do this, you lose control of your key because your mobile isn't safe. Instead of doing this, make your service public!!

The good pattern is to not let your user directly call your private and secure service, but to have a public gateway that performs the user security check. Thereby, you will use the OAuth flow of your user to authenticate them on a backend, and this backend will be able to call your service with the right service account.

You can do it by yourself, but the good alternative is to use an API Gateway, like Cloud Endpoints on GCP. You can plug Firebase authentication into it. Your overhead is minimal, and your security is improved! I wrote an article in relation with this (it's about API Keys, but replace the API Key security definition with the Firebase auth security definition, and enjoy!)
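A minimal sketch of where PKCE fits in the gateway pattern above, added here as an example (it is not the answer's code nor any Google library): the app sends code_challenge with the authorization request and code_verifier with the token exchange, both to the public gateway, so Cloud Run's IAM never sees either value. The function names and the in-memory pending-code store are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Unreserved characters permitted in a code_verifier (RFC 7636, section 4.1).
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """App side: a high-entropy code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def make_code_challenge(code_verifier: str) -> str:
    """S256 method: base64url(sha256(verifier)) with the '=' padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(code_verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Gateway side: recompute the challenge from the presented verifier and compare."""
    if method != "S256":
        return False  # the 'plain' method is allowed by the RFC but adds no protection; reject it
    if not 43 <= len(code_verifier) <= 128 or any(c not in _UNRESERVED for c in code_verifier):
        return False
    # Constant-time compare so a mismatch does not leak how many characters agreed.
    return hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge)


# Constructed in-memory store: one-time authorization code -> code_challenge it was issued for.
_PENDING: dict[str, str] = {}


def gateway_authorize(code_challenge: str) -> str:
    """Step 1: the app presents code_challenge; the gateway issues a one-time code."""
    code = secrets.token_urlsafe(24)
    _PENDING[code] = code_challenge
    return code


def gateway_exchange(code: str, code_verifier: str) -> bool:
    """Step 2: the app presents code + code_verifier; the code is consumed even on failure."""
    stored = _PENDING.pop(code, None)
    return stored is not None and verify_code_challenge(code_verifier, stored)
```

Only after gateway_exchange succeeds would the gateway mint its own identity token for the private Cloud Run service; the app never holds that credential.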
