Cloud Endpoints Extensible Service Proxy not honouring security definition

Question

We are using the ESP inside the container engine (not as part of appengine). We have deployed the following swagger file:

security:
 - oauth_our_oauth:
   - default_auth
# This section requires all requests to any path to require an API key.
securityDefinitions:
 oauth_our_oauth:
     authorizationUrl: "https://OUR_ACCOUNT.auth0.com/authorize"
     flow: "implicit"
     type: "oauth2"
     x-issuer: "https://OUR_ACCOUNT.auth0.com/"
     # Update this with your service account's email address.
     x-jwks_uri: "https://OUR_ACCOUNT.auth0.com/.well-known/jwks.json"
     scopes:
       default_auth: All endpoints

However when we hit our endpoint without any authentication the request happily passes through. Are we setting up something wrong?

Mingliang Wei Mingliang Wei · Accepted Answer · 2016-09-15T19:53:01

The OAuth definition should be referenced in x-security section.

x-security:
  - oauth_our_oauth:
      audiences:
      # This must match the "aud" field in the JWT. You can add multiple
      # audiences to accept JWTs from multiple clients.
      - "echo.endpoints.sample.google.com"

Example https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/appengine/flexible/endpoints/swagger.yaml

Cloud Endpoints Extensible Service Proxy not honouring security definition

1 Answers