“No auth token is attached to the request” with Google Coud Endpoints + Firebase authentication

0
votes

I am developing the backend for a mobile app using Google App Engine Standard Environment (Python) and Cloud Endpoints with Firebase for authentication. This backend needs to connect to a frontend created with Unity.

I am having trouble with Cloud Endpoints reading the authentication token being sent from the Unity frontend after logging in to Firebase. The App Engine logs state "No auth token is attached to the request" with each attempt at sending an authenticated request.

Here is the Cloud Endpoints declaration that includes Firebase as an issuer in my main Python file:

@endpoints.api(name='connected', 
    version='v4.4.0', 
    allowed_client_ids=["32366828803-g14dan8j9m1dhises6namb5vpebopgpd.apps.googleusercontent.com "],
    issuers={'firebase': endpoints.Issuer('https://securetoken.google.com/fleet-fortress-211105',
    'https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]')})

Here is the end of the swagger.yaml file that has the security definitions:

securityDefinitions:
    firebase:
        authorizationUrl: ''
        flow: implicit
        type: oauth2
        x-google-issuer: 'https://securetoken.google.com/fleet-fortress-211105'
        x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]'
        x-google-audiences: "32366828803-g14dan8j9m1dhises6namb5vpebopgpd.apps.googleusercontent.com"

security:
    - firebase: []

I am sending the auth token that was received from Firebase to my Cloud Endpoints API in the Authorization header (e.g. Authorization:Bearer {token}).

Headers being sent: request headers

Decoded JWT being sent in authorization header as Bearer:

{
"iss": "https://securetoken.google.com/fleet-fortress-211105",
"aud": "fleet-fortress-211105",
"auth_time": 1533831541,
"user_id": "8VdGVw9cF8V9QtfIZpgnD4DHKsY2",
"sub": "8VdGVw9cF8V9QtfIZpgnD4DHKsY2",
"iat": 1533831566,
"exp": 1533835166,
"email": "[email protected]",
"email_verified": false,
"firebase": {
  "identities": {
    "email": [
      "[email protected]"
    ]
  },
  "sign_in_provider": "password"
}
}

Any help in getting my GAE Cloud Endpoints backend to read the authorization header for a JWT is greatly appreciated.

1
firebaseunity3dgoogle-cloud-platformjwtgoogle-cloud-endpoints
Just as a sanity check, if you capture the full request (e.g. changing the request endpoint to a service printing the whole request, inc. full headers), is the header properly attached? is the token attached a valid JWT?Jofre
Yes, the authorization header is indeed being sent (seemingly correctly) and the JWT is indeed valid. I have updated the post to show the headers sent and the JWT.igotquestions1
Is there an indenting typo in the swagger.yaml file you pasted here? It looks like all the fields are at the same level, but they should be nested (indented) under "firebase".John
I just checked the actual file and there was a indenting typo when pasting to make this question like you said. The actual file has the "firebase" fields indented. The question has been fixed, my apologies.igotquestions1
The error you are receiving "looks like" it means that there is no header sent at all. If we look at the common JWT error list, the "No auth token is attached to the request" is not among them. The best way to troubleshoot this is identify where exactly the error is caused (i.e. the header is removed). If you manually call your API generating the JWT by yourself, does the API reply properly? If so, the issue is before reaching GCP. Otherwise, the issue is within GCP.Jofre

1 Answers

0
votes

I don't know why that error is getting logged; the authorization header properly contains a Bearer token, which is what's required.

However, that error message shouldn't actually stop authentication from working. (The authentication system in the Python Frameworks is kind of a mess and there are two parallel mostly-working implementations.)

Instead, you need to call endpoints.get_current_user() in each method that you want to be protected.