Authentication issues with Cloud Endpoints Portal

0
votes

I have Cloud Endpoints Framework implemented in my App Engine project, and I'd like to migrate from the deprecated API Explorer to the new Endpoints Portal, but I have an authentication issue.

I have one endpoint with authentication enabled with a Google ID token. But when the user clicks on 'Try This API' in the Endpoints Portal, he is not authenticated. This works with the old API Explorer. enter image description here

I use the project described in this tutorial: https://cloud.google.com/endpoints/docs/frameworks/java/get-started-frameworks-java.

It has API Management has described in the documentation and I followed these steps to authenticate users

I've added the class below to the sample code to test an API with authentication: 

package com.example.echo;

import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;

@Api(
        name = "authenticatedApi",
        title = "Authenticated API",
        version = "v1",
        description = "Use OAuth 2.0 to authenticate",
        scopes = {"https://www.googleapis.com/auth/userinfo.email"},
        clientIds = {"*"}
)
public class AuthenticatedApi {

    @ApiMethod(name = "sayHello")
    public Message sayHello(User user) throws UnauthorizedException {
        if (user == null) {
            throw new UnauthorizedException("Invalid credentials");
        }

        Message message = new Message();
        message.setMessage("Hello " + user.getEmail());
        return message;
    }
}

There is a documentation about how configuring the portal for authentication but nothing about OAuth 2.0

I generate and deploy the openapi.json file using the maven plugin and gcloud: 

$ mvn endpoints-framework:openApiDocs
$ gcloud endpoints services deploy target/openapi-docs/openapi.json

What am I missing?

2
javagoogle-app-enginegoogle-cloud-endpointsgoogle-apis-explorer
I checked the doc you shared and on step Create OAuth client ID I found a link for OAuth 2.0. Check it it may be useful.alcohealism

2 Answers

0
votes

So I found a way but I couldn't find any documentation about it.

This code sample suggest that the Cloud Endpoints Portal needs ESP. But unlike Cloud Endpoints with OpenApi, Cloud Endpoints Framework does not use ESP, but:

a built-in API gateway that provides API management features that are comparable to the features that ESP provides for Endpoints for OpenAPI

Therefore, the openapi.json file generated by mvn endpoints-framework:openApiDocs is missing some info.

Here is what I changed:

At the class level, in the @Api annotation:

  • added an audience (even though I don't have Android clients and, according to the documentation, audiences are for Android clients only)
  • added a custom authenticator to handle ESP, similar to com.google.api.server.spi.auth.EspAuthenticator

In the openapi.json file, after it's generated with mvn endpoints-framework:openApiDocs

Sources:

API

package com.example.echo;

import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;

@Api(
        name = "authenticatedApi",
        title = "Authenticated API",
        version = "v1",
        description = "Use OAuth to authenticate",
        scopes = {"https://www.googleapis.com/auth/userinfo.email"},
        clientIds = {"*"},
        audiences = {"my-web-client-id.apps.googleusercontent.com"},
        authenticators = {CustomAuthenticator.class}
)
public class AuthenticatedApi {

    @ApiMethod(name = "sayHello")
    public Message sayHello(User user) throws UnauthorizedException {
        if (user == null) {
            throw new UnauthorizedException("Invalid credentials");
        }

        Message message = new Message();
        message.setMessage("Hello " + user.getEmail());
        return message;
    }
}

Anthenticator

package com.example.echo;

import com.google.api.auth.UserInfo;
import com.google.api.control.ConfigFilter;
import com.google.api.control.model.MethodRegistry;
import com.google.api.server.spi.auth.EndpointsAuthenticator;
import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.response.ServiceUnavailableException;

import javax.servlet.http.HttpServletRequest;

public class CustomAuthenticator extends EndpointsAuthenticator {
    private final com.google.api.auth.Authenticator authenticator;

    public CustomAuthenticator() {
        // ESP needs another authenticator
        this.authenticator = com.google.api.auth.Authenticator.create();
    }

    @Override
    public User authenticate(HttpServletRequest request) throws ServiceUnavailableException {
        User user = super.authenticate(request);

        // Testing the user is enough for the API Explorer, not for the Endpoints Portal
        if (user == null) {
            try {
                MethodRegistry.Info methodInfo = ConfigFilter.getMethodInfo(request);
                MethodRegistry.AuthInfo authInfo = methodInfo.getAuthInfo().get();
                String serviceName = ConfigFilter.getService(request).getName();
                UserInfo userInfo = this.authenticator.authenticate(request, authInfo, serviceName);
                user = new User(userInfo.getId(), userInfo.getEmail());
            } catch (Exception e) {
                return null;
            }
        }
        return user;
    }
}

openapi.json

{
  "swagger": "2.0",
  "info": {
    "version": "1.0.0",
    "title": "My Application"
  },
  "host": "my-application.appspot.com",
  "basePath": "/_ah/api",
  "schemes": [
    "https"
  ],
  "consumes": [
    "application/json"
  ],
  "produces": [
    "application/json"
  ],
  "paths": {
    "/authenticatedApi/v1/sayHello": {
      "post": {
        "operationId": "AuthenticatedApiSayHello",
        "parameters": [],
        "responses": {
          "200": {
            "description": "A successful response",
            "schema": {
              "$ref": "#/definitions/Message"
            }
          }
        },
        "security": [
          {
            "google_id_token_https": ["https://www.googleapis.com/auth/userinfo.email"]
          }
        ],
        "x-security": [
          {
            "google_id_token_https": {
              "audiences": [
                "my-web-client-id.apps.googleusercontent.com"
              ]
            }
          }
        ]
      }
    }
  },
  "securityDefinitions": {
    "google_id_token_https": {
      "type": "oauth2",
      "authorizationUrl": "https://accounts.google.com/o/oauth2/v2/auth",
      "flow": "implicit",
      "x-google-issuer": "https://accounts.google.com",
      "x-google-jwks_uri": "https://www.googleapis.com/oauth2/v1/certs"
    }
  },
  "definitions": {
    "Email": {
      "properties": {
        "email": {
          "type": "string"
        }
      }
    },
    "Message": {
      "properties": {
        "message": {
          "type": "string"
        }
      }
    }
  }
}
0
votes

That's a current Feature Request for the Google Cloud Endpoints team:

https://issuetracker.google.com/issues/127623471