0
votes

I am trying to authenticate my app running in App Engine to call a Cloud Run service. To do so I request an OAuth 2 token through the Google Auth library (getIdTokenClient method), as this looks to be the recommended approach here: https://github.com/googleapis/google-auth-library-nodejs#working-with-id-tokens.

The following error is raised by my app when OAuth 2 tries to access the Google metadata:

gaxios.ts:91 Mixed Content: The page at 'https://myapp-dev.nw.r.appspot.com/' was loaded over HTTPS, but requested an insecure resource 'http://169.254.169.254/computeMetadata/v1/instance'. This request has been blocked; the content must be served over HTTPS.

Here is my piece of code:

const {GoogleAuth} = require('google-auth-library');
const url = 'https://myapp-dev-fvnpywgyfa-nw.a.run.app';
const auth = new GoogleAuth();
let client; // cached ID token client, reused across requests

// await only works inside an async function; the options are returned to the caller.
async function buildServiceRequestOptions() {
  const serviceRequestOptions = {
    method: 'GET',
    headers: {
      'Content-Type': 'text/plain',
    },
    timeout: 3000,
  };
  try {
    // Create a Google Auth client with the Renderer service url as the target audience.
    if (!client) client = await auth.getIdTokenClient(url);
    // Fetch the client request headers and add them to the service request headers.
    // The client request headers include an ID token that authenticates the request.
    const clientHeaders = await client.getRequestHeaders();
    serviceRequestOptions.headers['Authorization'] = clientHeaders['Authorization'];
  } catch (err) {
    // Error() takes a single message argument; append the cause instead of dropping it.
    throw new Error('could not create an identity token: ' + err.message);
  }
  return serviceRequestOptions;
}
Why don't you use the created client? - guillaume blaquiere
It seems from the stack trace that the resource you are calling at the IP 169.254.169.254 is using HTTP and not HTTPS as required. Could you please try changing it so it uses HTTPS? - gso_gabriel
The client is used further down in my code (not shared above). The point here is that the client does not get generated, because the method "getIdTokenClient(url)" fails. - oscarmon7
The call to IP 169.254.169.254 is encapsulated in that same method; my code is not managing that. - oscarmon7

1 Answer

1
votes

gaxios.ts:91 Mixed Content: The page at https://myapp-dev.nw.r.appspot.com/ was loaded over HTTPS, but requested an insecure resource http://169.254.169.254/computeMetadata/v1/instance. This request has been blocked; the content must be served over HTTPS

  1. Subnet 169.254.0.0/16 is an IANA special-use net (RFC 3330) for the "Link-Local" block (RFC 3927). This subnet is not routed to the public internet, therefore it is accessible in the local segment only.

  2. The URL http://169.254.169.254/computeMetadata/v1/instance is used as an internal link-local address in cloud services such as AWS, Yandex Cloud and Google Cloud Platform (GCP also uses the http://metadata.google.internal/computeMetadata/v1/instance URL) to get information about a VM instance.
    The IP address 169.254.169.254 is accessible only via http: because it works in a private internal network, where SSL certs cannot be verified (see para. 1: no route to the public internet).

Therefore, if your app tries to access http://169.254.169.254/computeMetadata/v1/instance, you definitely did something wrong. This address cannot be accessed in an easy way.

Maybe the Using OAuth 2.0 to Access Google APIs link can help you.