Skip to content

Use "https://server_name" as the TARGET_AUD for Google ID token request. #669

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 11 commits into from
Closed

Use "https://server_name" as the TARGET_AUD for Google ID token request. #669

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
6ecc915
Auth samples for Endpoints.
liminw Jul 28, 2016
4e8801c
Auth Samples (addressed 2nd pass of comments)
liminw Jul 29, 2016
f6931db
Service to Service auth sample. Updated README.
liminw Aug 2, 2016
653e1a4
Merge remote-tracking branch 'upstream/master'
liminw Nov 17, 2016
4011053
Fix merge inconsistency.
liminw Nov 17, 2016
59e67a1
Fix merge inconsistency.
liminw Nov 17, 2016
402daf6
Fix merge inconsistency.
liminw Nov 17, 2016
2554f6d
Merge remote-tracking branch 'upstream/master'
liminw Nov 17, 2016
bab9efd
Use "https://server_name" as the TARGET_AUD for Google ID token request.
liminw Nov 17, 2016
812987f
Change "scope" to "target_audience".
liminw Nov 18, 2016
5f91d8b
Merge remote-tracking branch 'upstream/master'
liminw Nov 18, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 2 additions & 4 deletions appengine/flexible/endpoints/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,10 +160,8 @@ The client project is running Google App Engine standard application.

To use the client for authentication:

1. Update the `google_id_token`'s audiences, replace `YOUR-SERVER-PROJECT-ID` with your server project ID.
2. Redeploy your server application.
3. Update clients/service_to_service_google_id_token/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
4. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
1. Update clients/service_to_service_google_id_token/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
2. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
```bash
$ gcloud app deploy app.yaml --project=YOUR-CLIENT-PROJECT-ID
```
Expand Down
14 changes: 6 additions & 8 deletions appengine/flexible/endpoints/clients/service_to_service_google_id_token/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,9 @@
from google.appengine.api import app_identity
import webapp2

DEFAUTL_SERVICE_ACCOUNT = "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
SERVICE_ACCOUNT_EMAIL = "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
HOST = "YOUR-SERVER-PROJECT-ID.appspot.com"
TARGET_AUD = "YOUR-SERVER-PROJECT-ID@appspot.gserviceaccount.com"

TARGET_AUD = "https://YOUR-SERVER-PROJECT-ID.appspot.com"

def generate_jwt():
"""Generates a signed JSON Web Token using the Google App Engine default
Expand All @@ -42,11 +41,10 @@ def generate_jwt():
"iat": now,
# expires after one hour.
"exp": now + 3600,
# iss is the Google App Engine default service account email.
"iss": DEFAUTL_SERVICE_ACCOUNT,
# scope must match 'audience' for google_id_token in the security
# configuration in your swagger spec.
"scope": TARGET_AUD,
# iss is the service account email.
"iss": SERVICE_ACCOUNT_EMAIL,
# target_audience is the URL of the target service.
"target_audience": TARGET_AUD,
# aud must be Google token endpoints URL.
"aud": "https://www.googleapis.com/oauth2/v4/token"
})
Expand Down
1 change: 0 additions & 1 deletion appengine/flexible/endpoints/swagger.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,6 @@ paths:
# Your OAuth2 client's Client ID must be added here. You can add
# multiple client IDs to accept tokens from multiple clients.
- "YOUR-CLIENT-ID"
- "YOUR-SERVER-PROJECT-ID@appspot.gserviceaccount.com"
"/auth/info/firebase":
get:
description: "Returns the requests' authentication information."
Expand Down