diff --git a/appengine/flexible/endpoints/README.md b/appengine/flexible/endpoints/README.md
index 5276fe0d5e4..4b4e03c827c 100644
--- a/appengine/flexible/endpoints/README.md
+++ b/appengine/flexible/endpoints/README.md
@@ -160,10 +160,8 @@ The client project is running Google App Engine standard application.
 To use the client for authentication:
-1. Update the `google_id_token`'s audiences, replace `YOUR-SERVER-PROJECT-ID` with your server project ID.
-2. Redeploy your server application.
-3. Update clients/service_to_service_google_id_token/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
-4. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
+1. Update clients/service_to_service_google_id_token/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
+2. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
 ```bash
 $ gcloud app deploy app.yaml --project=YOUR-CLIENT-PROJECT-ID
 ```
diff --git a/appengine/flexible/endpoints/clients/service_to_service_google_id_token/main.py b/appengine/flexible/endpoints/clients/service_to_service_google_id_token/main.py
index fb22c5ebf4a..1837f1def06 100644
--- a/appengine/flexible/endpoints/clients/service_to_service_google_id_token/main.py
+++ b/appengine/flexible/endpoints/clients/service_to_service_google_id_token/main.py
@@ -24,10 +24,9 @@ from google.appengine.api import app_identity
 import webapp2
-DEFAUTL_SERVICE_ACCOUNT = "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
+SERVICE_ACCOUNT_EMAIL = "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
 HOST = "YOUR-SERVER-PROJECT-ID.appspot.com"
-TARGET_AUD = "YOUR-SERVER-PROJECT-ID@appspot.gserviceaccount.com"
-
+TARGET_AUD = "https://YOUR-SERVER-PROJECT-ID.appspot.com"
 def generate_jwt():
 """Generates a signed JSON Web Token using the Google App Engine default
@@ -42,11 +41,10 @@ def generate_jwt():
 "iat": now,
 # expires after one hour.
 "exp": now + 3600,
- # iss is the Google App Engine default service account email.
- "iss": DEFAUTL_SERVICE_ACCOUNT,
- # scope must match 'audience' for google_id_token in the security
- # configuration in your swagger spec.
- "scope": TARGET_AUD,
+ # iss is the service account email.
+ "iss": SERVICE_ACCOUNT_EMAIL,
+ # target_audience is the URL of the target service.
+ "target_audience": TARGET_AUD,
 # aud must be Google token endpoints URL.
 "aud": "https://www.googleapis.com/oauth2/v4/token"
 })
diff --git a/appengine/flexible/endpoints/swagger.yaml b/appengine/flexible/endpoints/swagger.yaml
index b2f6c8d5245..e65030a4e5f 100644
--- a/appengine/flexible/endpoints/swagger.yaml
+++ b/appengine/flexible/endpoints/swagger.yaml
@@ -76,7 +76,6 @@ paths:
 # Your OAuth2 client's Client ID must be added here. You can add
 # multiple client IDs to accept tokens from multiple clients.
 - "YOUR-CLIENT-ID"
- - "YOUR-SERVER-PROJECT-ID@appspot.gserviceaccount.com"
 "/auth/info/firebase":
 get:
 description: "Returns the requests' authentication information."
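Review bot: The new `TARGET_AUD` is a second hand-edited copy of the server host that `HOST` already holds, and since `target_audience` is what ends up as the `aud` of the ID token the server checks, the two placeholders drifting apart (or a missing `https://`) produces a token the server rejects; derive it instead with `TARGET_AUD = "https://" + HOST`. The comment on the new claim should state what the value has to agree with, e.g. `# target_audience becomes the aud of the returned ID token; it must match exactly (scheme included) an audience the server's Endpoints config accepts`. With the server service-account entry deleted from the swagger audiences list in this same commit, acceptance presumably now rests on the Endpoints default audience for the service host, which is worth confirming against a deployed server rather than assuming. generate_jwt() begins before this hunk and the signing of the payload happens after it.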