Update auth config and README #805

Merged
merged 2 commits into from
Feb 15, 2017
8 changes: 4 additions & 4 deletions appengine/flexible/endpoints/README.md
Expand Up @@ -72,7 +72,7 @@ The JWT client demonstrates how to use a service account to authenticate to endp

To use the service account for authentication:

1. Update the `google_jwt`'s `x-jwks_uri` in `openapi.yaml` with your service account's email address.
1. Update the `google_jwt`'s `x-google-jwks_uri` in `openapi.yaml` with your service account's email address.
2. Redeploy your application.

Now you can use the JWT client to make requests to the API:
Expand All @@ -91,7 +91,7 @@ The ID Token client demonstrates how to use user credentials to authenticate to

To use the client ID for authentication:

1. Update the `/auth/info/googleidtoken`'s `audiences` in `openapi.yaml` with your client ID.
1. Update the `google_id_token`'s `x-google-audiences` in `openapi.yaml` with your client ID.
2. Redeploy your application.

Now you can use the client ID to make requests to the API:
Expand All @@ -106,7 +106,7 @@ We refer to the project that serves API requests as the server project. You also

To use the App Engine default service account for authentication:

1. Update the `gae_default_service_account`'s `x-issuer` and `x-jwks_uri` in `openapi.yaml` with your client project ID.
1. Update the `gae_default_service_account`'s `x-google-issuer` and `x-google-jwks_uri` in `openapi.yaml` with your client project ID.
2. Redeploy your server application.
3. Update clients/service_to_service_gae_default/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
4. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
Expand Down Expand Up @@ -137,7 +137,7 @@ Google API python client library should have already been installed under 'lib'

To use the client for authentication:

1. Update the `google_service_account`'s `x-issuer` and `x-jwks_uri` in `openapi.yaml` with your service account email.
1. Update the `google_service_account`'s `x-google-issuer` and `x-google-jwks_uri` in `openapi.yaml` with your service account email.
2. Redeploy your server application.
3. Update clients/service_to_service_non_default/main.py by replacing 'YOUR-SERVICE-ACCOUNT-EMAIL', 'YOUR-SERVER-PROJECT-ID' and 'YOUR-CLIENT-PROJECT-ID'
with your service account email, your server project ID, and your client project ID, respectively.
66 changes: 27 additions & 39 deletions appengine/flexible/endpoints/openapi.yaml
Expand Up @@ -43,22 +43,10 @@ paths:
description: "Authentication info."
schema:
$ref: "#/definitions/authInfoResponse"
x-security:
- google_jwt:
audiences:
# This must match the "aud" field in the JWT. You can add multiple
# audiences to accept JWTs from multiple clients.
- "echo.endpoints.sample.google.com"
- gae_default_service_account:
audiences:
# This must match the "aud" field in the JWT. You can add multiple
# audiences to accept JWTs from multiple clients.
- "echo.endpoints.sample.google.com"
- google_service_account:
audiences:
# This must match the "aud" field in the JWT. You can add multiple
# audiences to accept JWTs from multiple clients.
- "echo.endpoints.sample.google.com"
security:
- google_jwt: []
- gae_default_service_account: []
- google_service_account: []
"/auth/info/googleidtoken":
get:
description: "Returns the requests' authentication information."
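Review bot: The `security:` entries for this path now carry only scheme names (`- google_jwt: []` and the two service-account schemes), so the removed comments explaining that the audience must match the JWT's "aud" field no longer sit next to the operation. Add a one-line comment above `security:` pointing to `x-google-audiences` under `securityDefinitions`, and say there that the audience is now set once per scheme, so every path referencing a scheme accepts the same audiences.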
Expand All @@ -70,12 +58,8 @@ paths:
description: "Authentication info."
schema:
$ref: "#/definitions/authInfoResponse"
x-security:
- google_id_token:
audiences:
# Your OAuth2 client's Client ID must be added here. You can add
# multiple client IDs to accept tokens from multiple clients.
- "YOUR-CLIENT-ID"
security:
- google_id_token: []
"/auth/info/firebase":
get:
description: "Returns the requests' authentication information."
Expand All @@ -87,10 +71,8 @@ paths:
description: "Authentication info."
schema:
$ref: "#/definitions/authInfoResponse"
x-security:
- firebase:
audiences:
- "YOUR-PROJECT-ID"
security:
- firebase: []

definitions:
echoMessage:
Expand All @@ -104,14 +86,12 @@ definitions:
email:
type: "string"

# [START securityDef]
securityDefinitions:
# This section configures basic authentication with an API key.
api_key:
type: "apiKey"
name: "key"
in: "query"
# [END securityDef]
# This section configures authentication using Google API Service Accounts
# to sign a json web token. This is mostly used for server-to-server
# communication.
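Review bot: The `# [START securityDef]` and `# [END securityDef]` markers around `api_key` are deleted with no replacement. If any documentation includes this snippet by that tag name, the include will break; either keep the markers or state in the PR description that nothing references `securityDef`.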
Expand All @@ -120,9 +100,11 @@ securityDefinitions:
flow: "implicit"
type: "oauth2"
# This must match the 'iss' field in the JWT.
x-issuer: "jwt-client.endpoints.sample.google.com"
x-google-issuer: "jwt-client.endpoints.sample.google.com"
# Update this with your service account's email address.
x-jwks_uri: "https://www.googleapis.com/service_accounts/v1/jwk/YOUR-SERVICE-ACCOUNT-EMAIL"
x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/jwk/YOUR-SERVICE-ACCOUNT-EMAIL"
# This must match the "aud" field in the JWT. You can add multiple audiences to accept JWTs from multiple clients.
x-google-audiences: "echo.endpoints.sample.google.com"
# This section configures authentication using Google App Engine default
# service account to sign a json web token. This is mostly used for
# server-to-server communication.
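Review bot: The new comment above `x-google-audiences` in `google_jwt` says multiple audiences can be added, but the value is now a single quoted string where the removed `x-security` block used a YAML list. State in the comment how more than one audience is written in this field so readers do not fall back to list syntax.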
Expand All @@ -131,9 +113,10 @@ securityDefinitions:
flow: "implicit"
type: "oauth2"
# Replace YOUR-CLIENT-PROJECT-ID with your client project ID.
x-issuer: "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
# Replace YOUR-CLIENT-PROJECT-ID with your client project ID.
x-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
x-google-issuer: "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
# Replace YOUR-CLIENT-PROJECT-ID with your client project ID
x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
x-google-audiences: "echo.endpoints.sample.google.com"
# This section configures authentication using a service account
# to sign a json web token. This is mostly used for server-to-server
# communication.
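Review bot: In `gae_default_service_account`, `x-google-audiences` is added without the 'This must match the "aud" field in the JWT' comment that `google_jwt` and `google_service_account` get in this same file, and the rewritten "Replace YOUR-CLIENT-PROJECT-ID with your client project ID" comment loses its trailing period. Add the audience comment and restore the period so the three service-account definitions read the same way.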
Expand All @@ -142,22 +125,27 @@ securityDefinitions:
flow: "implicit"
type: "oauth2"
# Replace YOUR-SERVICE-ACCOUNT-EMAIL with your service account email.
x-issuer: "YOUR-SERVICE-ACCOUNT-EMAIL"
x-google-issuer: "YOUR-SERVICE-ACCOUNT-EMAIL"
# Replace YOUR-SERVICE-ACCOUNT-EMAIL with your service account email.
x-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-SERVICE-ACCOUNT-EMAIL"
x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-SERVICE-ACCOUNT-EMAIL"
# This must match the "aud" field in the JWT. You can add multiple audiences to accept JWTs from multiple clients.
x-google-audiences: "echo.endpoints.sample.google.com"
# This section configures authentication using Google OAuth2 ID Tokens.
# ID Tokens can be obtained using OAuth2 clients, and can be used to access
# your API on behalf of a particular user.
google_id_token:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
x-issuer: "accounts.google.com"
x-jwks_uri: "https://www.googleapis.com/oauth2/v1/certs"
x-google-issuer: "accounts.google.com"
x-google-jwks_uri: "https://www.googleapis.com/oauth2/v1/certs"
# Your OAuth2 client's Client ID must be added here. You can add multiple client IDs to accept tokens form multiple clients.
x-google-audiences: "YOUR-CLIENT-ID"
# This section configures authentication using Firebase Auth.
firebase:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
x-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
x-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
x-google-audiences: "YOUR-PROJECT-ID"
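Review bot: Typo in the new comment above `x-google-audiences` in `google_id_token`: "accept tokens form multiple clients" should read "from". The same comment line is added to endpoints/getting-started/openapi.yaml and needs the same fix.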
14 changes: 6 additions & 8 deletions endpoints/getting-started/README.md
Expand Up @@ -67,7 +67,7 @@ The JWT client demonstrates how to use a service account to authenticate to endp

To use the service account for authentication:

1. Update the `google_jwt`'s `x-jwks_uri` in `openapi.yaml` with your service account's email address.
1. Update the `google_jwt`'s `x-google-jwks_uri` in `openapi.yaml` with your service account's email address.
2. Redeploy your application.

Now you can use the JWT client to make requests to the API:
Expand All @@ -86,7 +86,7 @@ The ID Token client demonstrates how to use user credentials to authenticate to

To use the client ID for authentication:

1. Update the `/auth/info/googleidtoken`'s `audiences` in `openapi.yaml` with your client ID.
1. Update the `google_id_token`'s `x-google-audiences` in `openapi.yaml`with your client ID.
2. Redeploy your application.

Now you can use the client ID to make requests to the API:
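Review bot: Missing space in the rewritten step 1, where `openapi.yaml` runs straight into "with your client ID". Insert the space so the step matches the same line in appengine/flexible/endpoints/README.md.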
Expand All @@ -101,7 +101,7 @@ We refer to the project that serves API requests as the server project. You also

To use the App Engine default service account for authentication:

1. Update the `gae_default_service_account`'s `x-issuer` and `x-jwks_uri` in `openapi.yaml` with your client project ID.
1. Update the `gae_default_service_account`'s `x-google-issuer` and `x-google-jwks_uri` in `openapi.yaml` with your client project ID.
2. Redeploy your server application.
3. Update clients/service_to_service_gae_default/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
4. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
Expand Down Expand Up @@ -132,7 +132,7 @@ Google API python client library should have already been installed under 'lib'

To use the client for authentication:

1. Update the `google_service_account`'s `x-issuer` and `x-jwks_uri` in `openapi.yaml` with your service account email.
1. Update the `google_service_account`'s `x-google-issuer` and `x-google-jwks_uri` in `openapi.yaml` with your service account email.
2. Redeploy your server application.
3. Update clients/service_to_service_non_default/main.py by replacing 'YOUR-SERVICE-ACCOUNT-EMAIL', 'YOUR-SERVER-PROJECT-ID' and 'YOUR-CLIENT-PROJECT-ID'
with your service account email, your server project ID, and your client project ID, respectively.
Expand All @@ -155,10 +155,8 @@ The client project is running Google App Engine standard application.

To use the client for authentication:

1. Update the `google_id_token`'s audiences, replace `YOUR-SERVER-PROJECT-ID` with your server project ID.
2. Redeploy your server application.
3. Update clients/service_to_service_google_id_token/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
4. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
1. Update clients/service_to_service_google_id_token/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
2. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
```bash
$ gcloud app deploy app.yaml --project=YOUR-CLIENT-PROJECT-ID
```
50 changes: 19 additions & 31 deletions endpoints/getting-started/openapi.yaml
Expand Up @@ -45,22 +45,10 @@ paths:
description: "Authentication info."
schema:
$ref: "#/definitions/authInfoResponse"
x-security:
- google_jwt:
audiences:
# This must match the "aud" field in the JWT. You can add multiple
# audiences to accept JWTs from multiple clients.
- "echo.endpoints.sample.google.com"
- gae_default_service_account:
audiences:
# This must match the "aud" field in the JWT. You can add multiple
# audiences to accept JWTs from multiple clients.
- "echo.endpoints.sample.google.com"
- google_service_account:
audiences:
# This must match the "aud" field in the JWT. You can add multiple
# audiences to accept JWTs from multiple clients.
- "echo.endpoints.sample.google.com"
security:
- google_jwt: []
- gae_default_service_account: []
- google_service_account: []
"/auth/info/googleidtoken":
get:
description: "Returns the requests' authentication information."
Expand All @@ -72,13 +60,8 @@ paths:
description: "Authentication info."
schema:
$ref: "#/definitions/authInfoResponse"
x-security:
- google_id_token:
audiences:
# Your OAuth2 client's Client ID must be added here. You can add
# multiple client IDs to accept tokens from multiple clients.
- "YOUR-CLIENT-ID"
- "YOUR-SERVER-PROJECT-ID@appspot.gserviceaccount.com"
security:
- google_id_token: []
"/auth/info/firebase":
get:
description: "Returns the requests' authentication information."
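Review bot: The removed `x-security` block for `/auth/info/googleidtoken` accepted two audiences, "YOUR-CLIENT-ID" and "YOUR-SERVER-PROJECT-ID@appspot.gserviceaccount.com", but the `google_id_token` definition in this file gets only `x-google-audiences: "YOUR-CLIENT-ID"`. The README in this directory also drops the step that set that audience, so if tokens from the service_to_service_google_id_token client carry the server-project audience they will no longer match. Either add the second audience to `x-google-audiences` or explain in the README why it is no longer needed.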
Expand All @@ -90,10 +73,8 @@ paths:
description: "Authentication info."
schema:
$ref: "#/definitions/authInfoResponse"
x-security:
- firebase:
audiences:
- "YOUR-PROJECT-ID"
security:
- firebase: []

definitions:
echoMessage:
Expand All @@ -107,14 +88,12 @@ definitions:
email:
type: "string"

# [START securityDef]
securityDefinitions:
# This section configures basic authentication with an API key.
api_key:
type: "apiKey"
name: "key"
in: "query"
# [END securityDef]
# This section configures authentication using Google API Service Accounts
# to sign a json web token. This is mostly used for server-to-server
# communication.
Expand All @@ -126,6 +105,8 @@ securityDefinitions:
x-google-issuer: "jwt-client.endpoints.sample.google.com"
# Update this with your service account's email address.
x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/jwk/YOUR-SERVICE-ACCOUNT-EMAIL"
# This must match the "aud" field in the JWT. You can add multiple audiences to accept JWTs from multiple clients.
x-google-audiences: "echo.endpoints.sample.google.com"
# This section configures authentication using Google App Engine default
# service account to sign a json web token. This is mostly used for
# server-to-server communication.
Expand All @@ -137,6 +118,8 @@ securityDefinitions:
x-google-issuer: "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
# Replace YOUR-CLIENT-PROJECT-ID with your client project ID.
x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
# This must match the "aud" field in the JWT. You can add multiple audiences to accept JWTs from multiple clients.
x-google-audiences: "echo.endpoints.sample.google.com"
# This section configures authentication using a service account
# to sign a json web token. This is mostly used for server-to-server
# communication.
Expand All @@ -145,9 +128,11 @@ securityDefinitions:
flow: "implicit"
type: "oauth2"
# Replace YOUR-SERVICE-ACCOUNT-EMAIL with your service account email.
x-issuer: "YOUR-SERVICE-ACCOUNT-EMAIL"
x-google-issuer: "YOUR-SERVICE-ACCOUNT-EMAIL"
# Replace YOUR-SERVICE-ACCOUNT-EMAIL with your service account email.
x-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-SERVICE-ACCOUNT-EMAIL"
x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-SERVICE-ACCOUNT-EMAIL"
# This must match the "aud" field in the JWT. You can add multiple audiences to accept JWTs from multiple clients.
x-google-audiences: "echo.endpoints.sample.google.com"
# This section configures authentication using Google OAuth2 ID Tokens.
# ID Tokens can be obtained using OAuth2 clients, and can be used to access
# your API on behalf of a particular user.
Expand All @@ -157,10 +142,13 @@ securityDefinitions:
type: "oauth2"
x-google-issuer: "accounts.google.com"
x-google-jwks_uri: "https://www.googleapis.com/oauth2/v1/certs"
# Your OAuth2 client's Client ID must be added here. You can add multiple client IDs to accept tokens form multiple clients.
x-google-audiences: "YOUR-CLIENT-ID"
# This section configures authentication using Firebase Auth.
firebase:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
x-google-audiences: "YOUR-PROJECT-ID"