Updates to Google ID token service-to-service auth sample (GoogleCloudPlatform#674)

liminw · dpebot · commit e43f21819c74 · 2016-11-21T11:35:23.000-08:00
diff --git a/appengine/flexible/endpoints/README.md b/appengine/flexible/endpoints/README.md
@@ -160,10 +160,8 @@ The client project is running Google App Engine standard application.
 
 To use the client for authentication:
 
-1. Update the `google_id_token`'s audiences, replace `YOUR-SERVER-PROJECT-ID` with your server project ID.
-2. Redeploy your server application.
-3. Update clients/service_to_service_google_id_token/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
-4. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
+1. Update clients/service_to_service_google_id_token/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
+2. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
 ```bash
 $ gcloud app deploy app.yaml --project=YOUR-CLIENT-PROJECT-ID
 ```
diff --git a/appengine/flexible/endpoints/clients/service_to_service_google_id_token/main.py b/appengine/flexible/endpoints/clients/service_to_service_google_id_token/main.py
@@ -24,9 +24,9 @@
 from google.appengine.api import app_identity
 import webapp2
 
-DEFAUTL_SERVICE_ACCOUNT = "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
+SERVICE_ACCOUNT_EMAIL = "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
 HOST = "YOUR-SERVER-PROJECT-ID.appspot.com"
-TARGET_AUD = "YOUR-SERVER-PROJECT-ID@appspot.gserviceaccount.com"
+TARGET_AUD = "https://YOUR-SERVER-PROJECT-ID.appspot.com"
 
 
 def generate_jwt():
@@ -42,11 +42,10 @@ def generate_jwt():
         "iat": now,
         # expires after one hour.
         "exp": now + 3600,
-        # iss is the Google App Engine default service account email.
-        "iss": DEFAUTL_SERVICE_ACCOUNT,
-        # scope must match 'audience' for google_id_token in the security
-        # configuration in your swagger spec.
-        "scope": TARGET_AUD,
+        # iss is the service account email.
+        "iss": SERVICE_ACCOUNT_EMAIL,
+        # target_audience is the URL of the target service.
+        "target_audience": TARGET_AUD,
         # aud must be Google token endpoints URL.
         "aud": "https://www.googleapis.com/oauth2/v4/token"
     })
diff --git a/appengine/flexible/endpoints/swagger.yaml b/appengine/flexible/endpoints/swagger.yaml
@@ -76,7 +76,6 @@ paths:
           # Your OAuth2 client's Client ID must be added here. You can add
           # multiple client IDs to accept tokens from multiple clients.
           - "YOUR-CLIENT-ID"
-          - "YOUR-SERVER-PROJECT-ID@appspot.gserviceaccount.com"
   "/auth/info/firebase":
     get:
       description: "Returns the requests' authentication information."
