个人中心
gpt4 book ai didi

firebase - 使用Cloud Endpoints和Firebase调用ESP时出现“409 Audience not allowed”错误

转载 作者:行者123 更新时间:2023-12-02 11:47:16 24 4
gpt4 key购买 nike

我一直在研究gRPC服务,该服务要求能够从经过Firebase身份验证的浏览器接收 call 。我一直在处理所有问题,直到出现409错误,但似乎找不到更多信息。

我将尝试提供尽可能多的信息。

代码

这是我的K8S list 

apiVersion: v1
kind: Service
metadata:
  name: esp-grpc-environment
spec:
  ports:
  # Port that accepts gRPC and JSON/HTTP2 requests over HTTP.
  - port: 80
    targetPort: 9090
    protocol: TCP
    name: http2
  selector:
    app: esp-grpc-environment
  type: LoadBalancer
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: esp-grpc-environment
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: esp-grpc-environment
    spec:
      containers:
      - name: esp
        image: gcr.io/endpoints-release/endpoints-runtime:1
        args: [
          "--http_port=9090",
          "--service=environment.endpoints.<project_id>.cloud.goog",
          "--rollout_strategy=managed",
          "--backend=grpc://127.0.0.1:8000",
          "--cors_preset=basic",
          "--cors_allow_headers=Keep-Alive,User-Agent,Cache-Control,Content-Type,Content-Transfer-Encoding,X-Accept-Content-Transfer-Encoding,X-Accept-Response-Streaming,X-User-Agent,X-Grpc-Web,Grpc-Timeout,Authorization,authorization",
          "--cors_expose_headers=grpc-status,grpc-message,authorization",
          "--enable_debug"
        ]
        ports:
          - containerPort: 9090
      - name: environment
        image: terrariumai/environment:0.0.1
        imagePullPolicy: Always
        ports:
          - containerPort: 8000

和我的端点配置 
type: google.api.Service
config_version: 3

name: environment.endpoints.<project_id>.cloud.goog
title: Environment gRPC API

apis:
  - name: endpoints.terrariumai.environment.Environment

authentication:
  providers:
    - id: firebase
      jwks_uri: https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com
      issuer: https://securetoken.google.com/<project_id>
  rules:
    - selector: "*"
      requirements:
        - provider_id: firebase

usage:
  rules:
    - selector: endpoints.terrariumai.environment.Environment.CreateEntity
      allow_unregistered_calls: true

这是我的服务配置的链接

Service Config

这就是我调用API的方式 
import {
CreateEntityRequest
} from "../api/environment_pb";

this.props.firebase
      .auth()
      .currentUser.getIdToken(/* forceRefresh */ true)
      .then(function(idToken) {
        var service = new EnvironmentClient(addr, null, null);
        var request = new CreateEntityRequest();
        var metadata = {
          authorization: `Bearer ${idToken}`
        };
        console.log(idToken);
        service.createEntity(request, metadata, (err, resp) => {
          if (err) {
            console.log("Got error: ", err);
          }
          console.log("Resp: ", resp);
        });
      })

错误

所以在这一点上,我在浏览器中收到此错误 
POST http://<external-ip>/endpoints.terrariumai.environment.Environment/CreateEntity 403 (Forbidden)

这是来自/var/log/nginx/error.log的相关内容(但不是全部,我认为这应该足够了) 
2019/07/11 00:06:44 [debug] 9#9: *8 HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 11 Jul 2019 00:06:44 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Bearer, error="invalid_token"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers: Keep-Alive,User-Agent,Cache-Control,Content-Type,Content-Transfer-Encoding,X-Accept-Content-Transfer-Encoding,X-Accept-Response-Streaming,X-User-Agent,X-Grpc-Web,Grpc-Timeout,Authorization,authorization
Access-Control-Expose-Headers: grpc-status,grpc-message,authorization

2019/07/11 00:06:44 [debug] 9#9: *8 write new buf t:1 f:0 000056541D4E9778, pos 000056541D4E9778, size: 618 file: 0, size: 0
2019/07/11 00:06:44 [debug] 9#9: *8 http write filter: l:0 f:0 s:618
2019/07/11 00:06:44 [debug] 9#9: *8 http output filter "/endpoints.terrariumai.environment.Environment/CreateEntity?"
2019/07/11 00:06:44 [debug] 9#9: *8 ESP error message: JWT validation failed: Audience not allowed
2019/07/11 00:06:44 [debug] 9#9: *8 send error response: {
 "code": 7,
 "message": "JWT validation failed: Audience not allowed",
 "details": [
  {
   "@type": "type.googleapis.com/google.rpc.DebugInfo",
   "stackEntries": [],
   "detail": "auth"
  }
 ]
}

我真的不确定如何进一步调试它。我尝试查找此文件,但我只能找到的唯一文档说Firebase可能在标题中设置了不正确的“aud”值?任何见识将不胜感激!

最佳答案

发生“不允许受众”错误,因为您的服务配置未在Firebase生成的 token 中明确列出“aud”声明的接受值。

Cloud Endpoints文档说明了如何在Open API文档中配置受众检查Firebase token :https://cloud.google.com/endpoints/docs/openapi/authenticating-users-firebase

在服务配置消息中,相关字段为authentication.providers.audiences。

authentication:
  providers:
    - id: firebase
      jwks_uri: https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com
      issuer: https://securetoken.google.com/<project_id>
      audiences:
        - <project_id>

关于firebase - 使用Cloud Endpoints和Firebase调用ESP时出现“409 Audience not allowed”错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56981740/

24 4 0
文章推荐: docker - 如何在 Rancher 中修复 "Cluster must have at least one etcd plane host: failed to connect to the following etcd host(s) [10.xxx.xxx.36]"?
文章推荐: android - 用于代码生成的 ANTLR Tool 版本 4.7.1 与当前运行时版本 4.5.3 不匹配
文章推荐: kubernetes - 外部 DNS EKS AWS
文章推荐: apache-spark - Spark - Master : got disassociated, 删除它
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com