Google and JWT Endpoints

I have an API based on Google Cloud Endpoints and I want to use JWT (JSON Web Tokens) for authorization. I can configure an Authorization header for each request that contains a token, and it works correctly. I know that Endpoints uses this header for OAuth2, and here is my question. Is it right to use the Authorization header for the user token? GAE logs:

```text
D 12:38:44.375 Checking for id_token.
D 12:38:44.376 id_token verification failed: Unexpected encryption algorithm: u'HS256'
D 12:38:44.376 Checking for oauth token.
D 12:38:44.384 Oauth framework user didn't match oauth token user.
```

GAE seems to be trying to read this token as an OAuth token, and that is not good, is it? Maybe I should send my token in the URL? Something like app-id.appspot.com/_ah/api/my_app/v1/users/get?jwt=TOKEN. Maybe I should not use JWT with Google Cloud Endpoints at all?

+2
google-app-engine google-cloud-endpoints
Aug 04 '15 at 18:18
1 answer

These messages are related to the fact that the Endpoints library is trying to automatically identify the user from the Authorization header so that it can provide endpoints.get_current_user (source). It can do this automatically when the Authorization header contains a bearer token that is a valid Google OAuth2 access token or an Android ID token.

Simply put, this is not an error; the library just cannot automatically process your Authorization header. That is no big deal, since you are handling JWT on your own.

For JWT, you can still use the Authorization header and independently verify the JWT using PyJWT (for installing third-party packages, see here).

Here is the full sample:

```python
import logging

import endpoints
from protorpc import messages
from protorpc import message_types
from protorpc import remote

import jwt


class TestMessage(messages.Message):
    message = messages.StringField(1)


@endpoints.api(name='example', version='v1')
class ExampleApi(remote.Service):

    @endpoints.method(message_types.VoidMessage, TestMessage,
                      http_method='GET')
    def auth(self, unused_request):
        # Get the HTTP Authorization header.
        auth_header = self.request_state.headers.get('authorization')
        if not auth_header:
            raise endpoints.UnauthorizedException("No authorization header.")

        # Get the encoded JWT (the part after the scheme, e.g. "Token <jwt>").
        auth_token = auth_header.split(' ').pop()

        # Decode and verify the token. Pinning the accepted algorithm stops the
        # client from choosing one the server did not intend (and PyJWT 2.x
        # requires the argument).
        try:
            payload = jwt.decode(auth_token, 'secret', algorithms=['HS256'])
            # Do your own check here.
            logging.info(payload)
        except jwt.InvalidTokenError:
            raise endpoints.UnauthorizedException("Token validation failed.")

        return TestMessage(message='OK')


app = endpoints.api_server([ExampleApi])
```

You can check this with a self-generated JWT:

```shell
$ python -c "import jwt; print jwt.encode({'some': 'data'}, 'secret')"
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoiZGF0YSJ9.g1aG08iQyPPwCTJHCxRrkKoYmLiHbBNdarcBQkCPMG4
```

Then use httpie to make the request:

```shell
$ http GET :8080/_ah/api/example/v1/auth Authorization:'Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoiZGF0YSJ9.g1aG08iQyPPwCTJHCxRrkKoYmLiHbBNdarcBQkCPMG4'
```

If you do not like seeing the Endpoints log messages about failing to verify the token on every request, you can use your own header, for example X-Auth.

+5
Aug 6 '15 at 20:02