I am trying to validate a JWT token generated by Firebase using an Ambassador Edge Stack (Datawire / Edge Stack version 3.3.0) filter.
The Firebase token is generated using the login/password authentication mechanism on Firebase, something like this (in Python):
# 'authentication' (client-side sign-in), 'auth' (admin SDK token creation) and
# 'additional_claims' are assumed to be set up earlier in the script.
email = input("Enter email: ")
password = input("Enter password: ")
# Sign in with email/password; the returned dict contains the user's localId.
user = authentication.sign_in_with_email_and_password(email, password)
# Mint a custom token for that user id carrying the extra claims.
custom_token = auth.create_custom_token(user["localId"], additional_claims)
print("JWT Token :")
print(custom_token)
Once the token is generated, I use it with a curl command as follows:
curl -H "Authorization: Bearer $TOKEN" https://ambassador-ip.nip.io/hello-world/
The curl command returns the following error:
  },
  "message": "Token validation error: token is invalid: errorFlags=0x00000002=(ValidationErrorUnverifiable) wrappedError=(KeyID=\"50***redacted***1\": JWK not found)",
  "status_code": 401
}
Here is the Ambassador Filter I declared:
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: "firebase-filter"
  namespace: ${kubernetes_namespace.hello_world.metadata[0].name}
spec:
  JWT:
    jwksURI: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    audience: "${local.project_id}"
    issuer: "https://securetoken.google.com/${local.project_id}"
And the FilterPolicy applied to my backend:
apiVersion: getambassador.io/v3alpha1
kind: FilterPolicy
metadata:
  name: "firebase-filter-policy"
  namespace: ${kubernetes_namespace.hello_world.metadata[0].name}
spec:
  rules:
  - host: "*"
    path: "/hello-world/"
    filters:
    - name: "firebase-filter"
      namespace: "${kubernetes_namespace.hello_world.metadata[0].name}"
For the record, the curl command with the same token works against a deployed hello-world Cloud Run service, where the GCP API Gateway is configured as follows:
swagger: '2.0'
info:
  title: Example Firebase auth Gateway
  description: API Gateway with firebase auth
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
securityDefinitions:
  firebase:
    authorizationUrl: ''
    flow: implicit
    type: oauth2
    x-google-issuer: "https://securetoken.google.com/${project_id}"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "${project_id}"
paths:
  /v1/hello:
    get:
      security:
        - firebase: []
      description: Hello
      operationId: hello
      responses:
        '200':
          description: Success
      x-google-backend:
        address: 'https://hello-redacted-ew.a.run.app'
Any idea why the Ambassador Filter is misconfigured?
2 answers

Answer 1:
The JWT filter requires you to provide the URL of .well-known/openid-configuration so that it can verify the token's signature. I am not familiar with Firebase, but from their documentation it looks like you can find it here: https://firebase.google.com/docs/auth/web/openid-connect For example, your filter should be configured as follows (* my guess is on the jwksURI *):
Answer 2:
The Ambassador JWT Filter needs the jwksURI to point to the Firebase secure token service account public keys, not to the X509 certificates, so the Filter should be:
This only applies to Firebase tokens. If, for example, you want it to work for custom tokens signed with a dedicated service account, you will probably need the jwksURI to point to your service account's public keys, like this:
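The error in the question ("JWK not found") is raised at the key-lookup step, before any signature is checked, and the second answer's point is that the jwksURI must return a JWKS document. The following Python example is added here and is not part of the original question, the answers or Ambassador's code. It reproduces that lookup step against two constructed documents: one in JWKS shape (RFC 7517, a top-level "keys" list) and one in the shape of the x509 metadata endpoint (a flat map from key id to PEM certificate). It also checks the iss and aud claims the way the Filter's issuer and audience settings do. The key id, RSA parameters, certificate text, project id and token are all constructed placeholders, and no signature is verified.

```python
import base64
import json

# Constructed placeholder key id (real Firebase kids are long hex strings).
SAMPLE_KID = "50placeholder-kid-1"
SAMPLE_ISSUER = "https://securetoken.google.com/my-project"  # constructed project id
SAMPLE_AUDIENCE = "my-project"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test input)."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"dummy-signature"),
    ])


SAMPLE_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": SAMPLE_KID, "typ": "JWT"},
    {"iss": SAMPLE_ISSUER, "aud": SAMPLE_AUDIENCE, "sub": "uid-123"},
)

# Shape of a JWKS endpoint: a "keys" list of JWK objects, each with a kid.
# The RSA parameters are placeholders, not Google's keys.
JWKS_DOC = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": SAMPLE_KID,
     "n": "placeholder-modulus", "e": "AQAB"},
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "other-kid",
     "n": "placeholder-modulus-2", "e": "AQAB"},
]}

# Shape of the .../metadata/x509/... endpoint: kid -> PEM certificate.
# There is no "keys" list, so a JWKS lookup cannot find the kid even though
# the same kid appears as a map key.
X509_DOC = {SAMPLE_KID: "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"}


def decode_part(token: str, index: int) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWS compact serialization")
    return json.loads(b64url_decode(parts[index]))


def find_jwk(doc: dict, kid: str):
    """Return the JWK whose kid matches, or None if the document is not a JWKS."""
    keys = doc.get("keys")
    if not isinstance(keys, list):
        return None
    for jwk in keys:
        if isinstance(jwk, dict) and jwk.get("kid") == kid:
            return jwk
    return None


def resolve_signing_key(token: str, jwks_doc: dict):
    """Mirror the Filter's jwksURI lookup: (jwk, None) or (None, error message)."""
    header = decode_part(token, 0)
    # Pin the algorithm before looking anything up; never trust "alg" blindly.
    if header.get("alg") != "RS256":
        return None, 'alg "%s" not allowed' % header.get("alg")
    kid = header.get("kid")
    jwk = find_jwk(jwks_doc, kid)
    if jwk is None:
        return None, 'KeyID="%s": JWK not found' % kid
    return jwk, None


def check_claims(token: str, issuer: str, audience: str):
    """Return a list of claim problems; empty means iss and aud match the Filter."""
    payload = decode_part(token, 1)
    problems = []
    if payload.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = payload.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        problems.append("audience mismatch")
    return problems


if __name__ == "__main__":
    for name, doc in (("jwks", JWKS_DOC), ("x509", X509_DOC)):
        print(name, resolve_signing_key(SAMPLE_TOKEN, doc))
    print("claims:", check_claims(SAMPLE_TOKEN, SAMPLE_ISSUER, SAMPLE_AUDIENCE))
```

Running the block shows the lookup succeeding against the JWKS-shaped document and failing with the same "JWK not found" wording against the x509-shaped one, which is the difference the second answer points at. A real verifier would go on to build an RSA public key from the matched JWK's n and e and check the signature; that step is omitted here because the keys are placeholders.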