That's really great to know to use ServiceAccountJwtAccessCredentials. But may I ask what the major differences are between ServiceAccountJwtAccessCredentials and ServiceAccountCredentials, and in which case we should use ServiceAccountCredentials?
Thanks,
Jun

On Thursday, August 24, 2017 at 9:49:33 PM UTC+2, [email protected] wrote:
> https://github.com/google/google-auth-library-java
> provides a ServiceAccountJwtAccessCredentials you can use.
>
> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L204
>
> The jwt authorization header is set with this method:
>
> https://github.com/google/google-auth-library-java/blob/0d27d88798b299a4eda987171f34292cec73ec6c/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252
>
> On Thursday, August 24, 2017 at 10:50:06 AM UTC-7, julie wrote:
>> Hi, I'm trying to get my Google Cloud Endpoints project with gRPC working
>> with an OAuth2.0 authentication provider using GoogleCredentials.
>>
>> I followed the steps in this tutorial and could make an authenticated
>> request by generating the jwt token and setting the audience and issuer etc.
>>
>> https://cloud.google.com/endpoints/docs/using-service-to-service-authentication-grpc#make_an_authenticated_grpc_call
>>
>> But we need to use GoogleCredentials for authentication and I have tried
>> making the client request in several ways but it did not work out.
>>
>> Below is the relevant piece of my Client code along with my
>> api_config_auth.yaml file.
>>
>> *CLIENT:*
>>
>> public class ReporterClient {
>>
>>     public static void main(String[] args) throws Exception {
>>         // Create gRPC stub.
>>         ReporterGrpc.ReporterBlockingStub reporterBlockingStub =
>>             createReporterStub(host, port);
>>         getParams(reporterBlockingStub, domain, type, objectName, data);
>>     }
>>
>>     // Send Request to Server
>>     public static void getParams(ReporterGrpc.ReporterBlockingStub reporterBlockingStub,
>>             String domain, String type, String objectName, String data) {
>>         GenerateReportRequest request = GenerateReportRequest.newBuilder()
>>             .setDomain(domain).setType(type).setObjectName(objectName).setData(data)
>>             .build();
>>         GenerateReportResponse response = reporterBlockingStub.generateReport(request);
>>     }
>>
>>     // Version 1: Without scopes
>>     public static ReporterGrpc.ReporterBlockingStub createReporterStub(
>>             String host, int port) throws Exception {
>>         Channel channel = ManagedChannelBuilder.forAddress(host, port)
>>             .usePlaintext(true).build();
>>         GoogleCredentials googleCredentials =
>>             Environment.get().computeEngineDefaultCredentials();
>>         return ReporterGrpc.newBlockingStub(channel)
>>             .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>     }
>>
>>     // Version 2: With scopes
>>     public static ReporterGrpc.ReporterBlockingStub createReporterStubTry(
>>             String host, int port) throws Exception {
>>         Channel channel = ManagedChannelBuilder.forAddress(host, port)
>>             .usePlaintext(true).build();
>>         List<String> scopes = new ArrayList<>();
>>         scopes.add("https://MY_SERVICE_CONFIGURATION_NAME");
>>         GoogleCredentials googleCredentials =
>>             Environment.get().computeEngineDefaultCredentials().createScoped(scopes);
>>         return ReporterGrpc.newBlockingStub(channel)
>>             .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>     }
>> }
>>
>> *YAML File : API_CONFIG_AUTH.yaml:*
>>
>> # Reporter gRPC API configuration.
>> type: google.api.Service
>> config_version: 3
>> # Name of the service configuration.
>> name: MY_SERVICE_CONFIGURATION_NAME
>> # API title to appear in the user interface (Google Cloud Console).
>> title: Reporter gRPC API
>> apis:
>> - name: reporter.Reporter
>> # API usage restrictions.
>> usage:
>>   rules:
>>   # GenerateReport method can be called without an API Key.
>>   - selector: reporter.Reporter.GenerateReport
>>     allow_unregistered_calls: true
>> # Request authentication.
>> authentication:
>>   providers:
>>   - id: google_service_account
>>     # Replace SERVICE-ACCOUNT-ID with your service account's email address.
>>     issuer: MY_SERVICE_ACCOUNT_ID
>>     jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/MY_SERVICE_ACCOUNT_ID
>>   rules:
>>   # This auth rule will apply to all methods.
>>   - selector: "*"
>>     requirements:
>>       - provider_id: google_service_account
>>
>> *// Error for Version 1: Without scopes*
>>
>> Exception in thread "main" io.grpc.StatusRuntimeException: PERMISSION_DENIED: JWT validation failed: Audience not allowed
>>     at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>     at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>>
>> *// Error for Version 2: With scopes*
>>
>> Exception in thread "main" io.grpc.StatusRuntimeException: UNAUTHENTICATED
>>     at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>     at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>> Caused by: java.io.IOException: Error parsing token refresh response. Expected value access_token not found.
>>     at com.google.auth.oauth2.OAuth2Utils.validateString(OAuth2Utils.java:116)
>>     at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:371)
>>     at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149)
>>     at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135)
>>     at io.grpc.auth.GoogleAuthLibraryCallCredentials$1.run(GoogleAuthLibraryCallCredentials.java:95)
>>     at io.grpc.stub.ClientCalls$ThreadlessExecutor.waitAndDrain(ClientCalls.java:575)
>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:120)
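
An added example (not from this thread and not code from google-auth-library-java or grpc-java) of how the `aud` claim separates the two credential styles asked about above: a JWT signed locally and addressed to the service, versus a JWT assertion addressed to an OAuth2 token endpoint, which a receiver configured like the quoted YAML rejects on audience. It uses only the JDK (Java 9+), a throwaway RSA key and the placeholder names from the quoted config, and assumes the service accepts `https://` plus its service name as audience; `JwtAudienceDemo`, `sign`, `claim` and `validate` are hypothetical names.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;
// Added illustration; the key and all names are constructed placeholders.
public class JwtAudienceDemo {
    static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }
    // Sign a JWT locally with RS256, as a service account private key would.
    static String sign(PrivateKey key, String iss, String aud, String scope) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String claims = "{\"iss\":\"" + iss + "\",\"sub\":\"" + iss + "\",\"aud\":\"" + aud + "\","
            + (scope == null ? "" : "\"scope\":\"" + scope + "\",")
            + "\"iat\":" + now + ",\"exp\":" + (now + 3600) + "}";
        String input = b64(utf8("{\"alg\":\"RS256\",\"typ\":\"JWT\"}")) + "." + b64(utf8(claims));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(utf8(input));
        return input + "." + b64(s.sign());
    }
    // Minimal lookup for the flat JSON built above; real code should use a JSON parser.
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\":\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : "";
    }
    // Receiver side: signature (algorithm pinned to RS256), then issuer, then audience.
    static String validate(String jwt, PublicKey key, String issuer, Set<String> audiences) throws Exception {
        String[] p = jwt.split("\\.");
        if (p.length != 3) return "malformed token";
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(utf8(p[0] + "." + p[1]));
        if (!s.verify(Base64.getUrlDecoder().decode(p[2]))) return "bad signature";
        String claims = new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8);
        if (!issuer.equals(claim(claims, "iss"))) return "Issuer not allowed";
        if (!audiences.contains(claim(claims, "aud"))) return "Audience not allowed";
        return "OK";
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // throwaway key standing in for the service account key
        String sa = "MY_SERVICE_ACCOUNT_ID", svc = "https://MY_SERVICE_CONFIGURATION_NAME";
        // Self-signed JWT: aud names the service, sent directly as the bearer token.
        String selfSigned = sign(kp.getPrivate(), sa, svc, null);
        // OAuth2 assertion: aud names a token endpoint (example URL); it is meant to be exchanged there.
        String assertion = sign(kp.getPrivate(), sa, "https://oauth2.googleapis.com/token", svc);
        System.out.println(validate(selfSigned, kp.getPublic(), sa, Set.of(svc)));
        System.out.println(validate(assertion, kp.getPublic(), sa, Set.of(svc)));
    }
}
```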
