If you require setting the JWT as an authorization Bearer token in your request for a given audience, ServiceAccountJwtAccessCredentials is useful.
The JWT that is created from ServiceAccountCredentials (https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java#L494) is targeted to creating a JWT that can be provided to retrieve a Google ID Token (https://developers.google.com/identity/protocols/OpenIDConnect).

On Thursday, August 24, 2017 at 1:17:55 PM UTC-7, [email protected] wrote:
>
> That's really great to know to use ServiceAccountJwtAccessCredentials. But
> may I ask what the major diffs are between ServiceAccountJwtAccessCredentials
> and ServiceAccountCredentials, and in which case we should
> use ServiceAccountCredentials?
>
> Thanks,
> Jun
>
> On Thursday, August 24, 2017 at 9:49:33 PM UTC+2, [email protected] wrote:
>>
>> https://github.com/google/google-auth-library-java
>> provides a ServiceAccountJwtAccessCredentials you can use.
>>
>> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L204
>>
>> The JWT authorization header is set with this method:
>>
>> https://github.com/google/google-auth-library-java/blob/0d27d88798b299a4eda987171f34292cec73ec6c/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252
>>
>> On Thursday, August 24, 2017 at 10:50:06 AM UTC-7, julie wrote:
>>>
>>> Hi, I'm trying to get my Google Cloud Endpoints project with gRPC
>>> working with an OAuth2.0 authentication provider using GoogleCredentials.
>>>
>>> I followed the steps in this tutorial and could make an authenticated
>>> request by generating the JWT token and setting the audience and issuer etc.
>>>
>>> https://cloud.google.com/endpoints/docs/using-service-to-service-authentication-grpc#make_an_authenticated_grpc_call
>>>
>>> But we need to use GoogleCredentials for authentication and I have tried
>>> making the client request in several ways but it did not work out.
>>>
>>> Below is the relevant piece of my Client code along with my
>>> api_config_auth.yaml file.
>>>
>>> *CLIENT:*
>>>
>>> public class ReporterClient {
>>>
>>>   public static void main(String[] args) throws Exception {
>>>     // Create gRPC stub.
>>>     ReporterGrpc.ReporterBlockingStub reporterBlockingStub =
>>>         createReporterStub(host, port);
>>>     getParams(reporterBlockingStub, domain, type, objectName, data);
>>>   }
>>>
>>>   // Send Request to Server
>>>   public static void getParams(ReporterGrpc.ReporterBlockingStub reporterBlockingStub,
>>>       String domain, String type, String objectName, String data) {
>>>     GenerateReportRequest request = GenerateReportRequest.newBuilder()
>>>         .setDomain(domain).setType(type).setObjectName(objectName).setData(data)
>>>         .build();
>>>     GenerateReportResponse response = reporterBlockingStub.generateReport(request);
>>>   }
>>>
>>>   // Version 1: Without scopes
>>>   public static ReporterGrpc.ReporterBlockingStub createReporterStub(
>>>       String host, int port) throws Exception {
>>>     Channel channel = ManagedChannelBuilder.forAddress(host, port)
>>>         .usePlaintext(true).build();
>>>     GoogleCredentials googleCredentials =
>>>         Environment.get().computeEngineDefaultCredentials();
>>>     return ReporterGrpc.newBlockingStub(channel)
>>>         .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>>   }
>>>
>>>   // Version 2: With scopes
>>>   public static ReporterGrpc.ReporterBlockingStub createReporterStubTry(
>>>       String host, int port) throws Exception {
>>>     Channel channel = ManagedChannelBuilder.forAddress(host, port)
>>>         .usePlaintext(true).build();
>>>     List<String> scopes = new ArrayList<>();
>>>     scopes.add("https://MY_SERVICE_CONFIGURATION_NAME");
>>>     GoogleCredentials googleCredentials =
>>>         Environment.get().computeEngineDefaultCredentials().createScoped(scopes);
>>>     return ReporterGrpc.newBlockingStub(channel)
>>>         .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>>   }
>>> }
>>>
>>> *YAML File : API_CONFIG_AUTH.yaml:*
>>>
>>> # Reporter gRPC API configuration.
>>> type: google.api.Service
>>> config_version: 3
>>>
>>> # Name of the service configuration.
>>> name: MY_SERVICE_CONFIGURATION_NAME
>>>
>>> # API title to appear in the user interface (Google Cloud Console).
>>> title: Reporter gRPC API
>>> apis:
>>> - name: reporter.Reporter
>>>
>>> # API usage restrictions.
>>> usage:
>>>   rules:
>>>   # GenerateReport method can be called without an API Key.
>>>   - selector: reporter.Reporter.GenerateReport
>>>     allow_unregistered_calls: true
>>>
>>> # Request authentication.
>>> authentication:
>>>   providers:
>>>   - id: google_service_account
>>>     # Replace SERVICE-ACCOUNT-ID with your service account's email address.
>>>     issuer: MY_SERVICE_ACCOUNT_ID
>>>     jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/MY_SERVICE_ACCOUNT_ID
>>>   rules:
>>>   # This auth rule will apply to all methods.
>>>   - selector: "*"
>>>     requirements:
>>>       - provider_id: google_service_account
>>>
>>> *// Error for Version 1: Without scopes*
>>>
>>> Exception in thread "main" io.grpc.StatusRuntimeException: PERMISSION_DENIED: JWT validation failed: Audience not allowed
>>>     at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>>     at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>>     at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>>>
>>> *// Error for Version 2: With scopes*
>>>
>>> Exception in thread "main" io.grpc.StatusRuntimeException: UNAUTHENTICATED
>>>     at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>>     at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>>     at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>>> Caused by: java.io.IOException: Error parsing token refresh response. Expected value access_token not found.
>>>     at com.google.auth.oauth2.OAuth2Utils.validateString(OAuth2Utils.java:116)
>>>     at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:371)
>>>     at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149)
>>>     at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135)
>>>     at io.grpc.auth.GoogleAuthLibraryCallCredentials$1.run(GoogleAuthLibraryCallCredentials.java:95)
>>>     at io.grpc.stub.ClientCalls$ThreadlessExecutor.waitAndDrain(ClientCalls.java:575)
>>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:120)
>>>
>>

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/ade16b15-064e-479f-b29a-7a190cf0cac4%40googlegroups.com.
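
Added example, not part of the thread and not code from google-auth-library-java or any poster: a small diagnostic for the "Audience not allowed" error above that has ServiceAccountJwtAccessCredentials sign a JWT for a chosen audience and prints only the decoded claims, so `iss` and `aud` can be compared with the `issuer` and accepted audiences in the service configuration. The class name `JwtClaimsCheck`, the key-file path and the audience URI (both passed as arguments) are assumptions.

```java
import com.google.auth.oauth2.ServiceAccountJwtAccessCredentials;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Map;

public class JwtClaimsCheck {  // hypothetical class name

  // Signs a JWT locally for the given audience and returns its decoded claims JSON.
  // The JWT is self-signed with the service account key; no token endpoint is contacted.
  static String claimsFor(ServiceAccountJwtAccessCredentials creds, URI audience)
      throws Exception {
    Map<String, List<String>> metadata = creds.getRequestMetadata(audience);
    List<String> values = metadata.get("Authorization");
    if (values == null || values.isEmpty() || !values.get(0).startsWith("Bearer ")) {
      throw new IllegalStateException("no Bearer authorization header produced");
    }
    // A compact JWT is header.payload.signature, each part base64url-encoded.
    String[] parts = values.get(0).substring("Bearer ".length()).split("\\.");
    if (parts.length != 3) {
      throw new IllegalStateException("not a compact JWT");
    }
    // Return only the payload: the full token is a bearer credential and
    // should not be written to logs or consoles.
    return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 2) {
      System.err.println("usage: JwtClaimsCheck <key.json> <audience-uri>");
      System.exit(2);
    }
    // Assumptions: args[0] is a service account JSON key file, args[1] is the
    // audience the server is expected to accept.
    try (InputStream in = new FileInputStream(args[0])) {
      ServiceAccountJwtAccessCredentials creds =
          ServiceAccountJwtAccessCredentials.fromStream(in);
      // Compare "iss" with the provider's issuer and "aud" with the audiences
      // the service configuration allows.
      System.out.println(claimsFor(creds, URI.create(args[1])));
    }
  }
}
```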
