Thanks a lot for your comments!


Update on the issue:


We have modified our Client to use ServiceAccountJwtAccessCredentials 


public static ReporterGrpc.ReporterBlockingStub createReporterStub(String host, int port) throws Exception {

  Channel channel = ManagedChannelBuilder.forAddress(host, port).usePlaintext(true).build();

  ServiceAccountJwtAccessCredentials serviceAccountJwtAccessCredentials =
      Environment.get().computeEngineDefaultCredentials();

  return ReporterGrpc.newBlockingStub(channel).withCallCredentials(
      new GoogleAuthLibraryCallCredentials(serviceAccountJwtAccessCredentials));
}



It works, but with a change in the class GoogleAuthLibraryCallCredentials.java:

https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java


Currently the audience that is set by ServiceAccountJwtAccessCredentials is being overwritten by the above line:

ReporterGrpc.newBlockingStub(channel).withCallCredentials(new GoogleAuthLibraryCallCredentials(serviceAccountJwtAccessCredentials))


So instead of the audience (SERVICE_CONFIGURATION_NAME) that we set, we are obtaining a string like: https://35.195.24.28:80/reporter.Reporter

which is being constructed by
https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java#L123


After we changed the uri passed at
https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java#L98
to null, we were able to point to the right audience:

Map<String, List<String>> metadata = creds.getRequestMetadata(uri)
->
Map<String, List<String>> metadata = creds.getRequestMetadata(null)


Now the ServiceAccountJwtAccessCredentials picks up the right audience from this line:

https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L253


    if (uri == null) {
       if (defaultAudience != null) {
         uri = defaultAudience;
       } else {
         ……
       }
     }



Is this working as intended or did we miss something? We did expect the 
GoogleAuthLibraryCallCredentials.java to overwrite the audience we set.

We were wondering whether ServiceAccountJwtAccessCredentials class is 
compatible with CallCredentials class or if there is another wrapper 
available to pass the ServiceAccountJwtAccessCredentials.





On Thursday, August 24, 2017 at 10:27:31 PM UTC+2, [email protected] wrote:
>
>
> If you require setting the JWT as an authorization Bearer token in your 
> request for a given audience,  ServiceAccountJwtAccessCredentials is useful.
>
> The JWT that is created from ServiceAccountCredentials
> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java#L494
> is targeted at creating a JWT that can be provided to retrieve a Google 
> ID Token (https://developers.google.com/identity/protocols/OpenIDConnect). 
>
> On Thursday, August 24, 2017 at 1:17:55 PM UTC-7, [email protected] 
> wrote:
>>
>>
>> that's really great to know to use ServiceAccountJwtAccessCredentials. 
>> but may I ask what's the major diffs 
>> between ServiceAccountJwtAccessCredentials and ServiceAccountCredentials. 
>> and in which case we should use ServiceAccountCredentials?
>>
>> Thanks,
>> Jun
>>
>> On Thursday, August 24, 2017 at 9:49:33 PM UTC+2, [email protected] 
>> wrote:
>>>
>>> https://github.com/google/google-auth-library-java
>>> provides a ServiceAccountJwtAccessCredentials you can use.
>>>
>>>
>>> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L204
>>>
>>> The jwt authorization header is set with this method :
>>>
>>> https://github.com/google/google-auth-library-java/blob/0d27d88798b299a4eda987171f34292cec73ec6c/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252
>>>
>>>
>>> On Thursday, August 24, 2017 at 10:50:06 AM UTC-7, julie wrote:
>>>>
>>>> Hi, I'm trying to get my Google Cloud Endpoints project with gRPC 
>>>> working with an OAuth2.0 authentication provider using GoogleCredentials
>>>>
>>>>
>>>> I followed the steps in this tutorial and could make an authenticated 
>>>> request by generating the jwt token and setting the audience and issuer etc
>>>>
>>>>  
>>>> https://cloud.google.com/endpoints/docs/using-service-to-service-authentication-grpc#make_an_authenticated_grpc_call
>>>>
>>>>
>>>> But we need to use GoogleCredentials for authentication and I have 
>>>> tried making the client request in several ways but it did not work out
>>>>
>>>> Below is the relevant piece of my Client code along with my 
>>>> api_config_auth.yaml file
>>>>
>>>>
>>>> CLIENT:
>>>>
>>>>
>>>> public class ReporterClient {
>>>>
>>>>   public static void main(String[] args) throws Exception {
>>>>     // Create gRPC stub.
>>>>     ReporterGrpc.ReporterBlockingStub reporterBlockingStub = createReporterStub(host, port);
>>>>     getParams(reporterBlockingStub, domain, type, objectName, data);
>>>>   }
>>>>
>>>>   // Send Request to Server
>>>>   public static void getParams(ReporterGrpc.ReporterBlockingStub reporterBlockingStub,
>>>>       String domain, String type, String objectName, String data) {
>>>>     GenerateReportRequest request = GenerateReportRequest.newBuilder()
>>>>         .setDomain(domain).setType(type).setObjectName(objectName).setData(data).build();
>>>>     GenerateReportResponse response = reporterBlockingStub.generateReport(request);
>>>>   }
>>>>
>>>>   // Version 1: Without scopes
>>>>   public static ReporterGrpc.ReporterBlockingStub createReporterStub(String host, int port) throws Exception {
>>>>     Channel channel = ManagedChannelBuilder.forAddress(host, port).usePlaintext(true).build();
>>>>     GoogleCredentials googleCredentials = Environment.get().computeEngineDefaultCredentials();
>>>>     return ReporterGrpc.newBlockingStub(channel)
>>>>         .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>>>   }
>>>>
>>>>   // Version 2: With scopes
>>>>   public static ReporterGrpc.ReporterBlockingStub createReporterStubTry(String host, int port) throws Exception {
>>>>     Channel channel = ManagedChannelBuilder.forAddress(host, port).usePlaintext(true).build();
>>>>     List<String> scopes = new ArrayList<>();
>>>>     scopes.add("https://MY_SERVICE_CONFIGURATION_NAME");
>>>>     GoogleCredentials googleCredentials = Environment.get().computeEngineDefaultCredentials().createScoped(scopes);
>>>>     return ReporterGrpc.newBlockingStub(channel)
>>>>         .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>>>   }
>>>>
>>>> }
>>>>
>>>>
>>>>
>>>> YAML File : API_CONFIG_AUTH.yaml:
>>>>
>>>>
>>>> # Reporter gRPC API configuration.
>>>> type: google.api.Service
>>>> config_version: 3
>>>>
>>>> # Name of the service configuration.
>>>> name: MY_SERVICE_CONFIGURATION_NAME
>>>>
>>>> # API title to appear in the user interface (Google Cloud Console).
>>>> title: Reporter gRPC API
>>>>
>>>> apis:
>>>>   - name: reporter.Reporter
>>>>
>>>> # API usage restrictions.
>>>> usage:
>>>>   rules:
>>>>   # GenerateReport method can be called without an API Key.
>>>>   - selector: reporter.Reporter.GenerateReport
>>>>     allow_unregistered_calls: true
>>>>
>>>> # Request authentication.
>>>> authentication:
>>>>   providers:
>>>>   - id: google_service_account
>>>>     # Replace SERVICE-ACCOUNT-ID with your service account's email address.
>>>>     issuer: MY_SERVICE_ACCOUNT_ID
>>>>     jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/MY_SERVICE_ACCOUNT_ID
>>>>
>>>>   rules:
>>>>   # This auth rule will apply to all methods.
>>>>   - selector: "*"
>>>>     requirements:
>>>>       - provider_id: google_service_account
>>>>
>>>>
>>>>
>>>> // Error for Version 1: Without scopes
>>>>
>>>> Exception in thread "main" io.grpc.StatusRuntimeException: PERMISSION_DENIED: JWT validation failed: Audience not allowed
>>>>   at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>>>   at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>>>   at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>>>>
>>>>
>>>> // Error for Version 2: With scopes
>>>>
>>>> Exception in thread "main" io.grpc.StatusRuntimeException: UNAUTHENTICATED
>>>>   at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>>>   at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>>>   at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>>>> Caused by: java.io.IOException: Error parsing token refresh response. Expected value access_token not found.
>>>>   at com.google.auth.oauth2.OAuth2Utils.validateString(OAuth2Utils.java:116)
>>>>   at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:371)
>>>>   at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149)
>>>>   at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135)
>>>>   at io.grpc.auth.GoogleAuthLibraryCallCredentials$1.run(GoogleAuthLibraryCallCredentials.java:95)
>>>>   at io.grpc.stub.ClientCalls$ThreadlessExecutor.waitAndDrain(ClientCalls.java:575)
>>>>   at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:120)
>>>>
>>>
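
As an added example (not code from this thread, grpc-java or google-auth-library-java), the stand-alone program below reproduces the audience behaviour discussed above: it builds a ServiceAccountJwtAccessCredentials with the library's builder, using a constructed throwaway RSA key and placeholder service and account names, reads the aud claim out of the JWT the credentials return for the authority-derived uri versus for null, and checks each against the configured service name with a simplified stand-in for the gateway's "Audience not allowed" check. It assumes google-auth-library-oauth2-http on the classpath; JwtAudienceCheck, SERVICE_NAME and isAllowedAudience are hypothetical names.

```java
import com.google.auth.oauth2.ServiceAccountJwtAccessCredentials;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JwtAudienceCheck {
  // Placeholder for the "name:" value in api_config_auth.yaml, the audience the gateway expects.
  static final String SERVICE_NAME = "MY_SERVICE_CONFIGURATION_NAME";

  public static void main(String[] args) throws Exception {
    // Constructed throwaway key pair; a real client loads its service account key file instead.
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(2048);

    ServiceAccountJwtAccessCredentials creds = ServiceAccountJwtAccessCredentials.newBuilder()
        .setClientId("placeholder-client-id")
        .setClientEmail("MY_SERVICE_ACCOUNT_ID")      // placeholder issuer/subject
        .setPrivateKey(kpg.generateKeyPair().getPrivate())
        .setPrivateKeyId("placeholder-key-id")
        .setDefaultAudience(URI.create(SERVICE_NAME)) // used only when getRequestMetadata gets null
        .build();

    // The uri GoogleAuthLibraryCallCredentials derives from the channel authority and service name.
    URI grpcUri = URI.create("https://35.195.24.28:80/reporter.Reporter");
    String audFromUri = audienceOf(creds.getRequestMetadata(grpcUri));
    String audFromDefault = audienceOf(creds.getRequestMetadata(null));
    System.out.println("uri from gRPC call: aud=" + audFromUri + " allowed=" + isAllowedAudience(audFromUri));
    System.out.println("null uri (default): aud=" + audFromDefault + " allowed=" + isAllowedAudience(audFromDefault));
  }

  // Simplified stand-in for the gateway's check: the token must be minted for this service,
  // so a token whose aud names some other host or service is rejected ("Audience not allowed").
  static boolean isAllowedAudience(String aud) {
    return SERVICE_NAME.equals(aud);
  }

  // Pull the aud claim out of the Bearer JWT the credentials place in the Authorization header.
  static String audienceOf(Map<String, List<String>> metadata) {
    String jwt = metadata.get("Authorization").get(0).substring("Bearer ".length());
    String json = new String(Base64.getUrlDecoder().decode(jwt.split("\\.")[1]), StandardCharsets.UTF_8);
    Matcher m = Pattern.compile("\"aud\":\"([^\"]*)\"").matcher(json);
    return m.find() ? m.group(1) : null;
  }
}
```

The first line shows the authority-derived audience that the gateway rejects; the second shows the default audience that is only reached when the call credentials pass null, which is the behaviour the thread's local patch relies on.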

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/8c165345-9ba0-4a8a-b30e-96689fff4fa8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
