I meant: we did NOT expect the GoogleAuthLibraryCallCredentials.java to
overwrite the audience we set.
On Friday, August 25, 2017 at 3:02:37 PM UTC+2, julie wrote:
>
> Thanks a lot for your comments!
>
>
> *Update on the issue:*
>
>
> We have modified our Client to use ServiceAccountJwtAccessCredentials
>
>
> public static ReporterGrpc.ReporterBlockingStub createReporterStub(String host, int port) throws Exception {
>     Channel channel = ManagedChannelBuilder.forAddress(host, port).usePlaintext(true).build();
>     ServiceAccountJwtAccessCredentials serviceAccountJwtAccessCredentials =
>         Environment.get().computeEngineDefaultCredentials();
>     return ReporterGrpc.newBlockingStub(channel).withCallCredentials(
>         new GoogleAuthLibraryCallCredentials(serviceAccountJwtAccessCredentials));
> }
>
>
>
> It works, but with a change in the class
> GoogleAuthLibraryCallCredentials.java:
>
>
> https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java
>
>
> Currently the audience that is set by ServiceAccountJwtAccessCredentials
> is being overwritten by the above line:
>
> ReporterGrpc.newBlockingStub(channel).withCallCredentials(
>     new GoogleAuthLibraryCallCredentials(serviceAccountJwtAccessCredentials))
>
> So instead of the audience (SERVICE_CONFIGURATION_NAME) that we set, we
> are obtaining a string like: https://35.195.24.28:80/reporter.Reporter
>
> Which is being constructed by
> https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java#L123
>
>
> After we changed the uri passed to null at:
> https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java#L98
> we were able to point to the right audience:
>
> Map<String, List<String>> metadata = creds.getRequestMetadata(uri)
>   ->
> Map<String, List<String>> metadata = creds.getRequestMetadata(null)
>
>
> Now the ServiceAccountJwtAccessCredentials
> <https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252>
> picks up the right audience from this line:
>
> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L253
>
>
> if (uri == null) {
>     if (defaultAudience != null) {
>         uri = defaultAudience;
>     } else {
>         ……
>     }
> }
>
>
>
> Is this working as intended or did we miss something? We did expect the
> GoogleAuthLibraryCallCredentials.java to overwrite the audience we set.
>
> We were wondering whether ServiceAccountJwtAccessCredentials class is
> compatible with CallCredentials class or if there is another wrapper
> available to pass the ServiceAccountJwtAccessCredentials.
>
>
>
>
>
> On Thursday, August 24, 2017 at 10:27:31 PM UTC+2, [email protected]
> wrote:
>>
>>
>> If you require setting the JWT as an authorization Bearer token in your
>> request for a given audience, ServiceAccountJwtAccessCredentials is useful.
>>
>> The JWT that is created from ServiceAccountCredentials
>>
>> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java#L494
>>
>> is targeted to creating a JWT that can be provided to retrieve a Google
>> ID Token (https://developers.google.com/identity/protocols/OpenIDConnect).
>>
>> On Thursday, August 24, 2017 at 1:17:55 PM UTC-7, [email protected]
>> wrote:
>>>
>>>
>>> That's really great to know to use ServiceAccountJwtAccessCredentials,
>>> but may I ask what the major differences are
>>> between ServiceAccountJwtAccessCredentials and ServiceAccountCredentials,
>>> and in which case we should use ServiceAccountCredentials?
>>>
>>> Thanks,
>>> Jun
>>>
>>> On Thursday, August 24, 2017 at 9:49:33 PM UTC+2, [email protected]
>>> wrote:
>>>>
>>>> https://github.com/google/google-auth-library-java
>>>> provides a ServiceAccountJwtAccessCredentials you can use.
>>>>
>>>>
>>>> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L204
>>>>
>>>> The JWT authorization header is set with this method:
>>>>
>>>> https://github.com/google/google-auth-library-java/blob/0d27d88798b299a4eda987171f34292cec73ec6c/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252
>>>>
>>>>
>>>> On Thursday, August 24, 2017 at 10:50:06 AM UTC-7, julie wrote:
>>>>>
>>>>> Hi, I'm trying to get my Google Cloud Endpoints project with gRPC
>>>>> working with an OAuth2.0 authentication provider using GoogleCredentials.
>>>>>
>>>>> I followed the steps in this tutorial and could make an authenticated
>>>>> request by generating the JWT token and setting the audience and issuer
>>>>> etc.
>>>>>
>>>>>
>>>>> https://cloud.google.com/endpoints/docs/using-service-to-service-authentication-grpc#make_an_authenticated_grpc_call
>>>>>
>>>>>
>>>>> But we need to use GoogleCredentials for authentication, and I have
>>>>> tried making the client request in several ways, but it did not work out.
>>>>>
>>>>> Below is the relevant piece of my Client code along with my
>>>>> api_config_auth.yaml file.
>>>>>
>>>>>
>>>>> *CLIENT:*
>>>>>
>>>>>
>>>>> public class ReporterClient {
>>>>>
>>>>>     public static void main(String[] args) throws Exception {
>>>>>         // Create gRPC stub.
>>>>>         ReporterGrpc.ReporterBlockingStub reporterBlockingStub =
>>>>>             createReporterStub(host, port);
>>>>>         getParams(reporterBlockingStub, domain, type, objectName, data);
>>>>>     }
>>>>>
>>>>>     // Send Request to Server
>>>>>     public static void getParams(ReporterGrpc.ReporterBlockingStub reporterBlockingStub,
>>>>>             String domain, String type, String objectName, String data) {
>>>>>         GenerateReportRequest request = GenerateReportRequest.newBuilder()
>>>>>             .setDomain(domain).setType(type).setObjectName(objectName).setData(data).build();
>>>>>         GenerateReportResponse response = reporterBlockingStub.generateReport(request);
>>>>>     }
>>>>>
>>>>>     // Version 1: Without scopes
>>>>>     public static ReporterGrpc.ReporterBlockingStub createReporterStub(
>>>>>             String host, int port) throws Exception {
>>>>>         Channel channel = ManagedChannelBuilder.forAddress(host, port).usePlaintext(true).build();
>>>>>         GoogleCredentials googleCredentials = Environment.get().computeEngineDefaultCredentials();
>>>>>         return ReporterGrpc.newBlockingStub(channel)
>>>>>             .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>>>>     }
>>>>>
>>>>>     // Version 2: With scopes
>>>>>     public static ReporterGrpc.ReporterBlockingStub createReporterStubTry(
>>>>>             String host, int port) throws Exception {
>>>>>         Channel channel = ManagedChannelBuilder.forAddress(host, port).usePlaintext(true).build();
>>>>>         List<String> scopes = new ArrayList<>();
>>>>>         scopes.add("https://MY_SERVICE_CONFIGURATION_NAME");
>>>>>         GoogleCredentials googleCredentials =
>>>>>             Environment.get().computeEngineDefaultCredentials().createScoped(scopes);
>>>>>         return ReporterGrpc.newBlockingStub(channel)
>>>>>             .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>>>>     }
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> *YAML File : API_CONFIG_AUTH.yaml:*
>>>>>
>>>>>
>>>>> # Reporter gRPC API configuration.
>>>>> type: google.api.Service
>>>>> config_version: 3
>>>>>
>>>>> # Name of the service configuration.
>>>>> name: MY_SERVICE_CONFIGURATION_NAME
>>>>>
>>>>> # API title to appear in the user interface (Google Cloud Console).
>>>>> title: Reporter gRPC API
>>>>> apis:
>>>>> - name: reporter.Reporter
>>>>>
>>>>> # API usage restrictions.
>>>>> usage:
>>>>>   rules:
>>>>>   # GenerateReport method can be called without an API Key.
>>>>>   - selector: reporter.Reporter.GenerateReport
>>>>>     allow_unregistered_calls: true
>>>>>
>>>>> # Request authentication.
>>>>> authentication:
>>>>>   providers:
>>>>>   - id: google_service_account
>>>>>     # Replace SERVICE-ACCOUNT-ID with your service account's email address.
>>>>>     issuer: MY_SERVICE_ACCOUNT_ID
>>>>>     jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/MY_SERVICE_ACCOUNT_ID
>>>>>   rules:
>>>>>   # This auth rule will apply to all methods.
>>>>>   - selector: "*"
>>>>>     requirements:
>>>>>       - provider_id: google_service_account
>>>>>
>>>>>
>>>>>
>>>>> *// Error for Version 1: Without scopes*
>>>>>
>>>>>
>>>>> Exception in thread "main" io.grpc.StatusRuntimeException: PERMISSION_DENIED: JWT validation failed: Audience not allowed
>>>>>     at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>>>>     at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>>>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>>>>     at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>>>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>>>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>>>>>
>>>>>
>>>>> *// Error for Version 2: With scopes*
>>>>>
>>>>>
>>>>> Exception in thread "main" io.grpc.StatusRuntimeException: UNAUTHENTICATED
>>>>>     at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>>>>     at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>>>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>>>>     at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>>>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>>>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>>>>> Caused by: java.io.IOException: Error parsing token refresh response. Expected value access_token not found.
>>>>>     at com.google.auth.oauth2.OAuth2Utils.validateString(OAuth2Utils.java:116)
>>>>>     at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:371)
>>>>>     at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149)
>>>>>     at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135)
>>>>>     at io.grpc.auth.GoogleAuthLibraryCallCredentials$1.run(GoogleAuthLibraryCallCredentials.java:95)
>>>>>     at io.grpc.stub.ClientCalls$ThreadlessExecutor.waitAndDrain(ClientCalls.java:575)
>>>>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:120)
>>>>>
>>>>