Have you looked at the way it's done in the tests here?
https://github.com/grpc/grpc-java/blob/master/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java#L243
and passing Attributes to callCredentials.applyRequestMetadata(method, attrs, executor, applier)?

If you still see issues, I think it's worth reporting here: https://github.com/grpc/grpc-java/issues

On Friday, August 25, 2017 at 6:07:16 AM UTC-7, julie wrote:
>
> I meant We did NOT expect the GoogleAuthLibraryCallCredentials.java to
> overwrite the audience we set.
>
>
> On Friday, August 25, 2017 at 3:02:37 PM UTC+2, julie wrote:
>>
>> Thanks a lot for your comments!
>>
>> *Update on the issue:*
>>
>> We have modified our Client to use ServiceAccountJwtAccessCredentials
>>
>> public static ReporterGrpc.ReporterBlockingStub createReporterStub(String host, int port) throws Exception {
>>   Channel channel = ManagedChannelBuilder.forAddress(host, port).usePlaintext(true).build();
>>   ServiceAccountJwtAccessCredentials serviceAccountJwtAccessCredentials =
>>       Environment.get().computeEngineDefaultCredentials();
>>   return ReporterGrpc.newBlockingStub(channel).withCallCredentials(
>>       new GoogleAuthLibraryCallCredentials(serviceAccountJwtAccessCredentials));
>> }
>>
>> It works but with a change in the class GoogleAuthLibraryCallCredentials.java,
>>
>> https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java
>>
>> Currently the audience that is set by ServiceAccountJwtAccessCredentials
>> is being overwritten by the above line:
>> ReporterGrpc.newBlockingStub(channel).withCallCredentials(new
>> GoogleAuthLibraryCallCredentials(serviceAccountJwtAccessCredentials))
>>
>> So instead of the audience (SERVICE_CONFIGURATION_NAME) that we set, we
>> are obtaining a string like: https://35.195.24.28:80/reporter.Reporter
>>
>> Which is being constructed by
>> https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java#L123
>>
>> After we changed the uri passed to null at:
>> https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java#L98
>> , we were able to point to the right audience:
>>
>> Map<String, List<String>> metadata = creds.getRequestMetadata(uri) ->
>> Map<String, List<String>> metadata = creds.getRequestMetadata(null)
>>
>> Now the ServiceAccountJwtAccessCredentials
>> <https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252>
>> picks up the right audience from this line:
>>
>> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L253
>> <https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252>
>>
>> if (uri == null) {
>>   if (defaultAudience != null) {
>>     uri = defaultAudience;
>>   } else {
>>     ……
>>   }
>> }
>>
>> Is this working as intended or did we miss something? We did expect the
>> GoogleAuthLibraryCallCredentials.java to overwrite the audience we set.
>>
>> We were wondering whether ServiceAccountJwtAccessCredentials class is
>> compatible with CallCredentials class or if there is another wrapper
>> available to pass the ServiceAccountJwtAccessCredentials.
>>
>> On Thursday, August 24, 2017 at 10:27:31 PM UTC+2, [email protected] wrote:
>>>
>>> If you require setting the JWT as an authorization Bearer token in your
>>> request for a given audience, ServiceAccountJwtAccessCredentials is useful.
>>>
>>> The JWT that is created from ServiceAccountCredentials
>>>
>>> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java#L494
>>>
>>> is targeted to creating a JWT that can be provided to retrieve a Google
>>> ID Token (https://developers.google.com/identity/protocols/OpenIDConnect).
>>>
>>> On Thursday, August 24, 2017 at 1:17:55 PM UTC-7, [email protected] wrote:
>>>>
>>>> that's really great to know to use ServiceAccountJwtAccessCredentials.
>>>> but may I ask what's the major diffs
>>>> between ServiceAccountJwtAccessCredentials and ServiceAccountCredentials.
>>>> and in which case we should use ServiceAccountCredentials?
>>>>
>>>> Thanks,
>>>> Jun
>>>>
>>>> On Thursday, August 24, 2017 at 9:49:33 PM UTC+2, [email protected] wrote:
>>>>>
>>>>> https://github.com/google/google-auth-library-java
>>>>> <https://github.com/google/google-auth-library-java>
>>>>> provides a ServiceAccountJwtAccessCredentials you can use.
>>>>>
>>>>> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L204
>>>>>
>>>>> The jwt authorization header is set with this method:
>>>>>
>>>>> https://github.com/google/google-auth-library-java/blob/0d27d88798b299a4eda987171f34292cec73ec6c/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252
>>>>>
>>>>> On Thursday, August 24, 2017 at 10:50:06 AM UTC-7, julie wrote:
>>>>>>
>>>>>> Hi, I'm trying to get my Google Cloud Endpoints project with gRPC
>>>>>> working with an OAuth2.0 authentication provider using GoogleCredentials
>>>>>>
>>>>>> I followed the steps in this tutorial and could make an authenticated
>>>>>> request by generating the jwt token and setting the audience and issuer
>>>>>> etc
>>>>>>
>>>>>> https://cloud.google.com/endpoints/docs/using-service-to-service-authentication-grpc#make_an_authenticated_grpc_call
>>>>>>
>>>>>> But we need to use GoogleCredentials for authentication and I have
>>>>>> tried making the client request in several ways but it did not work out
>>>>>>
>>>>>> Below is the relevant piece of my Client code along with my
>>>>>> api_config_auth.yaml file
>>>>>>
>>>>>> *CLIENT:*
>>>>>>
>>>>>> public class ReporterClient {
>>>>>>
>>>>>>   public static void main(String[] args) throws Exception {
>>>>>>     // Create gRPC stub.
>>>>>>     ReporterGrpc.ReporterBlockingStub reporterBlockingStub =
>>>>>>         createReporterStub(host, port);
>>>>>>     getParams(reporterBlockingStub, domain, type, objectName, data);
>>>>>>   }
>>>>>>
>>>>>>   // Send Request to Server
>>>>>>   public static void getParams(ReporterGrpc.ReporterBlockingStub reporterBlockingStub,
>>>>>>       String domain, String type, String objectName, String data) {
>>>>>>     GenerateReportRequest request = GenerateReportRequest.newBuilder()
>>>>>>         .setDomain(domain).setType(type).setObjectName(objectName).setData(data).build();
>>>>>>     GenerateReportResponse response = reporterBlockingStub.generateReport(request);
>>>>>>   }
>>>>>>
>>>>>>   // Version 1: Without scopes
>>>>>>   public static ReporterGrpc.ReporterBlockingStub createReporterStub(
>>>>>>       String host, int port) throws Exception {
>>>>>>     Channel channel = ManagedChannelBuilder.forAddress(host, port).usePlaintext(true).build();
>>>>>>     GoogleCredentials googleCredentials = Environment.get().computeEngineDefaultCredentials();
>>>>>>     return ReporterGrpc.newBlockingStub(channel)
>>>>>>         .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>>>>>   }
>>>>>>
>>>>>>   // Version 2: With scopes
>>>>>>   public static ReporterGrpc.ReporterBlockingStub createReporterStubTry(
>>>>>>       String host, int port) throws Exception {
>>>>>>     Channel channel = ManagedChannelBuilder.forAddress(host, port).usePlaintext(true).build();
>>>>>>     List<String> scopes = new ArrayList<>();
>>>>>>     scopes.add("https://MY_SERVICE_CONFIGURATION_NAME");
>>>>>>     GoogleCredentials googleCredentials =
>>>>>>         Environment.get().computeEngineDefaultCredentials().createScoped(scopes);
>>>>>>     return ReporterGrpc.newBlockingStub(channel)
>>>>>>         .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>>>>>   }
>>>>>>
>>>>>> }
>>>>>>
>>>>>> *YAML File : API_CONFIG_AUTH.yaml:*
>>>>>>
>>>>>> # Reporter gRPC API configuration.
>>>>>> type: google.api.Service
>>>>>> config_version: 3
>>>>>>
>>>>>> # Name of the service configuration.
>>>>>> name: MY_SERVICE_CONFIGURATION_NAME
>>>>>>
>>>>>> # API title to appear in the user interface (Google Cloud Console).
>>>>>> title: Reporter gRPC API
>>>>>> apis:
>>>>>> - name: reporter.Reporter
>>>>>>
>>>>>> # API usage restrictions.
>>>>>> usage:
>>>>>>   rules:
>>>>>>   # GenerateReport method can be called without an API Key.
>>>>>>   - selector: reporter.Reporter.GenerateReport
>>>>>>     allow_unregistered_calls: true
>>>>>>
>>>>>> # Request authentication.
>>>>>> authentication:
>>>>>>   providers:
>>>>>>   - id: google_service_account
>>>>>>     # Replace SERVICE-ACCOUNT-ID with your service account's email address.
>>>>>>     issuer: MY_SERVICE_ACCOUNT_ID
>>>>>>     jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/MY_SERVICE_ACCOUNT_ID
>>>>>>   rules:
>>>>>>   # This auth rule will apply to all methods.
>>>>>>   - selector: "*"
>>>>>>     requirements:
>>>>>>       - provider_id: google_service_account
>>>>>>
>>>>>> *// Error for Version 1: Without scopes*
>>>>>>
>>>>>> Exception in thread "main" io.grpc.StatusRuntimeException: PERMISSION_DENIED: JWT validation failed: Audience not allowed
>>>>>>   at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>>>>>   at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>>>>>   at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>>>>>>
>>>>>> *// Error for Version 2: With scopes*
>>>>>>
>>>>>> Exception in thread "main" io.grpc.StatusRuntimeException: UNAUTHENTICATED
>>>>>>   at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>>>>>   at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>>>>>   at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>>>>>   at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>>>>>> Caused by: java.io.IOException: Error parsing token refresh response. Expected value access_token not found.
>>>>>>   at com.google.auth.oauth2.OAuth2Utils.validateString(OAuth2Utils.java:116)
>>>>>>   at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:371)
>>>>>>   at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149)
>>>>>>   at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135)
>>>>>>   at io.grpc.auth.GoogleAuthLibraryCallCredentials$1.run(GoogleAuthLibraryCallCredentials.java:95)
>>>>>>   at io.grpc.stub.ClientCalls$ThreadlessExecutor.waitAndDrain(ClientCalls.java:575)
>>>>>>   at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:120)
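
The audience mismatch discussed in this thread can be confirmed offline by decoding the token's "aud" claim and comparing it with the audience the service configuration expects. This is an added example, not code from the thread or from grpc-java: the class and method names are hypothetical, the token is a constructed unsigned sample, and the regex claim lookup is a diagnostic shortcut that does no signature verification.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JwtAudienceCheck {
    // Matches a string-valued "aud" claim; enough for a quick look at a token payload.
    private static final Pattern AUD = Pattern.compile("\"aud\"\\s*:\\s*\"([^\"]*)\"");

    /** Per-call URI in the shape reported in the thread: https://<authority>/<service name>. */
    static String perCallAudience(String authority, String fullMethodName) throws URISyntaxException {
        // A gRPC full method name is "<package.Service>/<Method>"; keep the service part.
        String service = fullMethodName.substring(0, fullMethodName.lastIndexOf('/'));
        return new URI("https", authority, "/" + service, null, null).toString();
    }

    /** Reads "aud" from a compact JWT without verifying it (inspection only). */
    static String audienceOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a compact JWT");
        }
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = AUD.matcher(payload);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder taken from the YAML quoted in the thread.
        String expected = "MY_SERVICE_CONFIGURATION_NAME";
        String derived = perCallAudience("35.195.24.28:80", "reporter.Reporter/GenerateReport");

        // Constructed sample token (not signed) carrying the per-call URI as its audience.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String payload = "{\"iss\":\"MY_SERVICE_ACCOUNT_ID\",\"aud\":\"" + derived + "\"}";
        String jwt = enc.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".sample-not-a-signature";

        String aud = audienceOf(jwt);
        System.out.println("aud in token : " + aud);
        System.out.println("aud expected : " + expected);
        System.out.println(expected.equals(aud) ? "match" : "mismatch");
    }
}
```

With the sample values it reports a mismatch, because the token carries https://35.195.24.28:80/reporter.Reporter rather than the configured service name.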
