Hi Btw, would it be possible to have the gRPC client on AppEngine? ManagedChannelBuilder is not supported in AppEngine restricted environment. We're wondering if https://cloud.google.com/endpoints/docs/grpc/transcoding is the right way to go. something like we build a HTTP/JSON request on AppEngine to call a gRPC backend.
Thanks, Jun On Friday, August 25, 2017 at 11:09:06 PM UTC+2, [email protected] wrote: > > > Have you looked at the way its done in the tests here ? > > https://github.com/grpc/grpc-java/blob/master/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java#L243 > > and passing Attributes to callCredentials.applyRequestMetadata(method, > attrs, executor, applier) ? > > If you still see issues, I think its worth reporting here : > https://github.com/grpc/grpc-java/issues > > On Friday, August 25, 2017 at 6:07:16 AM UTC-7, julie wrote: >> >> I meant We did NOT expect the GoogleAuthLibraryCallCredentials.java to >> overwrite the audience we set. >> >> >> On Friday, August 25, 2017 at 3:02:37 PM UTC+2, julie wrote: >>> >>> Thanks a lot for your comments! >>> >>> >>> *Update on the issue:* >>> >>> >>> We have modified our Client to use ServiceAccountJwtAccessCredentials >>> >>> >>> public static ReporterGrpc.ReporterBlockingStub createReporterStub( >>> String host, int port) throws Exception { >>> >>> Channel channel = ManagedChannelBuilder.forAddress(host, port). >>> usePlaintext(true).build(); >>> >>> ServiceAccountJwtAccessCredentials serviceAccountJwtAccessCredentials >>> = Environment.get().computeEngineDefaultCredentials(); >>> >>> return ReporterGrpc.newBlockingStub(channel).withCallCredentials( >>> >>> new GoogleAuthLibraryCallCredentials( >>> serviceAccountJwtAccessCredentials)); >>> >>> } >>> >>> >>> >>> It works but with a change in the class >>> GoogleAuthLibraryCallCredentials.java , >>> >>> >>> https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java >>> >>> >>> Currently the audience that is set by ServiceAccountJwtAccessCredentials >>> is being overwritten by the above line: >>> ReporterGrpc.*newBlockingStub*(channel).withCallCredentials(new >>> GoogleAuthLibraryCallCredentials(serviceAccountJwtAccessCredentials)) >>> >>> >>> So instead of the audience (SERVICE_CONFIGURATION_NAME) that we set, we >>> are obtaining a string like : https://35.195.24.28:80/reporter.Reporter >>> >>> Which is being constructed by >>> https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java#L123 >>> >>> >>> After we changed the uri passed to null at : >>> https://github.com/grpc/grpc-java/blob/master/auth/src/main/java/io/grpc/auth/GoogleAuthLibraryCallCredentials.java#L98 >>> , we were able to point to the right audience: >>> >>> >>> Map<String, List<String>> metadata = creds.getRequestMetadata(uri) -> >>> Map<String, List<String>> metadata = creds.getRequestMetadata(null) >>> >>> >>> Now the ServiceAccountJwtAccessCredentials >>> <https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252> >>> picks >>> up the right audience from this line: >>> >>> >>> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L25 >>> >>> <https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252> >>> 3 >>> >>> >>> if (uri == null) { >>> if (defaultAudience != null) { >>> uri = defaultAudience; >>> } else { >>> …… >>> } >>> } >>> >>> >>> >>> Is this working as intended or did we miss something? We did expect the >>> GoogleAuthLibraryCallCredentials.java to overwrite the audience we set. >>> >>> We were wondering whether ServiceAccountJwtAccessCredentials class is >>> compatible with CallCredentials class or if there is another wrapper >>> available to pass the ServiceAccountJwtAccessCredentials. >>> >>> >>> >>> >>> >>> On Thursday, August 24, 2017 at 10:27:31 PM UTC+2, [email protected] >>> wrote: >>>> >>>> >>>> If you require setting the JWT as an authorization Bearer token in your >>>> request for a given audience, ServiceAccountJwtAccessCredentials is >>>> useful. >>>> >>>> The JWT that is created from ServiceAccountCredentials >>>> >>>> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java#L494 >>>> >>>> : is targeted to creating a JWT that can be provided to retrieve a Google >>>> ID Token(https://developers.google.com/identity/protocols/OpenIDConnect >>>> ). >>>> >>>> On Thursday, August 24, 2017 at 1:17:55 PM UTC-7, [email protected] >>>> wrote: >>>>> >>>>> >>>>> that's really great to know to use ServiceAccountJwtAccessCredentials. >>>>> but may I ask what's the major diffs >>>>> between ServiceAccountJwtAccessCredentials and ServiceAccountCredentials. >>>>> and in which case we should use ServiceAccountCredentials? >>>>> >>>>> Thanks, >>>>> Jun >>>>> >>>>> On Thursday, August 24, 2017 at 9:49:33 PM UTC+2, [email protected] >>>>> wrote: >>>>>> >>>>>> https://github.com/google/google-auth-library-java >>>>>> <https://github.com/google/google-auth-library-java> >>>>>> provides a ServiceAccountJwtAccessCredentials you can use. >>>>>> >>>>>> >>>>>> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L204 >>>>>> >>>>>> The jwt authorization header is set with this method : >>>>>> >>>>>> https://github.com/google/google-auth-library-java/blob/0d27d88798b299a4eda987171f34292cec73ec6c/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252 >>>>>> >>>>>> >>>>>> On Thursday, August 24, 2017 at 10:50:06 AM UTC-7, julie wrote: >>>>>>> >>>>>>> Hi, I'm trying to get my Google Cloud Endpoints project with gRPC >>>>>>> working with an OAuth2.0 authentication provider using GoogleCredentials >>>>>>> >>>>>>> >>>>>>> I followed the steps in this tutorial and could make an >>>>>>> authenticated request by generating the jwt token and setting the >>>>>>> audience >>>>>>> and issuer etc >>>>>>> >>>>>>> >>>>>>> https://cloud.google.com/endpoints/docs/using-service-to-service-authentication-grpc#make_an_authenticated_grpc_call >>>>>>> >>>>>>> >>>>>>> But we need to use GoogleCredentials for authentication and I have >>>>>>> tried making the client request in several ways but it did not work out >>>>>>> >>>>>>> Below is the relevant piece of my Client code along with my >>>>>>> api_config_auth.yaml file >>>>>>> >>>>>>> >>>>>>> *CLIENT:* >>>>>>> >>>>>>> >>>>>>> public class ReporterClient { >>>>>>> >>>>>>> public static void main(String[] args) throws Exception { >>>>>>> >>>>>>> // Create gRPC stub. >>>>>>> >>>>>>> ReporterGrpc.ReporterBlockingStub reporterBlockingStub = >>>>>>> createReporterStub(host, port); >>>>>>> >>>>>>> getParams(reporterBlockingStub, domain, type, objectName, data); >>>>>>> >>>>>>> } >>>>>>> >>>>>>> // Send Request to Server >>>>>>> >>>>>>> public static void getParams(ReporterGrpc.ReporterBlockingStub >>>>>>> reporterBlockingStub,String domain, String type, String objectName, >>>>>>> String data) { >>>>>>> >>>>>>> GenerateReportRequest request = GenerateReportRequest. >>>>>>> newBuilder().setDomain(domain).setType(type).setObjectName( >>>>>>> objectName).setData(data).build(); >>>>>>> >>>>>>> GenerateReportResponse response = reporterBlockingStub. >>>>>>> generateReport(request); >>>>>>> >>>>>>> } >>>>>>> >>>>>>> // Version 1: Without scopes >>>>>>> >>>>>>> public static ReporterGrpc.ReporterBlockingStub createReporterStub >>>>>>> (String host, int port) throws Exception { >>>>>>> >>>>>>> Channel channel = ManagedChannelBuilder.forAddress(host, port). >>>>>>> usePlaintext(true).build(); >>>>>>> >>>>>>> GoogleCredentials googleCredentials = Environment.get(). >>>>>>> computeEngineDefaultCredentials(); >>>>>>> >>>>>>> return ReporterGrpc.newBlockingStub(channel) >>>>>>> >>>>>>> .withCallCredentials(MoreCallCredentials >>>>>>> >>>>>>> .from(googleCredentials)); >>>>>>> >>>>>>> } >>>>>>> >>>>>>> // Version 2: With scopes >>>>>>> >>>>>>> public static ReporterGrpc.ReporterBlockingStub >>>>>>> createReporterStubTry(String host, int port) throws Exception { >>>>>>> >>>>>>> Channel channel = ManagedChannelBuilder.forAddress(host, port). >>>>>>> usePlaintext(true).build(); >>>>>>> >>>>>>> List<String> scopes = new ArrayList<>(); >>>>>>> >>>>>>> scopes.add("https://MY_SERVICE_CONFIGURATION_NAME”); >>>>>>> >>>>>>> GoogleCredentials googleCredentials = >>>>>>> Environment.get().computeEngineDefaultCredentials().createScoped(scopes); >>>>>>> >>>>>>> return ReporterGrpc.newBlockingStub(channel) >>>>>>> >>>>>>> .withCallCredentials(MoreCallCredentials >>>>>>> >>>>>>> .from(googleCredentials)); >>>>>>> } >>>>>>> >>>>>>> } >>>>>>> >>>>>>> >>>>>>> >>>>>>> *YAML File : API_CONFIG_AUTH.yaml:* >>>>>>> >>>>>>> >>>>>>> # Reporter gRPC API configuration. >>>>>>> >>>>>>> type: google.api.Service >>>>>>> >>>>>>> config_version: 3 >>>>>>> >>>>>>> # Name of the service configuration. >>>>>>> >>>>>>> name: MY_SERVICE_CONFIGURATION_NAME >>>>>>> >>>>>>> # API title to appear in the user interface (Google Cloud Console). >>>>>>> >>>>>>> title: Reporter gRPC API >>>>>>> >>>>>>> apis: >>>>>>> >>>>>>> - name: reporter.Reporter >>>>>>> >>>>>>> # API usage restrictions. >>>>>>> >>>>>>> usage: >>>>>>> >>>>>>> rules: >>>>>>> >>>>>>> # GenerateReport method can be called without an API Key. >>>>>>> >>>>>>> - selector: reporter.Reporter.GenerateReport >>>>>>> >>>>>>> allow_unregistered_calls: true >>>>>>> >>>>>>> # Request authentication. >>>>>>> >>>>>>> authentication: >>>>>>> >>>>>>> providers: >>>>>>> >>>>>>> - id: google_service_account >>>>>>> >>>>>>> # Replace SERVICE-ACCOUNT-ID with your service account's email >>>>>>> address. >>>>>>> >>>>>>> issuer: MY_SERVICE_ACCOUNT_ID >>>>>>> >>>>>>> jwks_uri: https:// >>>>>>> www.googleapis.com/robot/v1/metadata/x509/MY_SERVICE_ACCOUNT_ID >>>>>>> >>>>>>> rules: >>>>>>> >>>>>>> # This auth rule will apply to all methods. >>>>>>> >>>>>>> - selector: "*" >>>>>>> >>>>>>> requirements: >>>>>>> - provider_id: google_service_account >>>>>>> >>>>>>> >>>>>>> >>>>>>> *// Error for Version 1: Without scopes* >>>>>>> >>>>>>> >>>>>>> Exception in thread "main" io.grpc.StatusRuntimeException: >>>>>>> PERMISSION_DENIED: JWT validation failed: Audience not allowed >>>>>>> >>>>>>> at >>>>>>> io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212) >>>>>>> >>>>>>> at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193) >>>>>>> >>>>>>> at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126) >>>>>>> >>>>>>> at >>>>>>> com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138) >>>>>>> >>>>>>> at >>>>>>> com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143) >>>>>>> >>>>>>> at >>>>>>> com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118) >>>>>>> >>>>>>> >>>>>>> *// Error for Version 2: With scopes* >>>>>>> >>>>>>> >>>>>>> Exception in thread "main" io.grpc.StatusRuntimeException: >>>>>>> UNAUTHENTICATED >>>>>>> >>>>>>> at >>>>>>> io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212) >>>>>>> >>>>>>> at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193) >>>>>>> >>>>>>> at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126) >>>>>>> >>>>>>> at >>>>>>> com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138) >>>>>>> >>>>>>> at >>>>>>> com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143) >>>>>>> >>>>>>> at >>>>>>> com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118) >>>>>>> >>>>>>> Caused by: java.io.IOException: Error parsing token refresh >>>>>>> response. Expected value access_token not found. >>>>>>> >>>>>>> at >>>>>>> com.google.auth.oauth2.OAuth2Utils.validateString(OAuth2Utils.java:116) >>>>>>> >>>>>>> at >>>>>>> com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:371) >>>>>>> >>>>>>> at >>>>>>> com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149) >>>>>>> >>>>>>> at >>>>>>> com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135) >>>>>>> >>>>>>> at >>>>>>> io.grpc.auth.GoogleAuthLibraryCallCredentials$1.run(GoogleAuthLibraryCallCredentials.java:95) >>>>>>> >>>>>>> at >>>>>>> io.grpc.stub.ClientCalls$ThreadlessExecutor.waitAndDrain(ClientCalls.java:575) >>>>>>> >>>>>>> at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:120) >>>>>>> >>>>>> -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/grpc-io. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/b6b5ec56-bcca-47b5-a37f-83b7c3a35ee0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
