"version 1" was already likely using JWT. gRPC's MoreCallCredentials.from() tries to convert any ServiceAccountCredentials to a ServiceAccountJwtAccessCredentials. This is possible as long as there aren't scopes set.
"version 1"'s failure of "PERMISSION_DENIED: JWT validation failed: Audience not allowed" looks like it came from the remote server. It didn't like the JWT for some reason. "version 2"'s "Error parsing token refresh response. Expected value access_token not found." failed locally while trying to obtain an OAuth access token. It wasn't even able to send a request to the OAuth server.

Based on another part of this thread I think I see what is wrong, but I'll reply directly to that email.

On Thu, Aug 24, 2017 at 12:49 PM, jishaa via grpc.io <[email protected]> wrote:

> https://github.com/google/google-auth-library-java
> provides a ServiceAccountJwtAccessCredentials you can use.
>
> https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L204
>
> The jwt authorization header is set with this method:
> https://github.com/google/google-auth-library-java/blob/0d27d88798b299a4eda987171f34292cec73ec6c/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java#L252
>
> On Thursday, August 24, 2017 at 10:50:06 AM UTC-7, julie wrote:
>>
>> Hi, I'm trying to get my Google Cloud Endpoints project with gRPC working
>> with an OAuth2.0 authentication provider using GoogleCredentials
>>
>> I followed the steps in this tutorial and could make an authenticated
>> request by generating the jwt token and setting the audience and issuer etc
>>
>> https://cloud.google.com/endpoints/docs/using-service-to-service-authentication-grpc#make_an_authenticated_grpc_call
>>
>> But we need to use GoogleCredentials for authentication and I have tried
>> making the client request in several ways but it did not work out
>>
>> Below is the relevant piece of my Client code along with my
>> api_config_auth.yaml file
>>
>> *CLIENT:*
>>
>> public class ReporterClient {
>>
>>     public static void main(String[] args) throws Exception {
>>         // Create gRPC stub.
>>         ReporterGrpc.ReporterBlockingStub reporterBlockingStub =
>>             createReporterStub(host, port);
>>         getParams(reporterBlockingStub, domain, type, objectName, data);
>>     }
>>
>>     // Send Request to Server
>>     public static void getParams(ReporterGrpc.ReporterBlockingStub reporterBlockingStub,
>>             String domain, String type, String objectName, String data) {
>>         GenerateReportRequest request = GenerateReportRequest.newBuilder()
>>             .setDomain(domain).setType(type).setObjectName(objectName).setData(data)
>>             .build();
>>         GenerateReportResponse response = reporterBlockingStub.generateReport(request);
>>     }
>>
>>     // Version 1: Without scopes
>>     public static ReporterGrpc.ReporterBlockingStub createReporterStub(
>>             String host, int port) throws Exception {
>>         Channel channel = ManagedChannelBuilder.forAddress(host, port)
>>             .usePlaintext(true).build();
>>         GoogleCredentials googleCredentials =
>>             Environment.get().computeEngineDefaultCredentials();
>>         return ReporterGrpc.newBlockingStub(channel)
>>             .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>     }
>>
>>     // Version 2: With scopes
>>     public static ReporterGrpc.ReporterBlockingStub createReporterStubTry(
>>             String host, int port) throws Exception {
>>         Channel channel = ManagedChannelBuilder.forAddress(host, port)
>>             .usePlaintext(true).build();
>>         List<String> scopes = new ArrayList<>();
>>         scopes.add("https://MY_SERVICE_CONFIGURATION_NAME");
>>         GoogleCredentials googleCredentials =
>>             Environment.get().computeEngineDefaultCredentials().createScoped(scopes);
>>         return ReporterGrpc.newBlockingStub(channel)
>>             .withCallCredentials(MoreCallCredentials.from(googleCredentials));
>>     }
>> }
>>
>> *YAML File : API_CONFIG_AUTH.yaml:*
>>
>> # Reporter gRPC API configuration.
>> type: google.api.Service
>> config_version: 3
>>
>> # Name of the service configuration.
>> name: MY_SERVICE_CONFIGURATION_NAME
>>
>> # API title to appear in the user interface (Google Cloud Console).
>> title: Reporter gRPC API
>> apis:
>> - name: reporter.Reporter
>>
>> # API usage restrictions.
>> usage:
>>   rules:
>>   # GenerateReport method can be called without an API Key.
>>   - selector: reporter.Reporter.GenerateReport
>>     allow_unregistered_calls: true
>>
>> # Request authentication.
>> authentication:
>>   providers:
>>   - id: google_service_account
>>     # Replace SERVICE-ACCOUNT-ID with your service account's email address.
>>     issuer: MY_SERVICE_ACCOUNT_ID
>>     jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/MY_SERVICE_ACCOUNT_ID
>>   rules:
>>   # This auth rule will apply to all methods.
>>   - selector: "*"
>>     requirements:
>>     - provider_id: google_service_account
>>
>> *// Error for Version 1: Without scopes*
>>
>> Exception in thread "main" io.grpc.StatusRuntimeException: PERMISSION_DENIED: JWT validation failed: Audience not allowed
>>     at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>     at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>>
>> *// Error for Version 2: With scopes*
>>
>> Exception in thread "main" io.grpc.StatusRuntimeException: UNAUTHENTICATED
>>     at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:212)
>>     at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:193)
>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:126)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterGrpc$ReporterBlockingStub.generateReport(ReporterGrpc.java:138)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.getParams(ReporterClient.java:143)
>>     at com.soliduslink.vault.reporter.endpoints.ReporterClient.main(ReporterClient.java:118)
>> Caused by: java.io.IOException: Error parsing token refresh response. Expected value access_token not found.
>>     at com.google.auth.oauth2.OAuth2Utils.validateString(OAuth2Utils.java:116)
>>     at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:371)
>>     at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149)
>>     at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135)
>>     at io.grpc.auth.GoogleAuthLibraryCallCredentials$1.run(GoogleAuthLibraryCallCredentials.java:95)
>>     at io.grpc.stub.ClientCalls$ThreadlessExecutor.waitAndDrain(ClientCalls.java:575)
>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:120)
--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/CA%2B4M1oPaSfBHHejZ7oqvhmAQJdn2Nu%2B9tkYUyU-ngWoXjAmgfA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
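Added example, not part of the original thread and not code from gRPC or google-auth-library-java: a small diagnostic for the "Audience not allowed" rejection discussed above, which decodes a JWT's claims locally and compares the `aud` claim with the audience the server is expected to accept. The class name, the sample token and the allowed audience `https://MY_SERVICE_CONFIGURATION_NAME` are assumptions made for illustration; the signature is not verified.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper: inspect the "aud" claim of a JWT without verifying it.
public class JwtAudienceCheck {

    // Matches "aud":"x" or "aud":["x","y"]. Enough for the flat claim sets of
    // service-account JWTs; not a general JSON parser (no escape handling).
    private static final Pattern AUD =
        Pattern.compile("\"aud\"\\s*:\\s*(\\[[^\\]]*\\]|\"[^\"]*\")");
    private static final Pattern STR = Pattern.compile("\"([^\"]*)\"");

    static List<String> audiences(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected header.payload.signature");
        }
        // JWT segments are base64url; Java's decoder accepts missing padding.
        String payload = new String(
            Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        List<String> result = new ArrayList<>();
        Matcher aud = AUD.matcher(payload);
        if (aud.find()) {
            Matcher s = STR.matcher(aud.group(1));
            while (s.find()) {
                result.add(s.group(1));
            }
        }
        return result;
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        // Constructed, unsigned sample token; every value is a placeholder.
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String claims = "{\"iss\":\"MY_SERVICE_ACCOUNT_ID\","
            + "\"aud\":\"https://example.invalid/reporter.Reporter\"}";
        String jwt = enc.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
            + enc.encodeToString(claims.getBytes(StandardCharsets.UTF_8)) + ".sig";
        // Assumption: the server accepts only this audience.
        String allowed = "https://MY_SERVICE_CONFIGURATION_NAME";
        List<String> aud = audiences(jwt);
        System.out.println("aud=" + aud + " allowed=" + aud.contains(allowed));
    }
}
```

With the constructed token the audience does not match the assumed allowed value, which is the situation a server reports as an audience rejection.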
