
google.api.Service config seems to require an audience to avoid JWT validation errors #6077

Open
@thomasmburke

Description

@thomasmburke

In which file did you encounter the issue?

Did you change the file? If so, how?

Yes, in the following section of the files:

#
# Request authentication.
#
authentication:
  providers:
  - id: google_service_account
    # Replace SERVICE-ACCOUNT-ID with your service account's email address.
    issuer: SERVICE-ACCOUNT-ID
    jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE-ACCOUNT-ID
  rules:
  # This auth rule will apply to all methods.
  - selector: "*"
    requirements:
      - provider_id: google_service_account

I added an audience field to the config:

#
# Request authentication.
#
authentication:
  providers:
  - id: google_service_account
    # Replace SERVICE-ACCOUNT-ID with your service account's email address.
    issuer: SERVICE-ACCOUNT-ID
    jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE-ACCOUNT-ID
    audiences: DEFAULT_HOSTNAME
  rules:
  # This auth rule will apply to all methods.
  - selector: "*"
    requirements:
      - provider_id: google_service_account

Describe the issue

When using the current api_config_auth.yaml for service-account JWT authentication I continued to get {"message":"Audiences in Jwt are not allowed","code":403}. This error was present regardless of whether the JWT I passed had an audience. I used jwt_token_gen.py to generate the JWTs to pass when reaching out to the API: python3 bookstore_client.py --auth_token JWT_TOKEN --host= DEFAULT_HOSTNAME --port 443 --use_tls true.

To generate a JWT without an audience field I commented out the 'aud' portion of the payload in jwt_token_gen.py. I tried without an audience and with the service name as an audience, and each test produced the same error message. I inspected each JWT in jwt.io to ensure that each JWT claim was as I expected.

Overall, I suspect the google.api.Service spec has a different behavior for expected audiences than the OpenAPI spec (which doesn't require an audience). Adding audiences to the config resolved the issue and allowed me to hit the API with service-account JWT authentication enabled. Willing to create a PR to incorporate audiences: DEFAULT_HOSTNAME if approved 👍
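As an added illustration (not code from this issue, the Endpoints samples, or ESP itself), the following Python validator models the behavior the report describes: with no audiences configured on the provider every token is rejected with the quoted 403, and with audiences set a token is accepted only when its aud claim matches one of them. The HS256 key, the issuer value, and the 401 messages are constructed for the example; real deployments verify RS256 service-account signatures via jwks_uri.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in key. Real Endpoints deployments verify RS256 service-account
# signatures through jwks_uri; HS256 is used here only to keep the example offline.
SECRET = b"constructed-demo-key"
ISSUER = "sa@example.iam.gserviceaccount.com"  # constructed SERVICE-ACCOUNT-ID
PROVIDER_NO_AUD = {"id": "google_service_account", "issuer": ISSUER}
PROVIDER_AUD = {**PROVIDER_NO_AUD, "audiences": "DEFAULT_HOSTNAME"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(issuer: str, aud=None, key: bytes = SECRET) -> str:
    """Build a compact JWT; aud=None leaves the claim out, like commenting out 'aud' in jwt_token_gen.py."""
    now = int(time.time())
    payload = {"iss": issuer, "iat": now, "exp": now + 3600}
    if aud is not None:
        payload["aud"] = aud
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def authenticate(token: str, provider: dict, key: bytes = SECRET) -> tuple:
    """Return (status, body); only the 403 body is taken from the issue, the 401 texts are constructed."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return 401, {"message": "Jwt signature is invalid", "code": 401}
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != provider["issuer"] or claims.get("exp", 0) <= time.time():
        return 401, {"message": "Jwt issuer or expiry is invalid", "code": 401}
    # 'aud' may be a string or a list (RFC 7519); google.api.Service 'audiences' is comma-separated.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    allowed = [a.strip() for a in provider.get("audiences", "").split(",") if a.strip()]
    # No configured audience, or no overlap with it, fails the way the issue reports.
    if not set(aud) & set(allowed):
        return 403, {"message": "Audiences in Jwt are not allowed", "code": 403}
    return 200, {"message": "OK", "code": 200}
```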

Labels

api: auth (Issues related to the Google Authentication API), samples (Issues that are directly related to samples), type: process (A process-related concern. May include testing, release, or the like.)
