
Our API gateway exposes a URL endpoint to load images etc. from a Cloud Run backend service. This URL endpoint is used by a user interface secured by Google's Identity Aware Proxy (IAP). Therefore, all requests to the URL endpoint come from already logged in Google Users.

What security (securityDefinitions) configuration do I have to define for this in the OpenAPI configuration of the API gateway? If I understand correctly, this is the configuration described here.

I tried the following configuration:

```yaml
swagger: '2.0'
info:
  title: xyz-api
  description: XYZ Service
  version: 1.0.0

schemes:
  - https

x-google-backend:
  address: https://CLOUD_RUN
  jwt_audience: https://CLOUD_RUN

security:
  - google_id_token: []

paths:
  /info:
    get:
      summary: Service informations
      description: Returns informations about this service
      operationId: getInfoFromService
      produces:
        - application/json
      responses:
        '200':
          description: Info as JSON
        '400':
          description: Invalid status value

securityDefinitions:
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
```

The API Gateway responds with:

```json
{
  "message": "Jwt is missing",
  "code": 401
}
```

Update

A few more details about the setup:

The UI and API gateway are behind the same Load Balancer with the same domain. The IAP (Identity-Aware Proxy) is enabled for the UI backend. For the API gateway, we used the above configuration without the IAP.

To use the UI, users must log in with their Google User account. The user group is authorized in the IAP as "IAP-secured Web App User".

The UI now tries to load images via https://xyz.app/api/image123456/. This fails.

Since the user login via the IAP was successful for the domain https://xyz.app/, we would expect it to work for the API gateway as well.

Update 2:

As a test, I have activated the IAP for the API gateway. The IAP returns an HTTP 403 error. According to the load balancer log file, these are generated by the "backend" (response_sent_by_backend). This probably means the API gateway.

From my point of view this brings us back to the initial question: What do I have to configure in the OpenAPI configuration of the API gateway to make the access work? In this case via IAP: LB -> IAP -> API GW -> Cloud Run.
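As an added illustration (not code from the question, from Google, or from any answer), the following Python reproduces the checks a gateway configured with the `google_id_token` definition above runs on an incoming request: it consults only the `Authorization: Bearer` header, then compares the token's `iss` against `x-google-issuer`, its `aud` against an allowed list, and its `exp` against the clock. The `x-google-audiences` value and the error messages other than "Jwt is missing" are assumptions; signature verification against `x-google-jwks_uri` is deliberately left out.

```python
import base64
import json
import time

# Mirrors the google_id_token securityDefinition from the question; the
# x-google-audiences value is an assumption (the question's config has none).
SECURITY_DEFINITION = {
    "x-google-issuer": "https://accounts.google.com",
    "x-google-jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "x-google-audiences": "https://xyz.app/api",
}

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
    return raw.rstrip(b"=").decode()

def decode_jwt_claims(token):
    """Return the payload of a compact JWT. The signature is NOT verified here;
    a real gateway verifies it against the keys at x-google-jwks_uri."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def precheck_request(headers, definition=SECURITY_DEFINITION, now=None):
    """Apply the checks the gateway runs before calling the backend.
    Returns (ok, message); messages approximate the gateway's wording."""
    # Only the Authorization header is consulted. An IAP session cookie such as
    # GCP_IAAP_AUTH_TOKEN_* or a misspelt header name counts as no token at all.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if not auth.startswith("Bearer "):
        return False, "Jwt is missing"
    claims = decode_jwt_claims(auth[len("Bearer "):])
    if claims.get("iss") != definition["x-google-issuer"]:
        return False, "Jwt issuer is not configured"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    allowed = definition["x-google-audiences"].split(",")
    if not any(a in allowed for a in auds):
        return False, "Audiences in Jwt are not allowed"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "Jwt is expired"
    return True, "ok"

def make_test_token(claims):
    """Constructed, unsigned token for local tests only (empty signature part)."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."
```

Run `precheck_request` against the headers your UI actually sends (copy them from the browser's network panel): a request carrying only the IAP cookie comes back "Jwt is missing", which is the response seen in the question.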

Ben
  • How do you perform your API Gateway request? Do you have a code sample that generates that request? – guillaume blaquiere Aug 24 '22 at 18:12
  • The request is executed by the user who is currently logged into the browser (UI). Do you want to see this request? – Ben Aug 24 '22 at 19:27
  • Are you sure that you provide the JWT? Did you try with a simple curl? – guillaume blaquiere Aug 24 '22 at 19:37
  • I do not add a JWT manually. Since the UI and the API gateway are addressed by the Load Balancer via the same domain, I would have expected that this login is already done. For example via the stored cookie. I have added more details to the question. – Ben Aug 25 '22 at 10:20
  • There is nothing magic! If you don't set the JWT, or configure your UI framework to add it, it won't be added by itself! – guillaume blaquiere Aug 25 '22 at 11:43
  • A cookie with the name 'GCP_IAAP_AUTH_TOKEN_123' and the JWT token as value is transferred with the image request. Isn't that exactly what is needed? – Ben Aug 25 '22 at 15:31
  • @guillaumeblaquiere: If I try a direct access with curl and a JWT token as follows: `curl -vH "Authovrization: Bearer $(gcloud auth print-identity-token)" https://xyz.app/api/` I get the same response (401: jwt is missing). – Ben Aug 26 '22 at 17:30
  • This [documentation](https://cloud.google.com/endpoints/docs/openapi/troubleshoot-jwt) says: This may happen when deploying ESPv2 in Cloud Run, the flag `--allow-unauthenticated` is not used in gcloud run deploy command. If the flag is not used, the JWT token is intercepted and verified by Cloud Run access control IAM server and not by ESPv2. IAM may use a different issuer than ESPv2. – Roopa M Sep 02 '22 at 08:04
  • And you were trying to get the TOKEN with [`gcloud auth print-identity-token`](https://cloud.google.com/sdk/gcloud/reference/auth/print-identity-token). This command prints an identity token for the specified account. So, this should be a valid JWT, but something is wrong. You are encouraged to get the JWT and [decode](https://jwt.io/) it and check if the data are correct. – Roopa M Sep 02 '22 at 08:08
  • Edit your post and show the client HTTP request. Include relevant HTTP headers and the response. Without that, we can only guess what the client is sending. – John Hanley Apr 04 '23 at 20:59
