
I need to authenticate the GCP API Gateway API with OAuth. When testing with Postman, sending the GET request to the API returns a response saying the JWT is in the wrong format: "Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections"

But the same thing, when tried with a URL like https://firebase.googleapis.com/v1beta1/availableProjects, seems to be working.

Below is the config file for the GCP Gateway:

# openapi2-functions.yaml
swagger: '2.0'
info:
  title: my-api3
  description: Sample API on API Gateway with a Google Cloud Functions backend
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /hello:
    get:
      summary: Greet a user
      operationId: hello
      x-google-backend:
        address: #Function url here
      security:
      - google_id_token: []
      responses:
        '200':
          description: A successful response
          schema:
            type: string
securityDefinitions:
  # This section configures authentication with an Oauth
  google_id_token:
      authorizationUrl: ""
      flow: "implicit"
      type: "oauth2"
      x-google-issuer: "https://accounts.google.com"
      x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
      # Optional. Replace YOUR-CLIENT-ID with your client ID
      x-google-audiences: #client-id

Scopes used: https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/cloudfunctions. The Cloud Function has been made public as well as IAM-authenticated and tested in both scenarios, but the result seems to be the same.

Currently the OAuth client ID is in test mode and not published.

To resolve this I looked at the relevant Stack Overflow article, "Authenticating with Google access token on GCP API Gateway"; there it seems to be mentioned that we can fetch an identity token, but I'm not sure what the identity token is there.

My confusion here is why GCP API Gateway does not authenticate and authorize the request, whereas the call to the Firebase URL, https://firebase.googleapis.com/v1beta1/availableProjects, seems to get authenticated and sends back the response.

In case this architecture does not seem to fit, what is an alternate secure architecture that we can try to overcome this problem? Currently this architecture makes a call to API Gateway, which in turn calls the Cloud Function.

Alternatively, shall I go for sign-in with a Google account or a service account, then get the ID token for the OAuth access and make the Gateway API call, or is there any other option? In case of an alternate architecture, what could be the process flow and services involved?

Christian Baumann
  • Are you sure that is not a Cloud Functions issue instead of an API Gateway authentication issue? – guillaume blaquiere Dec 29 '22 at 09:43
  • Yes, because when I changed the authentication mechanism in the gateway and applied API Key based authentication in place of OAuth authentication, it worked for both the public and the IAM-restricted function. – Ankur Pawar Dec 29 '22 at 16:23
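
An added example (not part of the question or of Google's own code) that makes the quoted error concrete: the gateway's `google_id_token` definition expects a Google ID token, which is a signed JWT with three dot-separated sections, while a Google OAuth2 access token (the opaque `ya29...` string that firebase.googleapis.com accepts) has no such structure. The script below classifies a bearer token and checks the decoded `iss`/`aud` claims against the values from the gateway config; it does not verify the signature (the gateway does that via `x-google-jwks_uri`), the client ID is a placeholder, and both sample tokens are constructed.

```python
import base64
import json
import time

# Values from the gateway config in the question; the client ID is a placeholder
EXPECTED_ISSUER = "https://accounts.google.com"   # x-google-issuer
EXPECTED_AUDIENCE = "YOUR-CLIENT-ID"              # x-google-audiences (placeholder)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_bearer_token(token: str) -> dict:
    """Say whether a bearer token is even parseable as the JWT the gateway expects (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        # This is the case behind "Jwt is not in the form of Header.Payload.Signature":
        # Google OAuth2 access tokens (ya29....) are opaque strings, not JWTs.
        return {"kind": "opaque-access-token", "jwt": False, "problems": ["not 3 dot-separated sections"]}
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"iss {claims.get('iss')!r} != {EXPECTED_ISSUER!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in auds:
        problems.append(f"aud {aud!r} does not include {EXPECTED_AUDIENCE!r}")
    if claims.get("exp", 0) <= time.time():
        problems.append("token expired")
    return {"kind": "id-token", "jwt": True, "alg": header.get("alg"), "problems": problems}


def make_constructed_id_token(iss: str, aud: str, exp: int) -> str:
    """Build an UNSIGNED look-alike ID token for offline testing (constructed, not issued by Google)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    claims = {"iss": iss, "aud": aud, "exp": exp, "email": "user@example.com"}
    return f"{enc(header)}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    # Constructed samples: an opaque access token, then a well-formed ID token
    print(classify_bearer_token("ya29.constructed-opaque-access-token"))
    good = make_constructed_id_token(EXPECTED_ISSUER, EXPECTED_AUDIENCE, int(time.time()) + 3600)
    print(classify_bearer_token(good))
```

A real token to inspect this way can be obtained with `gcloud auth print-identity-token`, which prints an ID token for the active gcloud account; an access token from the same account will be reported as opaque.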

0 Answers