【Posted】: 2021-10-28 16:36:44
【Problem description】:
I am trying to protect several Cloud Run services with GCP API Gateway, integrated with Firebase JWT auth. At first I tried protecting just one API with the following schema, and everything worked fine:
# openapi2-run.yaml
swagger: '2.0'
info:
  title: memsy-gateway
  description: Sample API on API Gateway with a Cloud Run backend
  version: 1.0.0
schemes:
  - https
consumes:
  - application/json
produces:
  - application/json
x-google-backend:
  address: https://mnemonic-api-staging-ue.a.run.app
securityDefinitions:
  jwt_auth:
    authorizationUrl: ''
    flow: 'implicit'
    type: 'oauth2'
    x-google-issuer: 'https://securetoken.google.com/the-journey-method'
    x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com'
    x-google-audiences: 'the-journey-method, https://mnemonic-api-staging-ue.a.run.app'
paths:
  /mnemonic-api:
    post:
      security:
        - jwt_auth: []
      summary: Mnemonic API
      operationId: mnemonics
      parameters:
        - in: body
          name: input
          description: string to process
          schema:
            $ref: '#/definitions/InputString'
      responses:
        '200':
          description: A successful response
          schema:
            type: object
        '400':
          description: invalid input, object invalid
    options:
      operationId: create-cors
      responses:
        '200':
          description: Success
definitions:
  InputString:
    type: object
    properties:
      input:
        type: string
      title:
        type: string
    required:
      - input
      - title
Then I tried to protect two services with the following schema, but now I get 404 errors on the paths in the config. I can also reach the backends via their Cloud Run URLs without any JWT token, so I am wondering what is wrong with my configuration?
# openapi2-run.yaml
swagger: '2.0'
info:
  title: memsy-gateway
  description: Sample API on API Gateway with a Cloud Run backend
  version: 1.0.0
schemes:
  - https
consumes:
  - application/json
produces:
  - application/json
securityDefinitions:
  jwt_auth:
    authorizationUrl: ''
    flow: 'implicit'
    type: 'oauth2'
    x-google-issuer: 'https://securetoken.google.com/the-journey-method'
    x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com'
    x-google-audiences: 'the-journey-method, https://mnemonic-api-staging-ue.a.run.app, https://backend-dql-flask-uc.a.run.app'
paths:
  /mnemonic-api:
    post:
      security:
        - jwt_auth: []
      summary: Mnemonic API
      operationId: mnemonics
      x-google-backend:
        address: https://mnemonic-api-staging-ue.a.run.app
      parameters:
        - in: body
          name: input
          description: string to process
          schema:
            $ref: '#/definitions/InputString'
      responses:
        '200':
          description: A successful response
          schema:
            type: object
        '400':
          description: invalid input, object invalid
    options:
      operationId: create-cors
      responses:
        '200':
          description: Success
  /dql/deleteFolder:
    post:
      security:
        - jwt_auth: []
      summary: Dql
      operationId: deleteFolder
      x-google-backend:
        address: https://backend-dql-flask-uc.a.run.app
      parameters:
        - in: body
          name: input
          description: user and id strings
          schema:
            $ref: '#/definitions/Dql'
      responses:
        '200':
          description: A successful response
          schema:
            type: object
        '400':
          description: invalid input, object invalid
    options:
      operationId: create-cors-dql
      responses:
        '200':
          description: Success
definitions:
  InputString:
    type: object
    properties:
      input:
        type: string
      title:
        type: string
    required:
      - input
      - title
  Dql:
    type: object
    properties:
      user:
        type: string
      id:
        type: string
    required:
      - user
      - id
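Added example, not part of the question or of any comment on this page: a small Python lint over the second spec, embedded below as a trimmed Python dict (constructed from the YAML above) so it runs offline without a YAML parser. It checks for a gateway-side cause of the 404 that the question does not mention: when x-google-backend moves from the top level of the document to an individual operation, API Gateway's default path_translation changes from APPEND_PATH_TO_ADDRESS to CONSTANT_ADDRESS, so the backend receives POST / instead of POST /dql/deleteFolder. It also flags operations that now have no backend at all (the CORS OPTIONS handlers lost the top-level default), non-OPTIONS operations that do not require jwt_auth, and a Firebase issuer whose project id is missing from x-google-audiences. The function names lint_spec, fix_spec and audiences and the finding codes are my own, not anything from API Gateway.

```python
import copy

# Constructed example: a trimmed copy of the second openapi2-run.yaml from the
# question, written as a Python dict so the script runs without a YAML parser.
SPEC = {
    "swagger": "2.0",
    "securityDefinitions": {
        "jwt_auth": {
            "type": "oauth2",
            "flow": "implicit",
            "authorizationUrl": "",
            "x-google-issuer": "https://securetoken.google.com/the-journey-method",
            "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com",
            "x-google-audiences": "the-journey-method, https://mnemonic-api-staging-ue.a.run.app, https://backend-dql-flask-uc.a.run.app",
        }
    },
    "paths": {
        "/mnemonic-api": {
            "post": {
                "operationId": "mnemonics",
                "security": [{"jwt_auth": []}],
                "x-google-backend": {"address": "https://mnemonic-api-staging-ue.a.run.app"},
            },
            "options": {"operationId": "create-cors"},
        },
        "/dql/deleteFolder": {
            "post": {
                "operationId": "deleteFolder",
                "security": [{"jwt_auth": []}],
                "x-google-backend": {"address": "https://backend-dql-flask-uc.a.run.app"},
            },
            "options": {"operationId": "create-cors-dql"},
        },
    },
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
FIREBASE_ISSUER_PREFIX = "https://securetoken.google.com/"


def audiences(spec):
    """Set of accepted JWT audiences; x-google-audiences is one comma-separated string."""
    out = set()
    for sd in spec.get("securityDefinitions", {}).values():
        out.update(a.strip() for a in sd.get("x-google-audiences", "").split(",") if a.strip())
    return out


def lint_spec(spec):
    """Return (location, item, code) findings; codes are this script's own names."""
    findings = []
    auds = audiences(spec)
    # Firebase ID tokens carry aud = <project id>, the suffix of the securetoken issuer,
    # so that project id must be an accepted audience or every token is rejected.
    for name, sd in spec.get("securityDefinitions", {}).items():
        issuer = sd.get("x-google-issuer", "")
        if issuer.startswith(FIREBASE_ISSUER_PREFIX) and issuer[len(FIREBASE_ISSUER_PREFIX):] not in auds:
            findings.append(("securityDefinitions", name, "firebase-project-not-in-audiences"))
    top_backend = spec.get("x-google-backend")
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method not in HTTP_METHODS:
                continue
            backend = op.get("x-google-backend", top_backend)
            if backend is None:
                # Nothing at the operation or top level: this route has no target.
                findings.append((path, method, "no-backend"))
            elif "x-google-backend" in op and "path_translation" not in backend:
                # Operation-level x-google-backend defaults to CONSTANT_ADDRESS, so the
                # gateway calls the bare address (POST /) instead of address + path, and
                # a backend that routes on /dql/deleteFolder answers 404.
                findings.append((path, method, "constant-address-default"))
            # Browsers send CORS preflight without credentials, so OPTIONS stays open;
            # every other operation must require the JWT or it bypasses auth.
            if method != "options" and not op.get("security"):
                findings.append((path, method, "no-jwt-required"))
    return findings


def fix_spec(spec):
    """Copy of spec with explicit APPEND_PATH_TO_ADDRESS and a backend on every operation."""
    fixed = copy.deepcopy(spec)
    top_backend = fixed.get("x-google-backend")
    for ops in fixed.get("paths", {}).values():
        # Reuse the first backend declared on this path (or the top-level one) for
        # sibling operations such as the CORS OPTIONS handler that declare none.
        sibling = next((o["x-google-backend"] for m, o in ops.items()
                        if m in HTTP_METHODS and "x-google-backend" in o), top_backend)
        for method, op in ops.items():
            if method not in HTTP_METHODS:
                continue
            if "x-google-backend" not in op and sibling is not None:
                op["x-google-backend"] = copy.deepcopy(sibling)
            if "x-google-backend" in op:
                op["x-google-backend"].setdefault("path_translation", "APPEND_PATH_TO_ADDRESS")
    return fixed


if __name__ == "__main__":
    for finding in lint_spec(SPEC):
        print(finding)
    print("after fix:", lint_spec(fix_spec(SPEC)))
```

Run as-is, the lint reports constant-address-default for both POST operations and no-backend for both OPTIONS operations, and nothing after fix_spec. The second symptom in the question is outside the spec: API Gateway only validates JWTs on requests that pass through it, so a Cloud Run service whose IAM policy still grants roles/run.invoker to allUsers remains callable at its *.run.app URL with no token. The usual fix is to remove that binding and grant run.invoker only to the service account the gateway's API config uses to call its backends.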
【Discussion】:
- If you have entries, could you check what the logs on Cloud Run show? Also, could you share the intended target endpoint for each definition?
- There is nothing in the logs. As for the endpoints, they are just the paths at the end of the gateway URL, right? For example: my-gateway.ue.gateway.dev/mnemonic-api and my-gateway.ue.gateway.dev/dql/deleteFolder.
- What URL are you requesting on the API Gateway?
- I would like to understand whether 'my-gateway.ue.gateway.dev/mnemonic-api' and 'my-gateway.ue.gateway.dev/dql/deleteFolder' are your exact URL endpoints, or whether you have redacted the project-specific details for privacy? You need to use the project-specific URL, something like 'my-gateway-XXXXXXXX.ue.gateway.dev',
- Yes, I just removed them for privacy; in practice I am using the correct ones.
Tags: google-cloud-platform firebase-authentication aws-api-gateway google-cloud-run api-gateway