Google API Gateway: Authorization header not forwarded
I have a Google Cloud API gateway deployed to send requests to a cloud run service.
The cloud run service hosts a laravel docker container image and to authenticate with my authenticated pages, I need to send an Authorization header (Authorization: Bearer my-user-token-here).
When I send the request directly to the cloud run service, I am able to get the response I need with the Authorization header set. But, when I send the request through the api gateway, I always get an unauthenticated message showing the header is missing in the api request to the cloud run. I am not sure of this though.
I can't find any useful documentation on google cloud api gateway to suggest whether cloud run drops the header.
I am also not sure whether the error is from the openapi.yaml. So far I realized I cannot use the v3 of the openapi documentation but rather v2, as api gateway does not support v2. In the v2 of the openapi docs, the securityDefinitions don't support an Authorization header Bearer token but instead support Authorization header basic.
My OpenAPI yaml:
# openapi2-run.yaml
swagger: "2.0"
info:
  title: my-api
  description: my custom api
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
consumes:
  - application/json
x-google-backend:
  address: https://some-cloud-run-url
basePath: /api
host: my-api.nw.gateway.dev
x-google-endpoints:
  - name: "my-api.nw.gateway.dev"
    allowCors: True
paths:
  /user:
    get:
      summary: Requested user details.
      operationId: UserDetails
      responses:
        "200":
          description: Return Requested User Details.
          schema:
            type: string
        "default":
          description: Unexpected error
The surprising fact is that if I send the request either locally or directly to the cloud run, it works and I get no authentication error, but when I use the api-gateway, then I get the error. So I am guessing it has to do with the header going missing when the request reaches the cloud run, probably because the yaml definition I have here does not have an authorization header.
3 answers
Actually you can ignore it by setting disable_auth in x-google-backend. The document is not in Google gateway, but in Google Endpoints, as follows:
https://cloud.google.com/endpoints/docs/openapi/openapi-extensions
The document says:
When configuring your target backend, you may not want to use IAP or IAM to authenticate requests from ESPv2 if either of these conditions apply:
The backend should allow unauthenticated invocations.
The backend requires the original Authorization header from the API client and cannot use X-Forwarded-Authorization (described in the jwt_audience section).
So in your particular case, you just need to modify a single block like this:
And it will work like a charm.
Beware that once you decide to do the authorization yourself, you cannot set the securityDefinitions in the gateway config. The GCP gateway will throw 401 if you do this.
We have an API gateway instance which sends requests to cloud functions.
If any incoming requests have an Authorization header, the gateway maps the header details into an X-Forwarded-Authorization header in the request to the cloud function. I assume it's the same for requests to Cloud Run. I don't have any experience with Laravel to know if it has options to look in the forwarded header, though.
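To tie the two answers above together: the first answer's "single block" snippet did not survive on this page, and the second answer describes where the original header ends up by default. The following is an added example, not the asker's file, the answerers' snippet, or code from Google: it is the asker's OpenAPI document with the disable_auth setting the first answer refers to, plus comments describing the X-Forwarded-Authorization mapping the second answer refers to. The backend address and host are the placeholders from the question.

```yaml
# openapi2-run.yaml (added example; address and host are the question's placeholders)
swagger: "2.0"
info:
  title: my-api
  description: my custom api
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
consumes:
  - application/json
host: my-api.nw.gateway.dev
basePath: /api
x-google-endpoints:
  - name: "my-api.nw.gateway.dev"
    allowCors: True
x-google-backend:
  address: https://some-cloud-run-url
  # Default behaviour (disable_auth: false): the gateway authenticates to the
  # backend with its own ID token in the Authorization header and moves the
  # client's original Authorization value to X-Forwarded-Authorization, which
  # is why a Laravel app reading only Authorization sees the wrong token.
  #
  # disable_auth: true: the gateway sends no identity of its own and passes
  # the client's Authorization header through untouched. The Cloud Run
  # service must then allow unauthenticated invocations (the first condition
  # quoted from the Endpoints docs), and the Laravel app is the only layer
  # validating the bearer token.
  disable_auth: true
# Per the first answer: do not add securityDefinitions when the backend does
# its own authorization, or the gateway answers 401 before the request
# reaches Cloud Run.
paths:
  /user:
    get:
      summary: Requested user details.
      operationId: UserDetails
      responses:
        "200":
          description: Return Requested User Details.
          schema:
            type: string
        "default":
          description: Unexpected error
```

The trade-off to keep in mind: with disable_auth set to true, nothing in front of the Cloud Run service proves a request came through the gateway, so the application must validate the bearer token on every request and cannot rely on the gateway for access control. The alternative the second answer points at, leaving disable_auth at its default, keeping the Cloud Run service set to require authentication, and having the application read the user's token from X-Forwarded-Authorization, keeps the service reachable only by the gateway's identity; which of the two fits depends on whether the Laravel app can be changed.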
Able to solve it using the snippet below as mentioned by payon.
Attaching a screenshot with the working syntax.