Authenticating to Endpoints (Std env) using the default GAE service account says "401 Method does not allow callers without established identity"

Question   Votes: 0   Answers: 1

I'm trying to create Google Cloud Endpoints in an AppEngine Standard environment service with two authentication methods: apiKey and the default GAE service account.

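  • apiKey authentication is meant for external systems to be able to query the API
  • default GAE authentication is meant for other services (previously called "modules") in the same AppEngine application (XXXX) to connect to the endpoints (e.g. service1-dot-XXXX.appspot.com, in order to make requests to the endpoint in api-dot-XXXX.appspot.com)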

The API key authentication is working fine, but the "service_to_service_gae" authentication gives:

```
401 Method does not allow callers without established identity. Please use an API key or other form of API consumer identity to call this API.
```

I have decorated the endpoints with the following:

```python
import endpoints
from protorpc import remote


@endpoints.api(
    name='widgets',
    version='v1',
    base_path='/api/',
    api_key_required=True,
    allowed_client_ids=['[email protected]'])
class WidgetsApi(remote.Service):
    ...
```

And I call the API with code based on the sample client from github:

```python
# Python 2, App Engine Standard (httplib, urllib.urlencode, app_identity).
import base64
import httplib
import json
import time
import urllib

from google.appengine.api import app_identity

SERVICE_ACCOUNT_EMAIL = '[email protected]'


def generate_jwt():
    """Generates a signed JSON Web Token using the Google App Engine default service account."""
    now = int(time.time())

    header_json = json.dumps({
        "typ": "JWT",
        "alg": "RS256"})

    payload_json = json.dumps({
        "iat": now,
        # expires after one hour.
        "exp": now + 3600,
        # iss is the service account email.
        "iss": SERVICE_ACCOUNT_EMAIL,
        "sub": SERVICE_ACCOUNT_EMAIL,
        "email": SERVICE_ACCOUNT_EMAIL,
        "aud": 'https://api-dot-XXXX.appspot.com',
    })

    header_and_payload = '{}.{}'.format(
        base64.urlsafe_b64encode(header_json),
        base64.urlsafe_b64encode(payload_json))
    # Signed with the app's default service account key.
    (key_name, signature) = app_identity.sign_blob(header_and_payload)
    signed_jwt = '{}.{}'.format(
        header_and_payload,
        base64.urlsafe_b64encode(signature))

    return signed_jwt


def make_request(signed_jwt):
    """Makes a request to the auth info endpoint for Google JWTs."""
    headers = {'Authorization': 'Bearer {}'.format(signed_jwt)}
    conn = httplib.HTTPSConnection('api-dot-XXXX.appspot.com')
    url = '/api/widgets/v1/list'
    conn.request("POST", url, urllib.urlencode({'search': ''}), headers)
    res = conn.getresponse()
    # Read the body before closing the connection.
    body = res.read()
    conn.close()
    return body
```

Did I forget something in the endpoints decorator or any other configuration? Or does the endpoints decorator accept only one authentication method? I would think making calls from service to service within the same GAE standard instance would be straightforward. The sample client is a bit confusing (at least to me); for example, make_request makes a request ('/auth/info/googlejwt') to get the JWT token, but when is the actual endpoint called?

Thanks in advance, and happy new year!

python google-app-engine google-cloud-endpoints
1 Answer

1 vote

When api_key_required is true, you must supply an API key in your request in addition to any JWT.
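
A sketch of a request that carries both credentials, added here as an example and not taken from the question, the answer or the GitHub sample. It is written for Python 3 with the standard library only and assumes the API key travels in the `key` query parameter, where Cloud Endpoints reads it by default; `build_jwt`, `build_request`, `fake_sign_blob`, the placeholder service account and the API key are hypothetical names and constructed values, and on App Engine `app_identity.sign_blob` would be passed as `sign_blob`.

```python
import base64
import json
import time
from urllib.parse import urlencode


def b64url(data):
    """Base64url without '=' padding, as JWS (RFC 7515) specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_jwt(service_account, audience, sign_blob, now=None, lifetime=3600):
    """Build header.payload.signature; sign_blob(bytes) -> (key_name, signature)."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "RS256"}
    payload = {"iat": now, "exp": now + lifetime, "iss": service_account,
               "sub": service_account, "email": service_account,
               "aud": audience}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload))
    _key_name, signature = sign_blob(signing_input.encode("ascii"))
    return signing_input + "." + b64url(signature)


def build_request(path, signed_jwt, api_key):
    """Return (url, headers) carrying both the API key and the JWT."""
    if not api_key:
        # With api_key_required=True a JWT alone is rejected with 401.
        raise ValueError("an API key is required in addition to the JWT")
    url = "{}?{}".format(path, urlencode({"key": api_key}))
    return url, {"Authorization": "Bearer {}".format(signed_jwt)}


def fake_sign_blob(blob):
    """Constructed stand-in so this runs offline; NOT a real RS256 signature."""
    return "constructed-key-name", b"constructed-signature:" + blob[:8]


if __name__ == "__main__":
    token = build_jwt("SERVICE-ACCOUNT@example.invalid",
                      "https://api-dot-XXXX.appspot.com",
                      fake_sign_blob, now=1700000000)
    url, headers = build_request("/api/widgets/v1/list", token,
                                 "CONSTRUCTED_API_KEY")
    print(url)
    print(headers["Authorization"][:48] + "...")
```
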
