
Standard Endpoints V2 and Auth0 security

Stack Overflow user
Asked on 2017-08-27 08:24:55
Answers: 1 · Views: 425 · Followers: 0 · Votes: 0

I am trying to use Google Endpoints v2 with Python on App Engine standard together with Auth0, but if I follow the documentation all the endpoints end up public and open. I have tried the following options and obtained the following results:

Alternative 1:

In my endpoints class:

import endpoints
from protorpc import remote

@endpoints.api(name='ganadero', version='v1', api_key_required=True,
               audiences={'auth0_jwk': ['ganadero-api.endpoints.XXXX.appspot.com', 'https://YYYYY.es', 'https://ZZZZZ.eu.auth0.com/api/v2/']},
               issuers={'auth0_jwk': endpoints.Issuer('https://ZZZZZ.eu.auth0.com',
                                                      'https://ZZZZZ.eu.auth0.com/.well-known/jwks.json')})
class GanaderoAPI(remote.Service):
    pass  # API methods omitted in the question

I compile it with the following command:

python lib/endpoints/endpointscfg.py get_openapi_spec main.GanaderoAPI --hostname ganadero-api.endpoints.XXXX.appspot.com

My ganaderoV1openapi.json is the following:

    "/ganadero/v1/ganadero/ususarios": {
      "get": {
        "operationId": "GanaderoAPI_obtenerExplotaciones",
        "parameters": [
          {
            "format": "int64",
            "in": "query",
            "name": "identificador",
            "type": "string"
          },
          {
            "in": "query",
            "name": "nombre",
            "type": "string"
          },
          {
            "in": "query",
            "name": "email",
            "type": "string"
          },
          {
            "in": "query",
            "name": "metadatoEmail",
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "A successful response",
            "schema": {
              "$ref": "#/definitions/MainMensajeUsuario"
            }
          }
        },
        "security": [
          {
            "api_key": [],
            "auth0_jwk": []
          }
        ],
        "x-security": [
          {
            "auth0_jwk": {
              "audiences": [
                "ganadero-api.endpoints.XXXXX.appspot.com",
                "https://YYYYY.es",
                "https://ZZZZZ.eu.auth0.com/api/v2/"
              ]
            }
          }
        ]
      }
    }
  },
  "produces": [
    "application/json"
  ],
  "schemes": [
    "http"
  ],
  "securityDefinitions": {
    "api_key": {
      "in": "query",
      "name": "key",
      "type": "apiKey"
    },
    "auth0_jwk": {
      "authorizationUrl": "",
      "flow": "implicit",
      "type": "oauth2",
      "x-google-issuer": "https://ZZZZZ.eu.auth0.com",
      "x-google-jwks_uri": "https://ZZZZZ.eu.auth0.com/.well-known/jwks.json"
    }
  },
  "swagger": "2.0"
}

Next, I run the following command:

gcloud service-management deploy ganaderov1openapi.json
Waiting for async operation operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:c1195c3a-9a3f-4c0d-86fa-21f40a8a647e to complete...
Operation finished successfully. The following command can describe the Operation details:
 gcloud service-management operations describe operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:c1195c3a-9a3f-4c0d-86fa-21f40a8a647e
Waiting for async operation operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r2 to complete...
Operation finished successfully. The following command can describe the Operation details:
 gcloud service-management operations describe operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r2

Service Configuration [2017-08-27r2] uploaded for service [ganadero-api.endpoints.XXXXX.appspot.com]

To manage your API, go to: https://console.cloud.google.com/endpoints/api/ganadero-api.endpoints.XXXXX.appspot.com/overview?project=ganadero-146707

Next, I run:

gcloud app deploy -v endpoint

Now my endpoints are deployed. But the problem is that I always have to use the API key in the URL. The documentation says I can use "x-api-key" in the header, but that does not function. In addition, I have to send the Auth0 access_token in the header, in the following form:

Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlFqbEdNVVEzTkRCR09FUkJPRGxCUTBSR1JUZzJPVUl4UkRjeU0wRXpRVFUwTUVReVEwRkVSQSJ9.eyJpc3MiOiJodHRwczovL3NlcmVuby5ldS5hdXRoMC5jb20vIiwic3ViIjoiWDdDR1dPbkpSczg4ZFdRbjV0eUZtdjVodk5BQ1d6TTNAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vZ2FuYWRlcm8uZXMiLCJleHAiOjE1MDM4MzMzMjIsImlhdCI6MTUwMzc0NjkyMiwic2NvcGUiOiIifQ.k0rnc58YfLfAxjQJ7T22jViVAL0-CPqAmOTYSVKUtzDGTvmhrMqLXYYQb35nEsr3uGDfnkUL4O1g3pQkamdKIzz1gstcl_NaizchwtUfl0Wr60_MAP4PH1yyqb5aH7Jn6gBvJPb-aFDCulkHhCq9OjWg9-qLgyO4hd1_F-U4Jq3SMSDrCVyrsZcjJiwhgUmAWmqIuy_fiKCS3CJHF_rnTL3ZIYxfvzPasVzLPPM93vD5mZR8sEhuN1l0AHGprcp4gf0nuLHcMK8ZbYXvcmJyelbIRkGkrLZJFZTUlWKh-4N3nKoZDUVR4JFwTlOXCR8coTTa7JctxZNU9_NqeIeRfg

But if I put &key=AIzasd0Z4t-8GasfardfXDqrcKIki6CIog in the URL, the token is not necessary. If I only add the authorization token in the header, or add the x-api-key "API-KEY", or add both, the following error always appears:

401 Method doesn't allow callers without established identity. Please use an API key or another form of API consumer identity to call this API.

Only the following form works:

https://XXXX/_ah/api/ganadero/v1/ganadero/documentos?idExplotacion=5668600916475904&key=AIzaSyD0Z4t-V8as345bzLz2XDqrcKIki6CIog

Alternative 2:

In my endpoints class:

import endpoints
from protorpc import remote

@endpoints.api(name='ganadero', version='v1',
               audiences={'auth0_jwk': ['ganadero-api.endpoints.XXXX.appspot.com', 'https://YYYYY.es', 'https://ZZZZZ.eu.auth0.com/api/v2/']},
               issuers={'auth0_jwk': endpoints.Issuer('https://ZZZZZ.eu.auth0.com',
                                                      'https://ZZZZZ.eu.auth0.com/.well-known/jwks.json')})
class GanaderoAPI(remote.Service):
    pass  # API methods omitted in the question

I compile it with the following command:

python lib/endpoints/endpointscfg.py get_openapi_spec main.GanaderoAPI --hostname ganadero-api.endpoints.XXXX.appspot.com

My ganaderov1openapi.json is the following:

    "/ganadero/v1/ganadero/ususarios": {
      "get": {
        "operationId": "GanaderoAPI_obtenerExplotaciones",
        "parameters": [
          {
            "format": "int64",
            "in": "query",
            "name": "identificador",
            "type": "string"
          },
          {
            "in": "query",
            "name": "nombre",
            "type": "string"
          },
          {
            "in": "query",
            "name": "email",
            "type": "string"
          },
          {
            "in": "query",
            "name": "metadatoEmail",
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "A successful response",
            "schema": {
              "$ref": "#/definitions/MainMensajeUsuario"
            }
          }
        },
        "security": [
          {
            "auth0_jwk": []
          }
        ],
        "x-security": [
          {
            "auth0_jwk": {
              "audiences": [
                "https://YYYYY.es",
                "https://ZZZZZ.eu.auth0.com/api/v2/"
              ]
            }
          }
        ]
      }
    }
  },
  "produces": [
    "application/json"
  ],
  "schemes": [
    "http"
  ],
  "securityDefinitions": {
    "auth0_jwk": {
      "authorizationUrl": "",
      "flow": "implicit",
      "type": "oauth2",
      "x-google-issuer": "https://ZZZZZ.eu.auth0.com",
      "x-google-jwks_uri": "https://ZZZZZ.eu.auth0.com/.well-known/jwks.json"
    }
  },
  "swagger": "2.0"
}

Next, I run the following command:

gcloud service-management deploy ganaderov1openapi.json

Waiting for async operation operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:b669eef3-97a3-430a-aacc-4a721ebc0db2 to complete...
Operation finished successfully. The following command can describe the Operation details:
 gcloud service-management operations describe operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:b669eef3-97a3-430a-aacc-4a721ebc0db2
WARNING: ganaderov1openapi.json: Operation 'delete' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'put' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/animales': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/compraVenta': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/compraventa': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'delete' in path '/ganadero/v1/ganadero/documento': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/documento': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/documentos': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/explotacion': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/usuario': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/ususarios': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
Waiting for async operation operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r1 to complete...
Operation finished successfully. The following command can describe the Operation details:
 gcloud service-management operations describe operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r1

Service Configuration [2017-08-27r1] uploaded for service [ganadero-api.endpoints.XXXXX.appspot.com]

To manage your API, go to: https://console.cloud.google.com/endpoints/api/ganadero-api.endpoints.XXXXX.appspot.com/overview?project=ganadero-146707

Next, I run:

gcloud app deploy -v endpoint

Now my endpoints are deployed and open to everyone. You can access them freely. There is no security on them.

https://XXXX/_ah/api/ganadero/v1/ganadero/documentos?idExplotacion=5668600916475904

Alternative 3:

In my endpoints class:

import endpoints
from protorpc import remote

@endpoints.api(name='ganadero', version='v1',
               issuers={'auth0_jwk': endpoints.Issuer('https://ZZZZZ.eu.auth0.com',
                                                      'https://ZZZZZ.eu.auth0.com/.well-known/jwks.json')})
class GanaderoAPI(remote.Service):
    pass  # API methods omitted in the question

I compile it with the following command:

python lib/endpoints/endpointscfg.py get_openapi_spec main.GanaderoAPI --hostname ganadero-api.endpoints.XXXX.appspot.com

My openapi.json is the following:

    "/ganadero/v1/ganadero/ususarios": {
      "get": {
        "operationId": "GanaderoAPI_obtenerExplotaciones",
        "parameters": [
          {
            "format": "int64",
            "in": "query",
            "name": "identificador",
            "type": "string"
          },
          {
            "in": "query",
            "name": "nombre",
            "type": "string"
          },
          {
            "in": "query",
            "name": "email",
            "type": "string"
          },
          {
            "in": "query",
            "name": "metadatoEmail",
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "A successful response",
            "schema": {
              "$ref": "#/definitions/MainMensajeUsuario"
            }
          }
        }
      }
    }
  },
  "produces": [
    "application/json"
  ],
  "schemes": [
    "http"
  ],
  "securityDefinitions": {
    "auth0_jwk": {
      "authorizationUrl": "",
      "flow": "implicit",
      "type": "oauth2",
      "x-google-issuer": "https://ZZZZZ.eu.auth0.com",
      "x-google-jwks_uri": "https://ZZZZZ.eu.auth0.com/.well-known/jwks.json"
    }
  },
  "swagger": "2.0"
}

Next, I run the following command:

gcloud service-management deploy ganaderov1openapi.json
Waiting for async operation operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:66091d01-910d-485d-af58-1a68a2dd2321 to complete...
Operation finished successfully. The following command can describe the Operation details:
 gcloud service-management operations describe operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:66091d01-910d-485d-af58-1a68a2dd2321
WARNING: ganaderov1openapi.json: Operation 'delete' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'put' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/animales': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/compraVenta': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/compraventa': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'delete' in path '/ganadero/v1/ganadero/documento': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/documento': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/documentos': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/explotacion': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/usuario': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/ususarios': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
Waiting for async operation operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r3 to complete...
Operation finished successfully. The following command can describe the Operation details:
 gcloud service-management operations describe operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r3

Service Configuration [2017-08-27r3] uploaded for service [ganadero-api.endpoints.XXXXX.appspot.com]

To manage your API, go to: https://console.cloud.google.com/endpoints/api/ganadero-api.endpoints.XXXXX.appspot.com/overview?project=ganadero-146707

Next, I run:

gcloud app deploy -v endpoint

Now my endpoints are deployed and open to everyone. You can access them freely. There is no security on them.

https://XXXX/_ah/api/ganadero/v1/ganadero/documentos?idExplotacion=5668600916475904

1 Answer

Stack Overflow user

Posted on 2017-08-28 21:55:19

Specifying the audiences and issuers controls which kinds of authorization the framework will consider valid. However, it does not by itself require that valid authorization be present.

The Endpoints Frameworks documentation has three steps for Auth0; the third step is to check the result of endpoints.get_current_user() in every method where you want to enforce authentication.

This isn't exactly ideal, but that's how it is for now.

Votes: 0
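An added example (not code from the question, the answer or Google's Endpoints Frameworks) of the third step the answer describes, factored into a decorator so the check cannot be left off a method; it also reproduces the question's failure mode by keeping one method unguarded. The names require_user, UnauthorizedError, fake_get_current_user, set_caller and the GanaderoAPI method names are assumptions; in a real service you would pass endpoints.get_current_user and endpoints.UnauthorizedException to require_user.

```python
"""Enforce the caller check from the answer's step three on every method."""
import functools
import threading


class UnauthorizedError(Exception):
    """Stand-in (assumed name) for endpoints.UnauthorizedException, which
    Endpoints Frameworks turns into an HTTP 401 response."""


def require_user(get_current_user, unauthorized=UnauthorizedError):
    """Build a decorator that refuses calls with no validated principal.

    get_current_user: zero-argument callable returning the authenticated
    caller or None. In a real service this is endpoints.get_current_user(),
    which is only populated when the bearer token matched the configured
    issuers/audiences; configuring those alone never rejects anonymous calls.
    """
    def decorator(method):
        @functools.wraps(method)
        def wrapper(self, request, *args, **kwargs):
            user = get_current_user()
            if user is None:
                raise unauthorized('Invalid or missing token.')
            return method(self, request, *args, **kwargs)
        return wrapper
    return decorator


# --- Constructed stand-in for the request-scoped caller (not on the page) ---
_CALLER = threading.local()


def fake_get_current_user():
    """Return whatever set_caller() stored for this thread, or None."""
    return getattr(_CALLER, 'user', None)


def set_caller(user):
    """Simulate the framework having validated (or not) a bearer token."""
    _CALLER.user = user


class GanaderoAPI(object):
    """Mirrors the question's service: the open method is the bug the
    question describes, the guarded one applies the answer's third step."""

    def obtener_explotaciones_open(self, request):
        return {'explotaciones': ['finca-1'], 'caller': fake_get_current_user()}

    @require_user(fake_get_current_user)
    def obtener_explotaciones(self, request):
        return {'explotaciones': ['finca-1'], 'caller': fake_get_current_user()}


def demo():
    """Exercise both methods as an anonymous and as an authenticated caller."""
    api = GanaderoAPI()
    results = {}
    set_caller(None)                       # no (valid) token on the request
    results['open_anonymous'] = api.obtener_explotaciones_open({})['explotaciones']
    try:
        api.obtener_explotaciones({})
        results['guarded_anonymous'] = 'allowed'
    except UnauthorizedError:
        results['guarded_anonymous'] = '401'
    set_caller('auth0|user123')            # token validated by the framework
    results['guarded_authenticated'] = api.obtener_explotaciones({})['caller']
    return results


if __name__ == '__main__':
    print(demo())
```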
Original content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain translation engine.
Original link: https://stackoverflow.com/questions/45903035
