I have Cloud Gateway API that connect to Cloud Function.
It worked great with an API key that I generated, but then when I restricted the key to enable access for my specific domain only - example.com, I started to get CORS errors on the client. ( it did worked without domain restriction)
So I enabled CORS in the config file in the Console, the file had no errors, but I still get a CORS error when accessing the API URL from my domain with the key:
https://project-xxxx.uc.gateway.dev/search?key=AIxxxxxxxxx
Config :
swagger: "2.0"
info:
title: projectapi
description: "data api"
version: "1.0.0"
schemes:
- "https"
host: "project-xxxxxxxx.apigateway.xxxxx-xxxxx.cloud.goog"
x-google-endpoints:
- name: "project-xxxxxxxx.apigateway.xxxxx-xxxxx.cloud.goog"
allowCors: True
paths:
"/search":
get:
description: "data"
operationId: "project"
x-google-backend:
address: https://us-central1-projectName.cloudfunctions.net/search
security:
- api_key: [key]
responses:
200:
description: "Success."
schema:
type: string
400:
description: "Invalid"
securityDefinitions:
api_key:
type: "apiKey"
name: "key"
in: "query"
My Cloud Function do allow CORS, and works great if called directly with the link here in the address key.
Why this config wont allow cors for the Gateway ?
Solved !
You must enable the key not only for your domain name, but also for your specific API name from the list, go to APIs & Services => Credentials => API keys => your key => API restrictions => choose your API name from the list !
This allow access to a Function from a specific domain - without using a Balancer.
I am trying to set up a GraqphQL Server, on Cloud Functions, and I want to set up an API Gateway to handle authentication with auth0 and jwt....
I have it working from the tutorial, the problem is it always requires a JWT token, where as I want some GraphQL queries to be available publicly, and if the user signs in they get more access...
From my understanding the way you do this is by using two authentications in the security settings, where one is the JWT and one is empty, however the API Gateway seems to always want the JWT token... Here is my open API spec, maybe someone has an idea?
swagger: '2.0'
info:
title: <redacted>-graphql-api
description: Basic GraphQL Open APISchema
version: 1.0.0
schemes:
- https
produces:
- application/json
securityDefinitions:
auth0_jwk:
authorizationUrl: "<redacted>"
flow: "implicit"
type: "oauth2"
# Replace YOUR-ACCOUNT-NAME with your Auth0 account name.
x-google-issuer: "<redacted>"
x-google-jwks_uri: "<redacted>"
# Optional. Replace YOUR-CLIENT-ID with your client ID
x-google-audiences: "<redacted>"
paths:
/:
post:
summary: GraphQL endpoint
operationId: gql
x-google-backend:
address: <redacted> # App URL/endpoint
responses:
'200':
description: A successful response
schema:
type: object
security:
- {}
- auth0_jwk: []
get:
summary: GraphQL Playground
operationId: playground
x-google-backend:
address: <redacted> # App URL/endpoint
responses:
'200':
description: A successful response
schema:
type: string
I'm using gcp api gateway for JWT authentication. after generating a token from my auth service and then putting it in postman I always receive this response no matter what I put in the 'aud' part of the token:
Here is my open api file:
# openapi2-run.yaml
swagger: '2.0'
info:
title: my-gateway-id
description: Sample API on API Gateway with a Cloud Run backend
version: 1.0.0
schemes:
- https
produces:
- application/json
x-google-backend:
address: https://my-cloud-run.a.run.app
jwt_audience: https://my-cloud-run.a.run.app
securityDefinitions:
jwt_auth:
authorizationUrl: ''
flow: 'implicit'
type: 'oauth2'
x-google-issuer: 'id-admin#my-project.iam.gserviceaccount.com'
x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/id-admin#my-project.iam.gserviceaccount.com'
paths:
/:
post:
security:
- jwt_auth: []
summary: GraphQL endpoint
operationId: gql
responses:
'200':
description: A successful response
schema:
type: object
I've looked over and over the docs and can't see what's going on? thanks in advance.
You get 403 because the aud on the JWT token you've generated is not found on securityDefinitions of your API config.
To allow additional client IDs to access the backend service, you can specify the allowed client IDs in the x-google-audiences field by using comma-separated values. API Gateway then accepts the JWTs with any of the specified client IDs in the aud claim.
Go here and paste your token to see your JWT "aud" claim. If you generated the ID token using gcloud auth, the aud will most likely be a Client ID like 1234567890.apps.googleusercontent.com. But if you generated the token using your own service, then it would depend on what you've specified as a target audience.
To solve the problem, add x-google-audiences field on the securityDefinitions section and the value should match with your JWT "aud" claim.
Assuming that the aud on your JWT token is a Cloud Run service endpoint, then your API config should look like this. Feel free to check the documentation as additional reference:
x-google-backend:
address: https://my-cloud-run.a.run.app
securityDefinitions:
jwt_auth:
authorizationUrl: ''
flow: 'implicit'
type: 'oauth2'
x-google-issuer: 'id-admin#my-project.iam.gserviceaccount.com'
x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/id-admin#my-project.iam.gserviceaccount.com'
x-google-audiences: 'https://my-cloud-run.a.run.app'
If you have multiple audiences, then it should be a single string separated by a comma. Spaces aren't allowed between the audiences.
Im trying to parse the event log with convertfrom-string but unable to get the result. the event and code is below.
$string=#'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,4768,Microsoft-Windows-Security-Auditing,,Audit Success,PAD.Local,Kerberos Authentication Service,,A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: SQLSVC Supplied Realm Name: PAD User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'#
$temp=#'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,{EventID*:4768},Microsoft-Windows-Security-Auditing,,{Type:Audit Success},{ServerName:PAD.Local},Kerberos Authentication Service,,{Ticket:A Kerberos authentication ticket (TGT) was requested.} Account Information: {ACName:Account Name: SQLSVC} Supplied Realm Name: {Domain:PAD} User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'#
$string |ConvertFrom-String -TemplateContent $temp
expected output is :
Eventid Type ServerName ..etc
4768 Audit Success PAD.Local
You can give multiple example to your patern for a better analyse :
$string=#'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,4768,Microsoft-Windows-Security-Auditing,,Audit Success,PAD.Local,Kerberos Authentication Service,,A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: SQLSVC Supplied Realm Name: PAD User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'#
$temp=#'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,{EventID*:4768},Microsoft-Windows-Security-Auditing,,{Type:Audit Success},{ServerName:PAD.Local},Kerberos Authentication Service,,{Ticket:A Kerberos authentication ticket (TGT) was requested.} Account Information: {ACName:Account Name: SQLSVC} Supplied Realm Name: {Domain:PAD} User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,{EventID*:1},Microsoft-Windows-Security-Auditing,,{Type:Audit Success 2},{ServerName:XXXXX},Kerberos Authentication Service,,{Ticket:A Kerberos authentication ticket (TGT) was requested.} Account Information: {ACName:Account Name: dddddd} Supplied Realm Name: {Domain:XXXXXX} User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'#
$string |ConvertFrom-String -TemplateContent $temp
I am using Google ESP and on an endpoint I have authorisation with Auth0 like so:
securityDefinitions:
auth0_jwk:
authorizationUrl: "AUTH_URL"
flow: "implicit"
type: "oauth2"
x-google-issuer: "AUTHO_URL"
x-google-jwks_uri: "AUTH0_JWKS_URL"
x-google-audiences: "AUTH0_AUDIENCE"
paths:
/pluginviewservice/v1:
post:
summary: Submits a page to be analysed with auth.
operationId: pluginviewservicev1
x-google-backend:
address: APP_ENGINE_URL
path_translation: CONSTANT_ADDRESS
responses:
'200':
description: A successful response
schema:
type: string
x-security:
- {}
- auth0_jwk:
audiences:
- "AUTH0_AUDIENCE"
However what I want is, when the auth0 access token is available it populates "X-Endpoint-API-UserInfo", and when it isn't it lets it through anyway. The endpoint is designed to be accessible both to authorised and unauthorised users. I have tried adding a blank "x-security" as seen above, but that does not seem to work.