Jon Flynn

GCP API Gateway JWT always returning 403

I'm using GCP API Gateway for JWT authentication. After generating a token from my auth service and putting it in Postman, I always receive this response no matter what I put in the 'aud' part of the token:

[screenshot of the 403 response]

Here is my open api file:

# openapi2-run.yaml
swagger: '2.0'
info:
  title: my-gateway-id
  description: Sample API on API Gateway with a Cloud Run backend
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
x-google-backend:
  address: https://my-cloud-run.a.run.app
  jwt_audience: https://my-cloud-run.a.run.app
securityDefinitions:
  jwt_auth:
    authorizationUrl: ''
    flow: 'implicit'
    type: 'oauth2'
    x-google-issuer: '[email protected]'
    x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]'
paths:
  /:
    post:
      security:
        - jwt_auth: []
      summary: GraphQL endpoint
      operationId: gql
      responses:
        '200':
          description: A successful response
          schema:
            type: object

I've looked over and over the docs and can't see what's going on. Thanks in advance.


Donnald Cucharo

You get 403 because the aud in the JWT you've generated is not found in the securityDefinitions of your API config.

To allow additional client IDs to access the backend service, you can specify the allowed client IDs in the x-google-audiences field by using comma-separated values. API Gateway then accepts the JWTs with any of the specified client IDs in the aud claim.

Go here and paste your token to see your JWT "aud" claim. If you generated the ID token using gcloud auth, the aud will most likely be a Client ID like 1234567890.apps.googleusercontent.com. But if you generated the token using your own service, then it would depend on what you've specified as a target audience.

To solve the problem, add the x-google-audiences field in the securityDefinitions section; its value should match your JWT "aud" claim.

Assuming that the aud on your JWT token is a Cloud Run service endpoint, then your API config should look like this. Feel free to check the documentation as additional reference:

x-google-backend:
  address: https://my-cloud-run.a.run.app
securityDefinitions:
  jwt_auth:
    authorizationUrl: ''
    flow: 'implicit'
    type: 'oauth2'
    x-google-issuer: '[email protected]'
    x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]'
    x-google-audiences: 'https://my-cloud-run.a.run.app'

If you have multiple audiences, then it should be a single string separated by a comma. Spaces aren't allowed between the audiences.

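As an added example (not part of the question or the answer), a local check of the diagnosis above: decode the token's aud claim and compare it against an x-google-audiences value using the split rule the answer gives (comma-separated, no spaces). The config value and the tokens are constructed samples; signature verification is left out on purpose, since API Gateway does that against x-google-jwks_uri.

```python
import base64
import json

# Constructed sample value (not from the question); replace with your own config value.
X_GOOGLE_AUDIENCES = "https://my-cloud-run.a.run.app,1234567890.apps.googleusercontent.com"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def allowed_audiences(value: str) -> list:
    """Split x-google-audiences as the answer describes: comma-separated, no spaces.
    A value containing spaces is rejected rather than silently trimmed."""
    if " " in value:
        raise ValueError("x-google-audiences must not contain spaces")
    return [a for a in value.split(",") if a]


def aud_matches(token: str, audiences_value: str):
    """Compare the token's aud claim (a string or a list, per RFC 7519) to the configured
    audiences. Returns (matched, token_aud) so a mismatch can be reported with the real value."""
    aud = jwt_claims(token).get("aud")
    token_auds = aud if isinstance(aud, list) else [aud]
    allowed = set(allowed_audiences(audiences_value))
    return any(a in allowed for a in token_auds), aud


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (empty signature) for this local check only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    good = make_sample_token({"iss": "sa@example", "aud": "https://my-cloud-run.a.run.app"})
    bad = make_sample_token({"iss": "sa@example", "aud": "https://other.example"})
    for t in (good, bad):
        ok, aud = aud_matches(t, X_GOOGLE_AUDIENCES)
        print(f"aud={aud!r}: {'accepted' if ok else 'would get 403 (not in x-google-audiences)'}")
```

Run it against a real token from your auth service in place of the constructed ones; a False result shows exactly which aud value needs to appear in x-google-audiences.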