mdconsulting

Reputation: 3

How to retrieve (Firebase) JWT key for Quarkus native app deployed on Google Cloud Run behind Google API Gateway

I have a Quarkus native app deployed on Google Cloud Run. It uses JWT authentication through Firebase, which seems to be correctly configured, because everything runs fine. However, since I added the Google API Gateway in between, things seem to have gone wrong: I always get a 401 as the response.

Also, when I make requests directly through my front-end, I get a 405 error for "OPTIONS", which also needs to be addressed. The current requests are sent through Postman with a valid Bearer JWT.

The API gateway config was done following this article from the Google docs. I can see my requests in the gateway logs and they are also forwarded to my Quarkus Cloud Run service. There, I can see the following in the logs:

DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-0) SRJWT08019: AuthContextInfo is: JWTAuthContextInfo{publicVerificationKey=null, secretVerificationKey=null, privateDecryptionKey=null, secretDecryptionKey=null, issuedBy='https://securetoken.google.com/<MyCorrectProjectId>', expGracePeriodSecs=0, maxTimeToLiveSecs=null, tokenAge=null, publicKeyLocation='https://www.googleapis.com/service_accounts/v1/jwk/[email protected]', publicKeyContent='null', decryptionKeyLocation='null', decryptionKeyContent='null', jwksRefreshInterval=60, tokenHeader='Authorization', tokenCookie='null', alwaysCheckAuthorization=false, tokenKeyId='null', tokenDecryptionKeyId='null', tokenSchemes=[Bearer], requireNamedPrincipal=true, defaultSubClaim='null', subPath='null', defaultGroupsClaim='null', groupsPath='null', signatureAlgorithm=RS256, keyEncryptionAlgorithm=[RSA_OAEP, RSA_OAEP_256], keyFormat=ANY, keyProvider=DEFAULT, keyCacheSize=100, keyCacheTimeToLive=10, expectedAudience=null, groupsSeparator=' ', relaxVerificationKeyValidation=true, verifyCertificateThumbprint=false, tlsCertificatePath=null, tlsTrustAll=false, tlsTrustedHosts=null, httpProxyHost=null, httpProxyPort=80}

DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-0) SRJWT08043: Trying to create a key DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-0) SRJWT08043: Trying to create a key from the HTTPS JWK(S)
DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-0) SRJWT08026: Trying to create a key from the JWK(S)
DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-0) SRJWT08021: JWK with a matching 'kid' is not available, refreshing HTTPS JWK Set
DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-0) SRJWT08024: Trying to create a key from the HTTPS JWK Set after the refresh
DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-0) SRJWT08026: Trying to create a key from the JWK(S)
DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-0) SRJWT08005: Verification key is unresolvable
DEBUG [io.qua.sma.jwt.run.aut.MpJwtValidator] (vert.x-eventloop-thread-0) Authentication failed: io.smallrye.jwt.auth.principal.ParseException: SRJWT07000: Failed to verify a token
...
Caused by: org.jose4j.lang.UnresolvableKeyException: SRJWT07005: Failed to load a key from https://www.googleapis.com/service_accounts/v1/jwk/[email protected] property while resolving

Nevertheless, I am pretty sure that this address (https://www.googleapis.com/service_accounts/v1/jwk/[email protected]) is correct (well, it works without the API Gateway); I am more worried about the property suffix. For the sake of completeness, I add some information from my Quarkus application.properties:

mp.jwt.verify.issuer=https://securetoken.google.com/<MyCorrectProjectId>
quarkus.ssl.native=true
mp.jwt.verify.publickey.location=https://www.googleapis.com/service_accounts/v1/jwk/[email protected]
mp.jwt.verify.publickey.algorithm=rs256
quarkus.smallrye-jwt.enabled=true
mp.jwt.verify.audience=<MyCorrectProjectId>

Has anyone experienced this issue so far? Many thanks in advance; I am at your disposal for further information.

Upvotes: 0

Views: 138
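
An added diagnostic sketch (not part of the original question, and not Quarkus or SmallRye code): the SRJWT08021 line in the log means the `kid` in the received token's header was not found in the JWK Set, so decoding the token that actually reaches the service, without verifying it, and comparing its `kid`, `alg`, `iss` and `aud` with the configured values shows which setting fails to match. The function names, tokens, key IDs and project ID below are constructed for illustration.

```python
import base64
import json

def _segment(seg: str) -> dict:
    """Decode one base64url JWT segment (padding restored) to a dict."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def diagnose(token: str, jwks: dict, issuer: str, audience: str) -> list:
    """List why a token cannot match the verifier settings.

    Inspection only: the signature is NOT verified, so never use this
    to make an authentication decision.
    """
    token = token.removeprefix("Bearer ").strip()
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWS"]
    header, claims = _segment(parts[0]), _segment(parts[1])
    problems = []
    kids = {key.get("kid") for key in jwks.get("keys", [])}
    if header.get("kid") not in kids:
        problems.append(f"kid {header.get('kid')!r} not in JWK Set")
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}, expected 'RS256'")
    if claims.get("iss") != issuer:
        problems.append(f"iss is {claims.get('iss')!r}, expected {issuer!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud is {aud!r}, expected {audience!r}")
    return problems

def _sample(header: dict, claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"

# Constructed values (placeholders, not taken from the question).
ISSUER = "https://securetoken.google.com/demo-project"
AUDIENCE = "demo-project"
JWKS = {"keys": [{"kid": "key-a", "kty": "RSA"}, {"kid": "key-b", "kty": "RSA"}]}
EXPECTED = _sample({"alg": "RS256", "kid": "key-a"}, {"iss": ISSUER, "aud": AUDIENCE})
OTHER = _sample({"alg": "RS256", "kid": "key-z"},
                {"iss": "https://other-issuer.example", "aud": "https://backend.example"})

if __name__ == "__main__":
    for name, tok in (("expected", EXPECTED), ("other", OTHER)):
        print(name, diagnose("Bearer " + tok, JWKS, ISSUER, AUDIENCE) or "matches configuration")
```

Run it against the `Authorization` value logged at the service and the JSON fetched from the configured `mp.jwt.verify.publickey.location`, and redact the token before sharing any output.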

Answers (0)
