
I've developed some Google flex endpoints. They work locally, but when I deploy the app (gcloud app deploy) I get an HTTP status 403 Forbidden. I'm using ajax to call the endpoint like this:

var echoEndpoint = function() {
  $.ajax(userBaseUrl+'/echo', {
    headers: {'Authorization': 'Bearer ' + userIdToken},
    type: 'GET',
    data: "key=my special key"
  })
}

I'm protecting the endpoint with an API key and passing the userIdToken in the header. The above code produces the 403 Forbidden. But if I remove the header it works, albeit with no user token. Here is the code that will NOT produce the 403:

var echoEndpoint = function() {
  $.ajax(userBaseUrl+'/echo', {
    type: 'GET',
    data: "key=my special key"
  })
}

Here is the paths section of my openapi.yaml:

paths:
  "/echo":
    get:
      description: "Echo a test message."
      operationId: "echo"
      produces:
      - "application/json"
      responses:
        200:
          description: "Echo"
          schema:
            $ref: "#/definitions/echoMessage"
      x-security:
      - firebase:
          audiences:
          - "my project-id"
....
definitions:
  echoMessage:
    properties:
      message:
        type: "string"

Do I need to specify in my openapi.yaml that I'm sending a header in the request? If so, how and where? I tried to put it in the definitions section, but that yields an INVALID_ARGUMENT error when trying to deploy.

1 Answer

Did you define "firebase" in "securityDefinitions" as shown in this example (https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/appengine/flexible/endpoints/openapi.yaml#L108)?

Limin
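
For reference, an added example (not part of the answer above or of the linked sample) of a `securityDefinitions` entry for Firebase, written with the extension names documented for Cloud Endpoints. `YOUR-PROJECT-ID` is a placeholder, and the path-level `security` form shown here is the currently documented syntax, which differs from the `x-security` block in the question.

```yaml
# Top level of openapi.yaml: tells the Endpoints proxy how to validate
# the JWT that arrives in the "Authorization: Bearer <token>" header.
securityDefinitions:
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    # Firebase ID tokens carry this issuer ("iss") claim.
    x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
    # Public keys used to check the token signature.
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    # Must match the token's audience ("aud") claim, which for Firebase
    # ID tokens is the Firebase project ID.
    x-google-audiences: "YOUR-PROJECT-ID"

paths:
  "/echo":
    get:
      description: "Echo a test message."
      operationId: "echo"
      produces:
      - "application/json"
      responses:
        200:
          description: "Echo"
          schema:
            $ref: "#/definitions/echoMessage"
      # The name here must match a key under securityDefinitions;
      # a scheme that is referenced but not defined cannot be validated.
      security:
      - firebase: []

definitions:
  echoMessage:
    properties:
      message:
        type: "string"
```

The Authorization header itself is not declared as a parameter; the security scheme covers it. If the token's `iss` or `aud` claim does not match the issuer and audience configured here, the proxy rejects the request before it reaches the application.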