
I have created a small Node.js Express application with two routes:

GET /mypublicurl

GET /myprivateurl

and it's running on GKE. I am calling it via Cloud Endpoints. For authentication I'm using Auth0, and I also followed this tutorial from Google. So my openapi.yaml looks like this:

```yaml
...
paths:
  "/mypublicurl":
    get:
      description: "See Hello world"
      responses:
        200:
          description: "Hello World"
  "/myprivateurl":
    get:
      description: "See Hello world secure"
      responses:
        200:
          description: "Hello World"
        401:
          description: "No Auth"
      security:
        - auth0_jwt: []

securityDefinitions:
  auth0_jwt:
    authorizationUrl: ...
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: ...
    x-google-jwks_uri: ...
    x-google-audiences: ...
```

When I try both routes, I can hit both without an Authorization header.

Also, when I put the Bearer token in the Authorization header, it of course still works. Do I have to validate the JWT token in my backend myself for each route, or can Cloud Endpoints do it and I'm just doing something wrong?

Jonas Laux
  • How did you try your URL? With curl? With your browser? If so, did you try in private navigation mode? Or did you test a while after your Cloud Endpoints deployment? Sometimes it takes up to 5 minutes for the new configuration to be taken into account, especially the authorization/security parameters. – guillaume blaquiere Apr 10 '20 at 18:11
  • I mostly tried with Postman. And hours after I deployed this, it's still the same result. – Jonas Laux Apr 10 '20 at 21:50
  • Ok, you didn't tell me where you see this error. On which service? What does Stackdriver tell you? – guillaume blaquiere Apr 11 '20 at 11:29
  • I don't have any error. It's that every API call gets through. I'm calling my GKE container through Cloud Endpoints (http://....cloud.goog/...) and it's always responding. My question is: do I have to check in the backend myself whether the user is authenticated, or does Endpoints do this for me when I put the "security:" object into the path? – Jonas Laux Apr 11 '20 at 14:12
  • I recommend you to follow the [code samples](https://cloud.google.com/endpoints/docs/openapi/authenticating-users-auth0#samples) for the tutorial you are linking. Once it is working for you then adapt them for your Node.js application. – llompalles Apr 14 '20 at 14:52
  • No, I don't want to configure it through an SDK. I want to configure it through the openapi.yaml, and that's already working; I can hit the route. But the authorization is not really working (the OpenAPI tutorial with Endpoints and Auth0 is already linked in the post). – Jonas Laux Apr 15 '20 at 07:55
  • Quoting the tutorial `The Extensible Service Proxy (ESP) validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication.` So I believe the problem is in your `openapi.yaml` file. Could you add a [minimal reproducible example](https://stackoverflow.com/help/minimal-reproducible-example)? – llompalles Apr 16 '20 at 09:23
