
I have a JWT token that I want to validate with the OpenAPI YAML security definition for a Google endpoint. But it is checking only the token from the same issuer and audience. I don't see this checking anything else. So anyone with the same issuer and audience is allowed to call the endpoint. I want to restrict it for my tenant, maybe with the client id/secret, as it will be unique. I tried with the details mentioned in https://auth0.com/docs/integrations/google-cloud-endpoints. When tried with password or application, it still allows a user with the same issuer and audience although the scopes are different. I want to restrict it for my tenant. How can I do that?

        security:
          - auth0_jwt:
              - openid
              - profile
              - email

    securityDefinitions:
      auth0_jwt:
        tokenUrl: https://domain_name/oauth/token
        flow: application
        type: oauth2
        x-google-issuer: https://domain_name/
        x-google-jwkuri: https://jwks_uri
        x-google-audiences: https://audience_name/
        scopes:
          openid: test
          profile: test
          email: test

In the above code, `security` is written inside the path, the same as mentioned in the above link. Also I have a question regarding the claims. How do I validate claims in a token for a Google endpoint using the OpenAPI YAML?

user
  • Please, if the below answer was helpful consider upvoting it; if it answered your question you may mark it as an accepted answer. If both, please do both :) Thanks! – sllopis Sep 09 '20 at 06:26

1 Answer

Cloud Endpoint performs only authentication and not authorization. To achieve authorization checks, you have to implement the process in your API. In my company, we usually use Firestore to store and retrieve the link between the user email and their profiles (authorization).

guillaume blaquiere
  • Thanks for your reply. But when we say authentication, how will the flow with 'application' type work? It's not working in my case. Any user with the same audience and issuer is allowed. My basic use case is allowing only my tenant. How can I achieve that? – user Sep 07 '20 at 03:14
  • Yes, only the validity of the token is checked (JWT signature against the OIDC public key); this means: "Ok, the OIDC has correctly identified the user, the token is correctly signed with the private key, it's a valid user, go ahead". Not the content (audience, scope,...) which are part of the authorization. – guillaume blaquiere Sep 07 '20 at 08:23
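As an added illustration of the answer above (example code, not from the question, the answer, Auth0 or Google), here is the shape of the tenant check that has to live in the API itself once ESP has verified the signature, issuer and audience. It assumes the ESP behaviour of forwarding the verified JWT claims to the backend as a base64url-encoded JSON document in the `X-Endpoint-API-UserInfo` header, and it treats the `azp` (authorized party) claim as the client id that identifies a tenant and the `scope` claim as the granted scopes; the claim values and the allowed client ids are constructed sample data, and the framework-free `handle_request` stands in for a real route handler.

```python
import base64
import json

# Constructed sample claims, shaped like an access token for the question's
# setup: every tenant shares the issuer and audience, so the only things that
# distinguish tenants are the client id the token was issued to (azp) and the
# granted scopes. Assumed claim names; adjust to what your issuer emits.
SAMPLE_CLAIMS = {
    "iss": "https://domain_name/",
    "aud": "https://audience_name/",
    "sub": "auth0|user-123",
    "azp": "tenant-a-client-id",
    "scope": "openid profile email",
    "exp": 1600000000,
}


def encode_userinfo(claims):
    """Build the header value the way ESP does: base64url JSON, no padding.

    Used here only to construct test input; a real request arrives with this
    header already set by the proxy."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_userinfo(header_value):
    """Parse X-Endpoint-API-UserInfo, tolerating missing base64url padding."""
    padded = header_value + "=" * (-len(header_value) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def authorize(claims, allowed_client_ids, required_scopes):
    """Authorization decision the API must make itself.

    ESP only proves the token is valid for the configured issuer/audience;
    restricting callers to one tenant (by client id) and to the scopes the
    endpoint needs is done here. Returns (allowed, reason)."""
    azp = claims.get("azp")
    if azp not in allowed_client_ids:
        return False, f"client {azp!r} is not an allowed tenant"
    granted = set(claims.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, f"missing scopes: {sorted(missing)}"
    return True, "ok"


def handle_request(headers, allowed_client_ids, required_scopes=("openid", "email")):
    """Simulated route handler sitting behind ESP.

    Returns an (http_status, message) pair: 401 when no authenticated caller
    was forwarded, 400 when the user-info header is unparseable, 403 when the
    caller is authenticated but not authorized, 200 otherwise."""
    header_value = headers.get("X-Endpoint-API-UserInfo")
    if not header_value:
        return 401, "no authenticated caller"
    try:
        claims = decode_userinfo(header_value)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return 400, "malformed user info"
    ok, reason = authorize(claims, allowed_client_ids, required_scopes)
    return (200, "ok") if ok else (403, reason)


if __name__ == "__main__":
    request_headers = {"X-Endpoint-API-UserInfo": encode_userinfo(SAMPLE_CLAIMS)}
    print(handle_request(request_headers, {"tenant-a-client-id"}))   # tenant A allowed
    print(handle_request(request_headers, {"tenant-b-client-id"}))   # same iss/aud, wrong tenant
```

The header check replaces nothing that ESP does; it layers a second decision on top. If your backend is reachable without going through ESP, the header is attacker-controlled and this check is meaningless, so the backend must only accept traffic from the proxy.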