We are using Google App Engine (Java) with Extensible Service Proxy (ESP) as our backend, and Auth0 as our authenticator.
We can successfully invoke Auth0 from our web app and authenticate using email/password, Google account and Facebook, and receive an id_token and an access_token. As expected, when decoded via https://jwt.io/ we can see that the id_token contains (iss, sub, aud, iat, exp) as well as the email address and other user info. The access_token contains all the fields required by Endpoints (iss, sub, aud, iat, exp) but no email address.
When we invoke our App Engine Endpoint providing the access_token as a bearer token, the endpoint gets invoked but the User is always null. There are no errors in the App Engine logs.
We had expected that the ESP would validate the access_token and provide our App Engine method with the validated User containing the credentials from Auth0.
Is our expectation incorrect, or have we misconfigured something?
What do we need to do to receive a User authorised by Auth0 in our App Engine method?
@Api(
    name = "ourInterface",
    version = "v1",
    namespace = @ApiNamespace(ownerDomain = "our-domain.com", ownerName = "Our Company"),
    authenticators = {EspAuthenticator.class},
    // Authenticate using Auth0
    issuers = {
        @ApiIssuer(
            name = "auth0",
            issuer = "https://our-domain.au.auth0.com/",
            jwksUri = "https://our-domain.au.auth0.com/.well-known/jwks.json")
    },
    issuerAudiences = {
        @ApiIssuerAudience(
            name = "auth0",
            audiences = "https://our-domain.appspot.com/ourInterface" // The interface specified in Applications\APIs in Auth0
        )
    }
)
public class OurInterface {
    @ApiMethod(name = "postSomeStuff", path = "postSomeStuff", httpMethod = HttpMethod.POST)
    public SomeResponse postSomeStuff(SomeRequest request, User user) {
        // ESP is expected to inject the authenticated caller here; it is always null in practice
        if (user == null) {
            throw new IllegalStateException("Expected a User");
        }
        // Take user and request params and confirm User has access to those resources
        // Then do something useful
    }
}
Update 1: If we add
    authLevel = AuthLevel.REQUIRED,
to the Api annotation, then our method is not invoked and the ESP fails the request with
com.google.api.server.spi.SystemService invokeServiceMethod: exception occurred while calling backend method
com.google.api.server.spi.response.UnauthorizedException: Valid user credentials are required.
at com.google.api.server.spi.request.ServletRequestParamReader.deserializeParams(ServletRequestParamReader.java:161)
at com.google.api.server.spi.request.RestServletRequestParamReader.read(RestServletRequestParamReader.java:161)
at com.google.api.server.spi.SystemService.invokeServiceMethod(SystemService.java:347)
at com.google.api.server.spi.handlers.EndpointsMethodHandler$RestHandler.handle(EndpointsMethodHandler.java:127)
at com.google.api.server.spi.handlers.EndpointsMethodHandler$RestHandler.handle(EndpointsMethodHandler.java:110)
at com.google.api.server.spi.dispatcher.PathDispatcher.dispatch(PathDispatcher.java:50)
at com.google.api.server.spi.EndpointsServlet.service(EndpointsServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:848)
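Added diagnostic, not part of the question or of the Endpoints/ESP code: a small Python script that decodes the two Auth0 tokens the question describes and checks their claims against the issuer and audience configured in the @ApiIssuer / @ApiIssuerAudience annotations above. The issuer and audience strings are the question's own; the two sample tokens are constructed here with a placeholder signature, and the script deliberately does not verify signatures, so it explains why the proxy would accept or reject a token but must never be used as an authenticator itself.

```python
"""Claim-level diagnostic for JWTs sent to an ESP-fronted Endpoints API.

Added example; it decodes tokens WITHOUT verifying the signature, so it is a
debugging aid for checking iss/aud/exp against the @ApiIssuer configuration,
not a replacement for the proxy's JWKS-based verification.
"""
import base64
import json

# Values taken from the question's @Api annotation.
ISSUER = "https://our-domain.au.auth0.com/"
AUDIENCES = {"https://our-domain.appspot.com/ourInterface"}
REQUIRED_CLAIMS = ("iss", "sub", "aud", "iat", "exp")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> dict:
    """Return the payload claims of a compact JWS; the signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg", "none").lower() == "none":
        raise ValueError("alg=none tokens are never acceptable")
    return json.loads(_b64url_decode(parts[1]))


def rejection_reasons(claims: dict, issuer: str, audiences: set, now: float) -> list:
    """List the checks an issuer/audience-based validator would fail the token on."""
    problems = [f"missing claim: {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    aud = claims.get("aud", [])
    aud = {aud} if isinstance(aud, str) else set(aud)  # 'aud' may be a string or a list
    if not aud & audiences:
        problems.append(f"aud {sorted(aud)} has no overlap with configured audiences {sorted(audiences)}")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    if "nbf" in claims and claims["nbf"] > now:
        problems.append("token not yet valid (nbf in the future)")
    return problems


def missing_identity_claims(claims: dict) -> list:
    """Identity claims the question notes on the id_token but not the access_token."""
    return [c for c in ("sub", "email") if c not in claims]


def make_unsigned_sample(payload: dict) -> str:
    """Constructed sample token with a placeholder signature (demo input only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join(
        [_b64url_encode(json.dumps(header).encode()),
         _b64url_encode(json.dumps(payload).encode()),
         _b64url_encode(b"placeholder-signature")])


NOW = 1_700_000_000  # fixed 'current time' so the example is deterministic
# Constructed id_token: audience is the Auth0 client id, and it carries an email.
ID_TOKEN = make_unsigned_sample({
    "iss": ISSUER, "sub": "auth0|123", "aud": "constructed-client-id",
    "iat": NOW - 60, "exp": NOW + 3600, "email": "alice@example.com",
})
# Constructed access_token: audience is the API identifier, no email claim.
ACCESS_TOKEN = make_unsigned_sample({
    "iss": ISSUER, "sub": "auth0|123",
    "aud": ["https://our-domain.appspot.com/ourInterface", ISSUER + "userinfo"],
    "iat": NOW - 60, "exp": NOW + 3600, "scope": "openid profile email",
})


def diagnose(token: str, now: float = NOW) -> dict:
    claims = decode_unverified(token)
    return {"rejected_for": rejection_reasons(claims, ISSUER, AUDIENCES, now),
            "missing_identity": missing_identity_claims(claims)}


if __name__ == "__main__":
    for name, tok in (("id_token", ID_TOKEN), ("access_token", ACCESS_TOKEN)):
        print(name, json.dumps(diagnose(tok), indent=2))
```

Run against real tokens, the script shows the split the question describes: the access_token passes the issuer and audience checks but carries only `sub` as identity, while the id_token carries the email but its `aud` is the Auth0 client id rather than the API identifier configured in `@ApiIssuerAudience`, so it would fail the audience check.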