
I am trying to deploy my OpenAPI document by running this:

gcloud endpoints services deploy <OPENAPI_DOC>

I am able to see a new 'config_id' generated successfully and my OpenAPI document is deployed successfully. However, when I hit (from a JavaScript client) one of the endpoints declared in the OpenAPI document, I am not able to see the 'X-Endpoint-API-UserInfo' header being passed. I need that header value to cast it to a Java object. One of the workarounds I could think of is that I can use the 'Authorization' header instead. But when I went through this, it is mentioned that:

'ESP will send the authentication result in the X-Endpoint-API-UserInfo to the backend API. It is recommended to use this header instead of the original Authorization header.'

So, I want to know why it is not recommended to use the 'Authorization' header. Are there any security concerns? If yes, what are they?

Thank you!

VMA

1 Answer

It is noted in the users-custom#receiving_authenticated_results_in_your_api documentation that ESP usually forwards all headers it receives. However, it overrides the original Authorization header when the backend address is specified by x-google-backend in the OpenAPI specification or by BackendRule in the gRPC service configuration.

ESP will send the authentication result in the X-Endpoint-API-UserInfo to the backend API. It is recommended to use this header instead of the original Authorization header.

I also found a link swagger-with-google-oauth-2-0-authorization where it is mentioned that the Redirect URL can be changed by using the oauth2RedirectUrl parameter in the SwaggerUIBundle({ ... }) constructor in your index.html. Make sure to actually host the oauth2-redirect.html page at this custom location, and also register this redirect URL in Google Cloud Console.

There are also some OpenAPI feature limitations on Endpoints. You can find the limitations of URL path templating on this link limitations.

I hope you find this information useful.

Alva Santi
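As an added example (not from the question, the answer, or Google's own samples) of what the backend does with the header the answer recommends: ESP delivers X-Endpoint-API-UserInfo as base64url-encoded JSON, so the backend decodes that document and reads the verified identity from it instead of re-parsing the original Authorization header. The field names checked (id, issuer, email) and the sample values are assumptions constructed for this illustration.

```python
import base64
import json
from typing import Any, Dict, Mapping, Optional

HEADER = "X-Endpoint-API-UserInfo"


def _b64url_decode(data: str) -> bytes:
    """Decode base64url text, restoring the '=' padding ESP strips."""
    padding = "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data + padding)


def parse_endpoint_user_info(headers: Mapping[str, str]) -> Optional[Dict[str, Any]]:
    """Return the identity ESP verified, or None if the header is absent.

    Only trust this header when the backend is reachable solely through ESP;
    the Authorization header is deliberately never used as a fallback, since
    ESP has already validated the token and may have overridden that header.
    Raises ValueError on malformed input instead of silently accepting it.
    """
    # Case-insensitive lookup: frameworks differ in how they case header names.
    encoded = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    if encoded is None:
        return None
    try:
        info = json.loads(_b64url_decode(encoded))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError(f"malformed {HEADER}") from exc
    # Assumed required fields; reject a document that carries no usable identity.
    if not isinstance(info, dict) or "id" not in info or "issuer" not in info:
        raise ValueError(f"{HEADER} lacks required identity fields")
    return info


def encode_user_info_for_demo(info: Dict[str, Any]) -> str:
    """Build a header value the way ESP does (base64url, padding stripped). Constructed for the demo only."""
    return base64.urlsafe_b64encode(json.dumps(info).encode()).decode().rstrip("=")


# Constructed request headers as they would arrive from ESP; the token is a placeholder.
SAMPLE_HEADERS = {
    "Authorization": "Bearer <placeholder-token>",
    HEADER: encode_user_info_for_demo(
        {"id": "1234567890", "issuer": "https://accounts.google.com", "email": "alice@example.com"}
    ),
}

if __name__ == "__main__":
    print(parse_endpoint_user_info(SAMPLE_HEADERS))
```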