I'm completely open to correction on this but it looks like perhaps Google Cloud ESPv2 may not properly implement optional security - it seems to insist on a JWT even when it is only one of the methods and the other is no security. Of course, I may just have the syntax wrong...
Everything else is set up OK, my app works generally, but for this one method where I would like optional authentication it insists on a JWT. (I would like: if there's a valid JWT then fine, pass on the info, and if there's not a JWT at all that's OK. If there's an invalid JWT it should fail).
In release 2.21.0 of ESPv2 it apparently supports optional authentication (through that Envoy allow_missing flag - it was added specifically to support the possibility of an API having an optional credential - although I suspect that might only work if there's also an API key but according to the user qiwzhang that shouldn't be relevant): https://github.com/GoogleCloudPlatform/esp-v2/issues/353
That suggests it wasn't supported before it. However as I'm using ESPv2 Build 2.44.0 it shouldn't be an issue. (I've checked on GitHub, the code is still there in Master although it has been moved and refactored over time).
It is a property that can be in the API config that ESPv2 pulls back from Service Management: https://cloud.google.com/service-infrastructure/docs/service-management/reference/rest/v1/services.configs#authenticationrule
It's a boolean there and is called allowWithoutCredential, which is what the original feature request referred to.
There's an existing question on SO here: Google ESP optional auth but it's almost 3 years old and refers to ESPv1. This question is about ESPv2 so I have asked a new question.
The question is simple: how to specify in yaml for Endpoints that authentication is optional. ESPv2 reads its config from Service Management. I'm deploying to Service Management (Endpoints) using gcloud and deploying YAML.
For the particular method, YAML is:
    /secureinfo:
      get:
        tags:
        - "api"
        summary: "Get Secure Information"
        description: "Returns Secure Information"
        operationId: "getSecureInfo"
        security:
        - {}
        - app_jwk: []
        responses:
          "200":
            description: "successful operation"
            schema:
              $ref: "#/definitions/InfoDetails"
          "400":
            description: "Client Error"
Anyway, I have tried the yaml above (specifically the security part having none and a specified one) as suggested in the other SO question but it doesn't work - it always returns 401 with "Jwt is missing" if I don't supply a JWT.
Just FYI: My methods that require a JWT work as intended. My methods that don't take a JWT work as intended. The problem is I cannot seem to have an optional JWT even though other things suggest that I can.
So the question is: how do I specify on a particular method, via yaml that I am uploading to Endpoints (gcloud endpoints deploy), that the security for that method is no security or a JWT... i.e. optional security?
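An added example, not part of the original question and not ESPv2 code: a small audit that classifies each operation in an OpenAPI 2 document as requiring, optionally accepting, or not using credentials, reading `security` as a list of alternatives in which `{}` means "no credential". The embedded document is constructed: `getSecureInfo` mirrors the method above, while the top-level `security` default and the `/private` and `/public` paths are hypothetical. It reports only what the document declares, not what the proxy enforces at runtime.

```python
# Added example: classify each operation's declared auth mode in an OpenAPI 2 document.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample: getSecureInfo mirrors the question; the rest is hypothetical.
SPEC = {
    "security": [{"app_jwk": []}],  # hypothetical top-level default
    "paths": {
        "/secureinfo": {"get": {"operationId": "getSecureInfo",
                                "security": [{}, {"app_jwk": []}]}},
        "/private": {"get": {"operationId": "getPrivate"}},
        "/public": {"get": {"operationId": "getPublic", "security": []}},
    },
}


def auth_mode(requirements):
    """Return 'none', 'optional' or 'required' for a security requirement list."""
    if not requirements:
        return "none"  # empty list: no security declared for the operation
    anonymous = any(len(req) == 0 for req in requirements)    # a bare {} entry
    credentialed = any(len(req) > 0 for req in requirements)  # a named scheme
    if anonymous and credentialed:
        return "optional"
    return "none" if anonymous else "required"


def classify(spec):
    """Map operationId -> (auth mode, sorted scheme names) for every operation."""
    default = spec.get("security", [])
    result = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            # An operation-level list overrides the top-level one, even when empty.
            reqs = op.get("security", default)
            schemes = sorted({name for req in reqs for name in req})
            result[op.get("operationId", f"{method} {path}")] = (auth_mode(reqs), schemes)
    return result


if __name__ == "__main__":
    for op_id, (mode, schemes) in classify(SPEC).items():
        print(f"{op_id}: {mode} {schemes}")
```

Running the same check against the configuration fetched back from Service Management would show whether the optional requirement survived deployment.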