我一直在开发一个 gRPC 服务,该服务需要能够接收来自经过 Firebase 身份验证的浏览器的调用。在出现此 409 错误之前,我一切正常,但似乎找不到更多信息。
我现在会尽力提供尽可能多的信息。
编码
这是我的 k8s 清单
apiVersion: v1
kind: Service
metadata:
name: esp-grpc-environment
spec:
ports:
# Port that accepts gRPC and JSON/HTTP2 requests over HTTP.
- port: 80
targetPort: 9090
protocol: TCP
name: http2
selector:
app: esp-grpc-environment
type: LoadBalancer
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: esp-grpc-environment
spec:
replicas: 1
template:
metadata:
labels:
app: esp-grpc-environment
spec:
containers:
- name: esp
image: gcr.io/endpoints-release/endpoints-runtime:1
args: [
"--http_port=9090",
"--service=environment.endpoints.<project_id>.cloud.goog",
"--rollout_strategy=managed",
"--backend=grpc://127.0.0.1:8000",
"--cors_preset=basic",
"--cors_allow_headers=Keep-Alive,User-Agent,Cache-Control,Content-Type,Content-Transfer-Encoding,X-Accept-Content-Transfer-Encoding,X-Accept-Response-Streaming,X-User-Agent,X-Grpc-Web,Grpc-Timeout,Authorization,authorization",
"--cors_expose_headers=grpc-status,grpc-message,authorization",
"--enable_debug"
]
ports:
- containerPort: 9090
- name: environment
image: terrariumai/environment:0.0.1
imagePullPolicy: Always
ports:
- containerPort: 8000
我的端点配置
type: google.api.Service
config_version: 3
name: environment.endpoints.<project_id>.cloud.goog
title: Environment gRPC API
apis:
- name: endpoints.terrariumai.environment.Environment
authentication:
providers:
- id: firebase
jwks_uri: https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com
issuer: https://securetoken.google.com/<project_id>
rules:
- selector: "*"
requirements:
- provider_id: firebase
usage:
rules:
- selector: endpoints.terrariumai.environment.Environment.CreateEntity
allow_unregistered_calls: true
这是我的服务配置的链接
这就是我调用 API 的方式
import {
CreateEntityRequest
} from "../api/environment_pb";
this.props.firebase
.auth()
.currentUser.getIdToken(/* forceRefresh */ true)
.then(function(idToken) {
var service = new EnvironmentClient(addr, null, null);
var request = new CreateEntityRequest();
var metadata = {
authorization: `Bearer ${idToken}`
};
console.log(idToken);
service.createEntity(request, metadata, (err, resp) => {
if (err) {
console.log("Got error: ", err);
}
console.log("Resp: ", resp);
});
})
错误
所以此时我在浏览器中收到此错误
POST http://<external-ip>/endpoints.terrariumai.environment.Environment/CreateEntity 403 (Forbidden)
这是来自/var/log/nginx/error.log的相关内容(但不是全部,我认为这应该足够了)
2019/07/11 00:06:44 [debug] 9#9: *8 HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 11 Jul 2019 00:06:44 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Bearer, error="invalid_token"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers: Keep-Alive,User-Agent,Cache-Control,Content-Type,Content-Transfer-Encoding,X-Accept-Content-Transfer-Encoding,X-Accept-Response-Streaming,X-User-Agent,X-Grpc-Web,Grpc-Timeout,Authorization,authorization
Access-Control-Expose-Headers: grpc-status,grpc-message,authorization
2019/07/11 00:06:44 [debug] 9#9: *8 write new buf t:1 f:0 000056541D4E9778, pos 000056541D4E9778, size: 618 file: 0, size: 0
2019/07/11 00:06:44 [debug] 9#9: *8 http write filter: l:0 f:0 s:618
2019/07/11 00:06:44 [debug] 9#9: *8 http output filter "/endpoints.terrariumai.environment.Environment/CreateEntity?"
2019/07/11 00:06:44 [debug] 9#9: *8 ESP error message: JWT validation failed: Audience not allowed
2019/07/11 00:06:44 [debug] 9#9: *8 send error response: {
"code": 7,
"message": "JWT validation failed: Audience not allowed",
"details": [
{
"@type": "type.googleapis.com/google.rpc.DebugInfo",
"stackEntries": [],
"detail": "auth"
}
]
}
我真的不确定如何进一步调试。我试着查了一下,我能找到的唯一文档说也许 Firebase 在标题中设置了不正确的“aud”值?任何见解将不胜感激!