
I have a simple Node.js function inside Google Cloud Functions (that is called from my website's code). Previously I used the id_token that I get when I'm logged in with the Google Cloud SDK, using: gcloud auth print-identity-token, but it only lasts 60 minutes, so after that my application can't use the Google Cloud Function anymore.

So I tried to generate my own token with the help of the service account key: https://cloud.google.com/docs/authentication/production#create_service_account

But I always get a "401 Unauthorized" when I call my link with the "Authorization: Bearer token" header.

Maybe it's because I don't know what to put in the "aud" value (inside the payload array).

```php
<?php

namespace MyProject\Parser;

use Firebase\JWT\JWT;
use GuzzleHttp\Client;

abstract class GoogleCloudParser extends AbstractParser
{
    /**
     * Returns the HTML for the given URL
     * @param string $url
     * @return string
     * @throws \GuzzleHttp\Exception\GuzzleException
     */
    protected function getHTML(string $url): string
    {
        $cloudFunctionURL = "https://region-project-name.cloudfunctions.net/function-name";
        $token = $this->getToken();
        $guzzle = new Client();
        $response = $guzzle->get($cloudFunctionURL, [
            'query' => ['url' => $url],
            'headers' => [
                'Authorization' => "Bearer " . $token
            ]
        ]);
        return $response->getBody()->getContents();
    }

    /**
     * Returns the authentication token for google cloud
     * @return string
     */
    protected function getToken()
    {
        $privateKey = "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n";
        $publicKey = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n";
        $payload = [
            'iss' => '[email protected]',
            'sub' => '[email protected]',
            'aud' => 'bucket-name',
            'iat' => time(),
            'exp' => (time() + 3600)
        ];
        $header = [
            "alg" => "RS256",
            "typ" => "JWT",
            "kid" => "private_key_id_of_app_engine_default_service-account"
        ];
        $token = JWT::encode($payload, $privateKey, $header["alg"], $header["kid"]);
        return $token;
    }
}
```

I tried multiple things to put in "aud" but I don't know what to use... I tried the bucket name that I got with this: https://github.com/GoogleCloudPlatform/php-docs-samples/blob/78356e87cc54c1d46df52c0d2f47320329957ce5/auth/src/auth_api_explicit.php

With the command line: php src/auth_api_explicit.php myGoogleProjectID gcloud-service-account-file.json

I tried to use "https://cloudfunctions.googleapis.com/"...

I tried to put the full URL of my function from Google Cloud Functions.

And I think I have set everything up in IAM on the Google Cloud platform for my service account.

Any help on this please?

1 Answer

I'm kind of confused looking at your code because the use says Firebase\JWT\JWT; but the service account that you are using for the custom token is the App Engine default service account, and in the aud you have a bucket name. After looking for a while I found out that to avoid the 401 error you need to ensure that the service account is authorized on the Domain-wide delegation page of the Admin console for the user in the sub claim (field).

Regarding what you could put in the aud, you can try https://firebase.googleapis.com/, but again I am not totally sure of this because I am a little confused by your code.

Best regards.


3 Comments

I don't know where Domain-wide delegation is... I tried to find it but no luck so far...
I think the best way to go now is to make an authorized API call. You need to follow 3 steps: create the JWT, request an access token from the Google OAuth 2.0 authorization server, and lastly handle the response that you get in return. Since your question is what to put in the aud, you can put https://oauth2.googleapis.com/token, but to avoid any further trouble you can check this documentation that explains what I just told you.
Hello, so I found a solution: I used https://www.googleapis.com/oauth2/v4/token in aud and then used the response id_token as the Bearer token authorization, and it worked. Thanks for your help!
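The three-step flow described in the comments (build a self-signed JWT, exchange it at Google's OAuth 2.0 token endpoint, use the returned id_token as the bearer credential) written out end to end, as an added example that is neither the asker's code nor Google's client library. It assumes firebase/php-jwt and guzzlehttp/guzzle are installed via Composer, PHP 8.0 or later, and a downloaded service-account JSON key; the key path and function URL are placeholders. The aud of the assertion is the token endpoint, the function URL goes in the target_audience claim, and the returned token is cached until shortly before its exp so the 60-minute lifetime no longer breaks the caller.

```php
<?php
// Added example: obtain a Google-signed ID token for a Cloud Function with a
// service-account key via the OAuth 2.0 JWT-bearer flow. Not the asker's code.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use GuzzleHttp\Client;

final class CloudFunctionIdToken
{
    // Current token endpoint; the legacy https://www.googleapis.com/oauth2/v4/token
    // from the comments above is also accepted by Google.
    private const TOKEN_URI = 'https://oauth2.googleapis.com/token';

    private string $cachedToken = '';
    private int $cachedExp = 0;

    public function __construct(
        private string $keyFile,   // path to the service-account JSON key (placeholder in usage below)
        private string $audience   // the Cloud Function URL the ID token must be minted for
    ) {
    }

    /** Self-signed assertion: aud = token endpoint, target_audience = the function URL. */
    public function buildAssertion(array $key, int $now): string
    {
        $claims = [
            'iss' => $key['client_email'],
            'sub' => $key['client_email'],
            'aud' => self::TOKEN_URI,
            'iat' => $now,
            'exp' => $now + 3600,              // Google rejects assertions valid for more than one hour
            'target_audience' => $this->audience,
        ];
        // kid is the private_key_id field of the JSON key, so Google can pick the right public key
        return JWT::encode($claims, $key['private_key'], 'RS256', $key['private_key_id']);
    }

    /** Returns a cached ID token while it has more than 60 s left, otherwise exchanges a fresh assertion. */
    public function getIdToken(): string
    {
        if ($this->cachedToken !== '' && time() < $this->cachedExp - 60) {
            return $this->cachedToken;
        }
        $key = json_decode(file_get_contents($this->keyFile), true, 512, JSON_THROW_ON_ERROR);
        $assertion = $this->buildAssertion($key, time());

        $response = (new Client())->post(self::TOKEN_URI, [
            'form_params' => [
                'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
                'assertion'  => $assertion,
            ],
        ]);
        $body = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
        if (empty($body['id_token'])) {
            throw new RuntimeException('Token endpoint returned no id_token: ' . json_encode($body));
        }

        // Only the expiry is read from the payload, for caching; Google signed the token,
        // and the Cloud Functions front end is what verifies it on every request.
        $payload = json_decode(JWT::urlsafeB64Decode(explode('.', $body['id_token'])[1]), true);
        $this->cachedToken = $body['id_token'];
        $this->cachedExp = (int) ($payload['exp'] ?? time() + 3600);
        return $this->cachedToken;
    }

    /** Calls the function with the ID token as the bearer credential. */
    public function call(array $query): string
    {
        $response = (new Client())->get($this->audience, [
            'query'   => $query,
            'headers' => ['Authorization' => 'Bearer ' . $this->getIdToken()],
        ]);
        return $response->getBody()->getContents();
    }
}

// Usage with placeholder path and URL:
// $fn = new CloudFunctionIdToken('/secure/path/service-account.json',
//     'https://REGION-PROJECT.cloudfunctions.net/function-name');
// echo $fn->call(['url' => 'https://example.com/']);
```

Two things are easy to get wrong here. The function only accepts the token if its aud equals the function's own URL, which is why the URL must go in target_audience rather than in aud, and the service account still needs the Cloud Functions Invoker role on that function; a missing role produces the same 401 as a wrong audience, so check IAM before suspecting the token. Keep the JSON key out of the web root and out of source control, since anyone holding it can mint the same tokens.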
