
How to authenticate against a federated GraphQL service on GCP Cloud Run?

I have a series of microservices on GCP Cloud Run that are each hosting a federated Apollo GraphQL service. I then have one last container which is acting as a federated GraphQL gateway for the rest of the services.

This works fine when public access is enabled on the containers, but I cannot get the gateway server to authenticate against the other two services.

I have tried using the Apollo RemoteGraphQLDataSource and implementing the willSendRequest method to set the necessary headers.

I have also tried adding the Cloud Run Invoker role to the service role that the gateway runs as.

```javascript
const { ApolloServer } = require("apollo-server");
const { ApolloGateway, RemoteGraphQLDataSource } = require("@apollo/gateway");

async function main() {
  const gateway = new ApolloGateway({
    // serviceList takes { name, url } entries; buildService returns the
    // data source that actually performs each subgraph request.
    serviceList: [{ name: "servicex", url: serviceurl }],
    buildService({ url }) {
      return new RemoteGraphQLDataSource({
        url,
        willSendRequest({ request }) {
          // Backticks (template literal) so TOKEN is really interpolated;
          // "Bearer ${TOKEN}" in double quotes sends the literal text.
          request.http.headers.set("Authorization", `Bearer ${TOKEN}`);
        },
      });
    },
  });

  // await is only valid inside an async function.
  const { schema, executor } = await gateway.load();
  const server = new ApolloServer({ schema, executor });
  return server;
}
```

I expect the gateway server to be able to authenticate against the other microservices.

Cloud Run authorization requires an OAuth 2.0 Identity Token in your authorization: bearer TOKEN HTTP header. A common mistake is to use an Access Token.

Unless you have specified a new service account in your deploy command, Cloud Run uses the Compute Engine Default Service Account as its identity. This means you need to specify the Service Account email address for the role/run.Invoker.

When you authorize with OAuth for User Credentials, you can receive three tokens: Access Token, Refresh Token and Identity Token, depending on what you have specified in the Scopes parameter. The Identity Token is what you use in your HTTP Authorization header.

When you authorize service-to-service using a service account identity, call the Cloud Run metadata server to create a token for you. This endpoint will return an Identity Token. Use the returned token in your HTTP Authorization header.

http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=<usually-the-url-of-the-cloud-run-service-you-are-calling>

The returned token is a Signed JWT that you can decode. Typical base64 encoding of header.payload.signature. The payload contains the email address of the service account, and this email address is what the Cloud Run Proxy uses for authorization.
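The metadata-server flow described in this answer, as an added example that is not part of the original question or answer: it builds the identity-token URL, fetches the token with the required `Metadata-Flavor: Google` header, decodes the JWT payload for inspection, and wires a fresh token into a `willSendRequest` hook. It assumes Node 18+ (global `fetch`, `Buffer` base64url) and that the audience is the subgraph service's origin; the sample token is constructed with a placeholder signature.

```javascript
// Added example, not from the question or answer: mint a Cloud Run identity
// token via the metadata server and attach it to federated subgraph calls.
// Assumptions: Node 18+ (global fetch, Buffer base64url); the audience is the
// subgraph service's origin (scheme + host), which is the usual choice.
const METADATA_BASE = "http://metadata/computeMetadata/v1";

// Identity-token URL for a given audience, as used in the answer above.
function identityTokenUrl(audience) {
  return `${METADATA_BASE}/instance/service-accounts/default/identity` +
    `?audience=${encodeURIComponent(audience)}`;
}

// Ask the metadata server for an identity token. The "Metadata-Flavor: Google"
// header is mandatory. fetchImpl is injectable so this can run offline with a stub.
async function fetchIdentityToken(audience, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(identityTokenUrl(audience), {
    headers: { "Metadata-Flavor": "Google" },
  });
  if (!res.ok) throw new Error(`metadata server returned HTTP ${res.status}`);
  return (await res.text()).trim();
}

// Decode a JWT payload WITHOUT verifying the signature: useful to confirm the
// token carries the expected "aud" and service-account "email" when debugging
// a 403 from the Cloud Run proxy. Never use this to accept a token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a header.payload.signature JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// willSendRequest hook for a RemoteGraphQLDataSource: a fresh token per request,
// scoped to the subgraph's own origin, set via a real template literal.
function makeWillSendRequest(subgraphUrl, fetchImpl) {
  const audience = new URL(subgraphUrl).origin;
  return async function willSendRequest({ request }) {
    const token = await fetchIdentityToken(audience, fetchImpl);
    request.http.headers.set("Authorization", `Bearer ${token}`);
  };
}

// Constructed sample token for offline use; the signature part is a placeholder.
function constructedSampleToken(aud, email) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64({ aud, email, iss: "https://accounts.google.com" })}.placeholder-signature`;
}
```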
