Mixed Content error when requesting ID token through Google Auth Library in App Engine
I am trying to authenticate my app running in App Engine to call a Cloud Run service. To do so, I request an OAuth 2 token through the Google Auth library (getIdTokenClient method), as this looks to be the recommended approach here: https://github.com/googleapis/google-auth-library-nodejs#working-with-id-tokens
The following error is raised from my app when OAuth 2 is trying to access the Google metadata:
gaxios.ts:91 Mixed Content: The page at 'https://myapp-dev.nw.r.appspot.com/' was loaded over HTTPS, but requested an insecure resource 'http://169.254.169.254/computeMetadata/v1/instance'. This request has been blocked; the content must be served over HTTPS.
Following is my piece of code:
// Fragment: the try block runs inside an async function.
const {GoogleAuth} = require('google-auth-library');
const url = 'https://myapp-dev-fvnpywgyfa-nw.a.run.app';
const auth = new GoogleAuth();
let client; // cached ID token client
const serviceRequestOptions = {
  method: 'GET',
  headers: {
    'Content-Type': 'text/plain',
  },
  timeout: 3000,
};
try {
  // Create a Google Auth client with the Renderer service url as the target audience.
  if (!client) client = await auth.getIdTokenClient(url);
  // Fetch the client request headers and add them to the service request headers.
  // The client request headers include an ID token that authenticates the request.
  const clientHeaders = await client.getRequestHeaders();
  serviceRequestOptions.headers['Authorization'] =
    clientHeaders['Authorization'];
} catch (err) {
  // Error() ignores a second string argument, so append the cause to the message.
  throw Error('could not create an identity token: ' + err);
}
gaxios.ts:91 Mixed Content: The page at https://myapp-dev.nw.r.appspot.com/ was loaded over HTTPS, but requested an insecure resource http://169.254.169.254/computeMetadata/v1/instance. This request has been blocked; the content must be served over HTTPS
Subnet 169.254.0.0/16 is an IANA special-use net (rfc3330) for the "Link-Local" block (rfc3927). This subnet is not routed to the public Internet, therefore it is accessible in the local segment only.
URL http://169.254.169.254/computeMetadata/v1/instance is used as an internal link-local address in cloud services such as AWS, Yandex Cloud, Google Cloud Platform (GCP also uses the http://metadata.google.internal/computeMetadata/v1/instance URL) to get information about a VM instance.
IP address 169.254.169.254 is accessible only via http: because it works in a private internal network, where SSL certs cannot be verified (see para 1 - no route to the public net).
Therefore, if your app tries to access http://169.254.169.254/computeMetadata/v1/instance - you definitely did something wrong. This address cannot be accessed in an easy way.
Maybe the Using OAuth 2.0 to Access Google APIs link can help you.
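Added example, not part of the original question or answer: Mixed Content is enforced only by browsers, so the error shows the token request ran in page script. One way to keep it on the server is a same-origin endpoint in the App Engine backend that mints the ID token and forwards the call to Cloud Run. The helper names, the injectable `auth` and `fetchImpl` parameters and the Node 18+ global `fetch` are assumptions; the Cloud Run URL is the one from the question.

```javascript
// Added example: server-side code for the App Engine service (Node 18+ assumed).
// Keep it out of page script: a browser cannot reach the metadata server.
const TARGET_AUDIENCE = 'https://myapp-dev-fvnpywgyfa-nw.a.run.app'; // Cloud Run URL from the question

let cachedClient; // reuse one ID token client across requests

// Hypothetical helper. `auth` is injectable so the logic can be tested offline;
// by default a real GoogleAuth is loaded lazily, which only works in server-side Node.js.
async function getAuthorizationHeader(audience, auth) {
  if (typeof window !== 'undefined') {
    throw new Error('ID tokens must be requested server-side, not from the browser');
  }
  if (!cachedClient) {
    const googleAuth = auth || new (require('google-auth-library').GoogleAuth)();
    cachedClient = await googleAuth.getIdTokenClient(audience);
  }
  const headers = await cachedClient.getRequestHeaders();
  // Accept either a plain object or a Headers instance.
  const value = typeof headers.get === 'function'
    ? headers.get('authorization')
    : headers.Authorization;
  if (!value) throw new Error('could not create an identity token');
  return value;
}

// Hypothetical Node http handler: the browser calls this same-origin endpoint and
// the server forwards the request to Cloud Run with the ID token attached.
function createProxyHandler({ auth, fetchImpl = globalThis.fetch } = {}) {
  return async (req, res) => {
    try {
      const authorization = await getAuthorizationHeader(TARGET_AUDIENCE, auth);
      const upstream = await fetchImpl(TARGET_AUDIENCE, {
        method: 'GET',
        headers: { Authorization: authorization },
        signal: AbortSignal.timeout(3000), // same 3 s timeout as the question
      });
      const body = await upstream.text();
      res.writeHead(upstream.status, { 'Content-Type': 'text/plain' });
      res.end(body);
    } catch (err) {
      // Do not leak token or upstream details to the browser.
      res.writeHead(502, { 'Content-Type': 'text/plain' });
      res.end('upstream request failed');
    }
  };
}

// Server wiring (not executed here):
// require('http').createServer(createProxyHandler()).listen(process.env.PORT || 8080);
```

The page script then requests this endpoint on its own HTTPS origin, so the ID token never reaches the browser.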