
Is there a way to authenticate http requests from a non-Google app to Google Cloud Functions?

When I read Google Cloud Functions' documentation on authentication, it seems the available authentication methods can only be used to authenticate a Google user or another Google Service (Service Account).

Well, I have a use case where I want to authenticate webhooks that come from apps like Monday.com and Clockify. I want events in those apps to trigger my Cloud Function and I want this to be secure and possibly even GDPR compliant. Is there any reliable way to authenticate requests received from those apps? Have I missed something in Google's documentation, products, and features or is there actually no way for this to be done?

If those services support computation, such as signing data and calling endpoints, then possibly. I am not aware of their interfaces or features. Most services do not provide computation as part of a webhook.

Google uses OAuth Identity Tokens for service authentication. This requires creating a JWT, signing it with an RSA private key, etc.

For interfaces that cannot meet the requirements of generating an identity token, I often use a simple secret value (a large random 128-bit number) and pass that secret as a custom HTTP header value. Inside my Function application, I check the header for the correct secret. If there is no match, drop the connection or return an error. If valid, continue processing.

The best solution is to use Google Identity-based authorization, but that is not always possible with some services.
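
The header check described in the answer above, as an added example that is not part of the original answer. The header name `X-Webhook-Secret`, the environment variable `WEBHOOK_SECRETS` and the comma-separated rotation list are assumptions made for illustration; `request` only needs a `.headers` mapping, as a Flask request has in a Python Cloud Function.

```python
import hmac
import os
import secrets

# Hypothetical names chosen for this example (not from the page).
HEADER_NAME = "X-Webhook-Secret"
ENV_VAR = "WEBHOOK_SECRETS"  # comma-separated, so old and new secrets overlap during rotation


def new_secret() -> str:
    """Return a random 128-bit secret as 32 hex characters."""
    return secrets.token_hex(16)


def load_secrets(environ=os.environ) -> list[bytes]:
    """Read the accepted secrets; blank entries are dropped so an
    unset or empty variable can never match an empty header."""
    raw = environ.get(ENV_VAR, "")
    return [s.strip().encode() for s in raw.split(",") if s.strip()]


def is_authorized(headers, accepted: list[bytes]) -> bool:
    """Constant-time check of the presented header against every accepted secret."""
    presented = (headers.get(HEADER_NAME) or "").encode()
    if not presented or not accepted:
        return False  # fail closed: header missing or no secret configured
    ok = False
    for secret in accepted:  # compare against all entries, no early exit
        ok |= hmac.compare_digest(presented, secret)
    return ok


def webhook(request, environ=os.environ):
    """HTTP function entry point. Returns a (body, status) tuple."""
    if not is_authorized(request.headers, load_secrets(environ)):
        return ("Forbidden", 403)
    # ... process the verified webhook event here ...
    return ("OK", 200)
```

Keeping two secrets in the list lets the sender be switched to a new value before the old one is removed.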

John's solution is one possible solution, which we used a lot at my previous company.

However, you also have another solution, based on an API key. I wrote an article on that. It's pretty old and you can now use API Gateway (which is a managed solution of ESPv2), but the principle and the APISpec code are the same.

Keep in mind that, in terms of security, it's still a long-lived token, like John's solution, and it's not better. You simply have additional features, like rate limiting (another article).
