Description
We are trying to use EspAuthenticator to secure our endpoint as described in the documentation. One of the clients is a Java server application running on GKE, and we adopted the Python code from Service-to-Service Authentication documentation page to use the GKE service account to sign a JWT assertion and send it to the accounts.google.com authorization server to get a Google ID token for further requests. Here is the decoded token payload:
```json
{
  "iss": "accounts.google.com",
  "iat": 1482191821,
  "exp": 1482195421,
  "aud": "https://[SERVICE_NAME]",
  "sub": "118282247168390088452",
  "email_verified": true,
  "azp": "[SERVICE_ACCOUNT_EMAIL]",
  "email": "[SERVICE_ACCOUNT_EMAIL]"
}
```

Note that the audience (`aud`) of this token includes the protocol (`https://`). It is exactly the same as the `target_aud` we requested from the authorisation server, and it has to be like that, as the server will fail if the protocol is not provided. The Service-to-Service Authorisation doc also confirms that the protocol should be included:
> Replace `TARGET_AUD` with `https://[SERVICE_NAME]`, where `[SERVICE_NAME]` is the value of the host entry in the API configuration file, for example, `YOUR-SERVER-PROJECT-ID.appspot.com`
However, on the endpoint side EspAuthenticator fails to accept the request:
```
com.google.api.server.spi.auth.EspAuthenticator authenticate
WARNING: Authentication failed: com.google.api.auth.UnauthenticatedException: Audiences not allowed
```
Debugging the code that generates this error we can see that it is designed to accept the request if the token audience matches the service name. However, it does not accept it as the audience includes the protocol and service name does not.
We were able to proceed with the workaround of using `@Api.audiences` to whitelist `https://[SERVICE_NAME]`, but it's not very convenient, as we have to whitelist all service names used by different environments (e.g. development, test and production). We would appreciate any feedback on whether it is an issue of the EspAuthenticator or our setup.
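To make the mismatch concrete, here is an added Python example (not EspAuthenticator or endpoints-java code) that decodes a constructed token with the payload quoted above and applies an audience check the way the issue describes it, next to the `@Api.audiences`-style workaround and a hypothetical scheme-stripping variant; `SERVICE_NAME`, `SA_EMAIL` and the signature are placeholders.

```python
import base64
import json

SERVICE_NAME = "my-project.appspot.com"                  # placeholder for [SERVICE_NAME]
SA_EMAIL = "svc@my-project.iam.gserviceaccount.com"      # placeholder for [SERVICE_ACCOUNT_EMAIL]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with a dummy signature, only to construct test input."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.sig"

def decode_payload(token: str) -> dict:
    """Base64url-decode the payload segment (a real validator verifies the signature first)."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def audience_allowed(aud: str, service_name: str, allowed=()) -> bool:
    """Exact match, as the issue describes the authenticator's behaviour: aud must equal
    the bare service name or one of the explicitly listed audiences (@Api.audiences)."""
    return aud == service_name or aud in allowed

def audience_allowed_ignoring_scheme(aud: str, service_name: str, allowed=()) -> bool:
    """Hypothetical relaxed check that compares only the host part of a URL-shaped aud."""
    return aud.split("://", 1)[-1] == service_name or aud in allowed

def validate(token: str, service_name: str, now: int, allowed=(), check=audience_allowed) -> str:
    """Return 'ok' or the reason the token is rejected; `now` is a Unix timestamp."""
    claims = decode_payload(token)
    if claims.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        return "issuer not allowed"
    if not claims["iat"] <= now < claims["exp"]:
        return "token expired"
    if not check(claims["aud"], service_name, allowed):
        return "Audiences not allowed"
    return "ok"

# Constructed token reproducing the payload quoted in the issue (aud carries the scheme).
SAMPLE_TOKEN = make_unsigned_token({
    "iss": "accounts.google.com", "iat": 1482191821, "exp": 1482195421,
    "aud": f"https://{SERVICE_NAME}", "sub": "118282247168390088452",
    "email_verified": True, "azp": SA_EMAIL, "email": SA_EMAIL,
})
```

With the exact-match check the sample token is rejected with "Audiences not allowed"; listing `https://my-project.appspot.com` explicitly, or using the scheme-stripping variant, accepts it.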