googleapis / google-auth-library-php

Google Auth Library for PHP
Apache License 2.0

ServiceAccountJwtAccessCredentials example? #552

Open grandpaslab opened 2 months ago

grandpaslab commented 2 months ago

I'm attempting to use ServiceAccountJwtAccessCredentials to connect to a 3rd-party Google Cloud endpoint. AFAICT there's no example for using this class, and I haven't been able to get it to work. I've got a Python example working, so I know the audience and whatnot are correct. I've cobbled together some code based on the ServiceAccountCredentials example, but I can't tell what I'm doing wrong. The error I'm getting from the API is 401: "jwt is missing".

```php
use Google\Auth\Credentials\ServiceAccountJwtAccessCredentials;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

$path = 'cred.json';
$sa = new ServiceAccountJwtAccessCredentials($path);

$metadata = $sa->updateMetadata(
    [
       'issuer' => 'ham@sandwich.iam.gserviceaccount.com',
       'client_email' => 'ham@sandwich.iam.gserviceaccount.com',
       'audience' => 'https://ham-sandwich.a.run.app'
    ],
    "https://accounts.google.com/o/oauth2/auth" # auth_uri
);

$middleware = new AuthTokenMiddleware($sa);
$stack = HandlerStack::create();
$stack->push($middleware);
$client = new Client([
    'handler' => $stack,
    'base_uri' => $BASE_URI,
    'auth' => 'google_auth'
]);

$res = $client->request('POST', $SERVICE_URI, [
    ['body' => json_encode($quote_data)]
]);
```

Can an example for using this class be added to the docs?

Hectorhammett commented 1 month ago

Hello @grandpaslab!

By any chance, have you had the opportunity to debug if the token is being sent to the 3rd party at all? Or is it completely missing?

grandpaslab commented 1 month ago

Hi @Hectorhammett,

Unfortunately no. I gave up and wrote a separate microservice in Python that just gets the JWT. Would've been nice to keep it in PHP, since this was for a WordPress integration, but I didn't have time to fight with it anymore.

Hectorhammett commented 3 weeks ago

That's weird, nothing stands out as being wrong with this. I wonder if the 3rd party was not sending the token to the Google API, but the mention that Python works makes me doubt that. I will take a deeper look and confirm if there is a bug in the code or not.

Thanks for the message!

bshaffer commented 2 weeks ago

@grandpaslab The issue is that either a $scope or $authUri is required to use the Self Signed JWTs, and since AuthTokenMiddleware does not pass in an $authUri (this may be something that Python does... if so we may be able to fix it...), you need to add scopes as the second argument when creating the ServiceAccountJwtAccessCredentials class if you want this to work:

```php
$path = 'cred.json';
$scope = 'https://www.googleapis.com/auth/cloud-platform';
$sa = new ServiceAccountJwtAccessCredentials($path, $scope);
```

Additionally, you seem to be calling updateMetadata for no reason.

I am curious what the behavior of Python is, as we typically try to have feature and behavior parity with their implementation. Would you be able to provide us with a sample of what you're doing?
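
One way to check offline whether a token is attached at all, with and without the scope argument discussed above, and to see which claims the self-signed JWT carries. This is an added example, not code from the library, its docs, or any commenter. It assumes `google/auth` and `guzzlehttp/guzzle` are installed via Composer; the key, e-mail address and URL are constructed placeholders, and `sentBearerToken` and `jwtClaims` are hypothetical helper names.

```php
<?php
// Added example: inspect what AuthTokenMiddleware puts on the outgoing request.
require __DIR__ . '/vendor/autoload.php';

use Google\Auth\Credentials\ServiceAccountJwtAccessCredentials;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use GuzzleHttp\Psr7\Response;

// Returns the bearer token on the request as sent, or null if none was attached.
function sentBearerToken(ServiceAccountJwtAccessCredentials $sa): ?string
{
    $history = [];
    $stack = HandlerStack::create(new MockHandler([new Response(200)])); // no network I/O
    $stack->push(new AuthTokenMiddleware($sa));
    $stack->push(Middleware::history($history)); // pushed last, so it sees the final request
    $client = new Client(['handler' => $stack, 'auth' => 'google_auth']);
    $client->request('POST', 'https://service.example.invalid/quote', ['body' => '{}']);
    $header = $history[0]['request']->getHeaderLine('Authorization');
    $token = trim(preg_replace('/^Bearer\s*/i', '', $header));
    return $token === '' ? null : $token;
}

// Decodes the JWT payload for inspection only; the signature is not verified here.
function jwtClaims(string $jwt): array
{
    [, $payload] = explode('.', $jwt);
    return json_decode(base64_decode(strtr($payload, '-_', '+/')), true) ?: [];
}

// Constructed throwaway key pair, so no real service-account key is needed.
$pkey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pkey, $pem);
$jsonKey = [
    'client_email' => 'example@example-project.iam.gserviceaccount.com',
    'private_key' => $pem,
];

$cases = ['no scope' => null, 'with scope' => 'https://www.googleapis.com/auth/cloud-platform'];
foreach ($cases as $label => $scope) {
    $jwt = sentBearerToken(new ServiceAccountJwtAccessCredentials($jsonKey, $scope));
    echo $label, ': ', $jwt === null ? 'no JWT attached to the request' : json_encode(jwtClaims($jwt)), "\n";
}
```

Comparing the printed claims with the payload of the token the working Python client sends shows whether the receiving service is getting the audience or scope it expects.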