Google cloud platform 对Google IAP使用Salesforce命名凭据 目标
我已经构建了一个RESTAPI,它运行在Google应用程序引擎上,受(身份感知代理)保护。我的目标是使用从Salesforce向该API发出请求(使用该功能) 上下文 多亏了a,我知道我需要使用此流来请求令牌。因此,下一步是了解如何填写Salesforce的定义: a的特性如下所示:Google cloud platform 对Google IAP使用Salesforce命名凭据 目标,google-cloud-platform,oauth-2.0,jwt,salesforce,google-iap,Google Cloud Platform,Oauth 2.0,Jwt,Salesforce,Google Iap,我已经构建了一个RESTAPI,它运行在Google应用程序引擎上,受(身份感知代理)保护。我的目标是使用从Salesforce向该API发出请求(使用该功能) 上下文 多亏了a,我知道我需要使用此流来请求令牌。因此,下一步是了解如何填写Salesforce的定义: a的特性如下所示: 证书:不适用于我的用例 标识类型:是为每个访问Salesforce的用户使用不同的凭据,还是使用单一凭据。我将使用命名的主体 身份验证协议:I表明需要JWT令牌交换 令牌端点Url:为服务帐户下载的JSON指定
https://oauth2.googleapis.com/token
openid email
/projects/NNNNN/apps/XXXXXXX
目标受众
,结果如何我认为,
目标受众
云应该是位于IAP仪表板上的iapClientId。就像刚才提到的
我认为,
目标受众
云应该是位于IAP仪表板上的iapClientId。就像刚才提到的
我写了一篇关于如何创建包括JWT字段的访问令牌的文章。我对Salescorce一无所知。一旦您拥有一个签名的JWT,您就可以将其交换为访问令牌和OIDC令牌。我在Salesforce表单中没有看到任何可以这样做的内容。仅仅签署JWT是不够的。谢谢@JohnHanley,我将阅读你的文章并编写一个客户代码,这样我至少可以了解Salesforce之外的流程。可用的选项包括OAuth 2.0、JWT和JWT令牌交换。如果您遇到困难,我可能会自愿帮助您。我非常了解GCP的这一领域。可能会成为我网站上一篇有趣的文章。通过我的网站与我联系。我写了一篇关于如何创建包括JWT字段的访问令牌的文章。我对Salescorce一无所知。一旦您拥有一个签名的JWT,您就可以将其交换为访问令牌和OIDC令牌。我在Salesforce表单中没有看到任何可以这样做的内容。仅仅签署JWT是不够的。谢谢@JohnHanley,我将阅读你的文章并编写一个客户代码,这样我至少可以了解Salesforce之外的流程。可用的选项包括OAuth 2.0、JWT和JWT令牌交换。如果您遇到困难,我可能会自愿帮助您。我非常了解GCP的这一领域。可能会成为我网站上一篇有趣的文章。通过我的网站与我联系。原来Salesforce不支持谷歌要求的特定代币交换。@AdamSherman文档中有吗?想知道你是如何发现它不受支持的吗?这是一段时间以前的@RyanDawson,但我无法使它工作,也找不到一个示例。事实上,Salesforce和Google的所有示例都是在Apex中手动完成的。你试过了吗?谢谢@AdamSherman,调查发现Salesforce不支持Google要求的特定代币交换。@AdamSherman文档中有吗?想知道你是如何发现它不受支持的吗?这是一段时间以前的@RyanDawson,但我无法使它工作,也找不到一个示例。事实上,Salesforce和Google的所有示例都是在Apex中手动完成的。你试过了吗?谢谢@AdamSherman,调查一下
import google.auth
import google.auth.app_engine
import google.auth.compute_engine.credentials
import google.auth.iam
from google.auth.transport.requests import Request
import google.oauth2.credentials
import google.oauth2.service_account
import requests
import requests_toolbelt.adapters.appengine
IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
OAUTH_TOKEN_URI = 'https://www.googleapis.com/oauth2/v4/token'
def make_iap_request(url, client_id, method='GET', **kwargs):
"""Makes a request to an application protected by Identity-Aware Proxy.
Args:
url: The Identity-Aware Proxy-protected URL to fetch.
client_id: The client ID used by Identity-Aware Proxy.
method: The request method to use
('GET', 'OPTIONS', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE')
**kwargs: Any of the parameters defined for the request function:
https://github.com/requests/requests/blob/master/requests/api.py
If no timeout is provided, it is set to 90 by default.
Returns:
The page body, or raises an exception if the page couldn't be retrieved.
"""
# Set the default timeout, if missing
if 'timeout' not in kwargs:
kwargs['timeout'] = 90
# Figure out what environment we're running in and get some preliminary
# information about the service account.
bootstrap_credentials, _ = google.auth.default(
scopes=[IAM_SCOPE])
if isinstance(bootstrap_credentials,
google.oauth2.credentials.Credentials):
raise Exception('make_iap_request is only supported for service '
'accounts.')
elif isinstance(bootstrap_credentials,
google.auth.app_engine.Credentials):
requests_toolbelt.adapters.appengine.monkeypatch()
# For service account's using the Compute Engine metadata service,
# service_account_email isn't available until refresh is called.
bootstrap_credentials.refresh(Request())
signer_email = bootstrap_credentials.service_account_email
if isinstance(bootstrap_credentials,
google.auth.compute_engine.credentials.Credentials):
# Since the Compute Engine metadata service doesn't expose the service
# account key, we use the IAM signBlob API to sign instead.
# In order for this to work:
#
# 1. Your VM needs the https://www.googleapis.com/auth/iam scope.
# You can specify this specific scope when creating a VM
# through the API or gcloud. When using Cloud Console,
# you'll need to specify the "full access to all Cloud APIs"
# scope. A VM's scopes can only be specified at creation time.
#
# 2. The VM's default service account needs the "Service Account Actor"
# role. This can be found under the "Project" category in Cloud
# Console, or roles/iam.serviceAccountActor in gcloud.
signer = google.auth.iam.Signer(
Request(), bootstrap_credentials, signer_email)
else:
# A Signer object can sign a JWT using the service account's key.
signer = bootstrap_credentials.signer
# Construct OAuth 2.0 service account credentials using the signer
# and email acquired from the bootstrap credentials.
service_account_credentials = google.oauth2.service_account.Credentials(
signer, signer_email, token_uri=OAUTH_TOKEN_URI, additional_claims={
'target_audience': client_id
})
# service_account_credentials gives us a JWT signed by the service
# account. Next, we use that to obtain an OpenID Connect token,
# which is a JWT signed by Google.
google_open_id_connect_token = get_google_open_id_connect_token(
service_account_credentials)
# Fetch the Identity-Aware Proxy-protected URL, including an
# Authorization header containing "Bearer " followed by a
# Google-issued OpenID Connect token for the service account.
resp = requests.request(
method, url,
headers={'Authorization': 'Bearer {}'.format(
google_open_id_connect_token)}, **kwargs)
if resp.status_code == 403:
raise Exception('Service account {} does not have permission to '
'access the IAP-protected application.'.format(
signer_email))
elif resp.status_code != 200:
raise Exception(
'Bad response from application: {!r} / {!r} / {!r}'.format(
resp.status_code, resp.headers, resp.text))
else:
return resp.text
def get_google_open_id_connect_token(service_account_credentials):
"""Get an OpenID Connect token issued by Google for the service account.
This function:
1. Generates a JWT signed with the service account's private key
containing a special "target_audience" claim.
2. Sends it to the OAUTH_TOKEN_URI endpoint. Because the JWT in #1
has a target_audience claim, that endpoint will respond with
an OpenID Connect token for the service account -- in other words,
a JWT signed by *Google*. The aud claim in this JWT will be
set to the value from the target_audience claim in #1.
For more information, see
https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
The HTTP/REST example on that page describes the JWT structure and
demonstrates how to call the token endpoint. (The example on that page
shows how to get an OAuth2 access token; this code is using a
modified version of it to get an OpenID Connect token.)
"""
service_account_jwt = (
service_account_credentials._make_authorization_grant_assertion())
request = google.auth.transport.requests.Request()
body = {
'assertion': service_account_jwt,
'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
}
token_response = google.oauth2._client._token_endpoint_request(
request, OAUTH_TOKEN_URI, body)
return token_response['id_token']