API网关/代理配置中API访问令牌的NGINX服务调用_Nginx_Google Cloud Platform_Njs

API网关/代理配置中API访问令牌的NGINX服务调用

nginx google-cloud-platform

API网关/代理配置中API访问令牌的NGINX服务调用,nginx,google-cloud-platform,njs,Nginx,Google Cloud Platform,Njs,我有一个nginx网关，其配置类似于使用nginx Javascript mod（njs）的googlecloudapi的API网关反向代理我的default.conf如下所示： js_include conf.d/oauth2.js; # Location of JavaScript code js_set $gToken getGoogleAccessToken; server { listen 80; server_name test.apigat

我有一个nginx网关，其配置类似于使用nginx Javascript mod（njs）的googlecloudapi的API网关反向代理

我的default.conf如下所示：

js_include conf.d/oauth2.js; # Location of JavaScript code
js_set $gToken getGoogleAccessToken;

server {
    listen       80;

        server_name test.apigateway.com;


        location / {
                proxy_set_header Authorization $gToken;
                proxy_pass https://GoogleApithatRequiresAuthentcationURL;
        }


        location /_oauth_google {
                internal;
                proxy_method      GET;
                proxy_set_header Authorization "";
                proxy_pass        http://localhost:19006/get-token;
        }



function getGoogleAccessToken(r) {
    r.subrequest('/_oauth_google',
        function(reply) {
            if (reply.status == 200) {
                var response = JSON.parse(reply.responseBody);
                if (response.access_token !== undefined) {
                    r.log(response.access_token)
                    return("Bearer " + response.access_token); // Token is valid, return token
                } else {
                    r.return(401); // Token is invalid, return forbidden code
                }
            } else {
                r.return(401); // Unexpected response, return 'auth required'
            }
        }
   )
}

我的oath2.js njs（Javascript）如下所示：

js_include conf.d/oauth2.js; # Location of JavaScript code
js_set $gToken getGoogleAccessToken;

server {
    listen       80;

        server_name test.apigateway.com;


        location / {
                proxy_set_header Authorization $gToken;
                proxy_pass https://GoogleApithatRequiresAuthentcationURL;
        }


        location /_oauth_google {
                internal;
                proxy_method      GET;
                proxy_set_header Authorization "";
                proxy_pass        http://localhost:19006/get-token;
        }



function getGoogleAccessToken(r) {
    r.subrequest('/_oauth_google',
        function(reply) {
            if (reply.status == 200) {
                var response = JSON.parse(reply.responseBody);
                if (response.access_token !== undefined) {
                    r.log(response.access_token)
                    return("Bearer " + response.access_token); // Token is valid, return token
                } else {
                    r.return(401); // Token is invalid, return forbidden code
                }
            } else {
                r.return(401); // Unexpected response, return 'auth required'
            }
        }
   )
}

在上有一个伴随令牌服务http://localhost:19006/get-mints RS-SHA256 JWT（见下面的代码）的令牌，并管理和返回Google访问令牌。这项服务没有问题

在调试模式下，代码几乎按照NGINX日志文件运行。尽管r.log（response.access_token）已写入调试日志，但当代理调用Google API时，$gToken的值似乎为null或空

日志似乎表明对

js_的调用设置了$gToken getGoogleAccessToken未阻塞，因此
proxy\u passhttps://GoogleApithatRequiresAuthentcationURL
在设置$gToken
之前执行。js_set
的文档表明，应在首次访问变量时对其进行设置，以便在调用proxy_set_头授权$gToken
时进行设置；调用的调试日志中不存在授权标头https://GoogleApithatRequiresAuthentcationURL
任何如何使这项工作的想法将不胜感激。没有任何真正好的nginx方法需要令牌来代理API
以下是管理NGINX代理的google令牌的google令牌服务的工作代码，但这可以适用于其他令牌服务：
const jsrsasign = require('jsrsasign');
const fs = require('fs');
const axios = require('axios');
const express = require('express');
const port = process.env.PORT || 19006;
const app = express();
const NodeCache = require( "node-cache" );
const myCache = new NodeCache();
var querystring = require('querystring');

app.get('/get-g-token', async (req, res) => {
    var gToken = myCache.get("gToken");
    if (gToken === undefined) {
      const sJWT = getJWT();
      try{
          const resp = await getGoogleToken(sJWT);
          console.log(resp.data);
          myCache.set( "gToken", resp.data, 3550 )
          res.status = resp.status;
          res.send(resp.data);
      }
      catch(err){
          console.log(err);
          res.status = 500;
          res.send(err.message);
      }
    }
    res.status = 200;
    res.send(gToken);  
});

function getJWT(){
  var kid = "yourgooogleprivatekeyid";
    var header = {
        "alg": "RS256",
        "kid":  kid,
        "typ": "JWT",
    };
    var data = {
        exp: Math.round(new Date().getTime() / 1000) + 3600,
        iat: Math.round(new Date().getTime() / 1000),
        iss: "service-account@project.iam.gserviceaccount.com",
        aud: "https://oauth2.googleapis.com/token",
        scope: "https://www.googleapis.com/auth/cloud-platform",
    };
    var secret = fs.readFileSync('location-of-service-account.pem');
    console.log(secret.toString());
    console.log(header);
    console.log(data);
    var sPayload = JSON.stringify(data);
    var sJWT = jsrsasign.KJUR.jws.JWS.sign("RS256", header, sPayload, secret.toString());
    console.log(sJWT);
    return sJWT;
}

async function getGoogleToken(sJWT)   {
    try {
      let config = {
            headers: {
              "Content-Type": "application/x-www-form-urlencoded",
            }
      } 
      const data = {
        grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
        assertion: sJWT
      }
      return axios.post('https://oauth2.googleapis.com/token', querystring.stringify(data), config)
    } catch (err) {
      return err;
    }
}
app.listen(port, () => {
    console.log(`Listening on port ${port}`);
});