API网关/代理配置中API访问令牌的NGINX服务调用
我有一个nginx网关,其配置类似于使用nginx Javascript mod(njs)的googlecloudapi的API网关反向代理 我的default.conf如下所示:API网关/代理配置中API访问令牌的NGINX服务调用,nginx,google-cloud-platform,njs,Nginx,Google Cloud Platform,Njs,我有一个nginx网关,其配置类似于使用nginx Javascript mod(njs)的googlecloudapi的API网关反向代理 我的default.conf如下所示: js_include conf.d/oauth2.js; # Location of JavaScript code js_set $gToken getGoogleAccessToken; server { listen 80; server_name test.apigat
js_include conf.d/oauth2.js; # Location of JavaScript code
js_set $gToken getGoogleAccessToken;
server {
listen 80;
server_name test.apigateway.com;
location / {
proxy_set_header Authorization $gToken;
proxy_pass https://GoogleApithatRequiresAuthentcationURL;
}
location /_oauth_google {
internal;
proxy_method GET;
proxy_set_header Authorization "";
proxy_pass http://localhost:19006/get-token;
}
function getGoogleAccessToken(r) {
r.subrequest('/_oauth_google',
function(reply) {
if (reply.status == 200) {
var response = JSON.parse(reply.responseBody);
if (response.access_token !== undefined) {
r.log(response.access_token)
return("Bearer " + response.access_token); // Token is valid, return token
} else {
r.return(401); // Token is invalid, return forbidden code
}
} else {
r.return(401); // Unexpected response, return 'auth required'
}
}
)
}
我的oath2.js njs(Javascript)如下所示:
js_include conf.d/oauth2.js; # Location of JavaScript code
js_set $gToken getGoogleAccessToken;
server {
listen 80;
server_name test.apigateway.com;
location / {
proxy_set_header Authorization $gToken;
proxy_pass https://GoogleApithatRequiresAuthentcationURL;
}
location /_oauth_google {
internal;
proxy_method GET;
proxy_set_header Authorization "";
proxy_pass http://localhost:19006/get-token;
}
function getGoogleAccessToken(r) {
r.subrequest('/_oauth_google',
function(reply) {
if (reply.status == 200) {
var response = JSON.parse(reply.responseBody);
if (response.access_token !== undefined) {
r.log(response.access_token)
return("Bearer " + response.access_token); // Token is valid, return token
} else {
r.return(401); // Token is invalid, return forbidden code
}
} else {
r.return(401); // Unexpected response, return 'auth required'
}
}
)
}
在上有一个伴随令牌服务http://localhost:19006/get-mints RS-SHA256 JWT(见下面的代码)的令牌,并管理和返回Google访问令牌。这项服务没有问题
在调试模式下,代码几乎按照NGINX日志文件运行。尽管r.log(response.access_token)已写入调试日志,但当代理调用Google API时,$gToken的值似乎为null或空
日志似乎表明对js_的调用设置了$gToken getGoogleAccessToken代码>未阻塞,因此
proxy\u passhttps://GoogleApithatRequiresAuthentcationURL
在设置$gToken
之前执行。js_set
的文档表明,应在首次访问变量时对其进行设置,以便在调用proxy_set_头授权$gToken
时进行设置;调用的调试日志中不存在授权标头https://GoogleApithatRequiresAuthentcationURL
任何如何使这项工作的想法将不胜感激。没有任何真正好的nginx方法需要令牌来代理API
以下是管理NGINX代理的google令牌的google令牌服务的工作代码,但这可以适用于其他令牌服务:
const jsrsasign = require('jsrsasign');
const fs = require('fs');
const axios = require('axios');
const express = require('express');
const port = process.env.PORT || 19006;
const app = express();
const NodeCache = require( "node-cache" );
const myCache = new NodeCache();
var querystring = require('querystring');
app.get('/get-g-token', async (req, res) => {
var gToken = myCache.get("gToken");
if (gToken === undefined) {
const sJWT = getJWT();
try{
const resp = await getGoogleToken(sJWT);
console.log(resp.data);
myCache.set( "gToken", resp.data, 3550 )
res.status = resp.status;
res.send(resp.data);
}
catch(err){
console.log(err);
res.status = 500;
res.send(err.message);
}
}
res.status = 200;
res.send(gToken);
});
function getJWT(){
var kid = "yourgooogleprivatekeyid";
var header = {
"alg": "RS256",
"kid": kid,
"typ": "JWT",
};
var data = {
exp: Math.round(new Date().getTime() / 1000) + 3600,
iat: Math.round(new Date().getTime() / 1000),
iss: "service-account@project.iam.gserviceaccount.com",
aud: "https://oauth2.googleapis.com/token",
scope: "https://www.googleapis.com/auth/cloud-platform",
};
var secret = fs.readFileSync('location-of-service-account.pem');
console.log(secret.toString());
console.log(header);
console.log(data);
var sPayload = JSON.stringify(data);
var sJWT = jsrsasign.KJUR.jws.JWS.sign("RS256", header, sPayload, secret.toString());
console.log(sJWT);
return sJWT;
}
async function getGoogleToken(sJWT) {
try {
let config = {
headers: {
"Content-Type": "application/x-www-form-urlencoded",
}
}
const data = {
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
assertion: sJWT
}
return axios.post('https://oauth2.googleapis.com/token', querystring.stringify(data), config)
} catch (err) {
return err;
}
}
app.listen(port, () => {
console.log(`Listening on port ${port}`);
});