allowed_client_ids is not supported in @endpoints.api
According to the documentation below, allowed_clients_id is supported in both @endpoints.api and @endpoints.method, with the specific setting overriding the general setting.
When I have allowed_clients_id defined in @endpoints.method, it validates the JWT fine.
When I moved allowed_clients_id to @endpoints.api, it gives the following error:
Cannot decode and verify the auth token. The backend will not be able to retrieve user info
Traceback (most recent call last):
  File "/base/data/home/apps/p~cds-dev-155819/stdendpoints:test-client-id.401183766245752589/lib/endpoints_management/control/wsgi.py", line 593, in __call__
    service_name)
  File "/base/data/home/apps/p~cds-dev-155819/stdendpoints:test-client-id.401183766245752589/lib/endpoints_management/auth/tokens.py", line 104, in authenticate
    raise suppliers.UnauthenticatedException(u"Audiences not allowed")
UnauthenticatedException: Audiences not allowed
I've just stumbled on the same bug. The allowed_clients_id configuration doesn't work when specified at @endpoints.api level. So basically, if you set the audience argument in @endpoints.api, you can access the API with any service account that uses the same audience value when generating a Google ID token, and it doesn't matter what is set in allowed_clients_id.
At the same time, everything works as expected when allowed_clients_id is configured in @endpoints.method.
This actually looks like a pretty serious security issue and there have been no comments on it for over eight months now. Could someone please have a look into this and at least confirm the issue?
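The two reports above both concern the same check: a Google ID token must carry an allowed audience and must have been issued to an allowed client id, with a method-level allowed_client_ids overriding the api-level one. The following is an added illustration written for this page, not code from Cloud Endpoints Frameworks; it models that check in plain Python so the effect of skipping the api-level allow-list (the behaviour the second comment describes) can be seen directly. The decorator settings, service-account names and token payloads are constructed sample values, and signature verification of the token is out of scope here.

```python
# Added example, not Cloud Endpoints' own code: models the audience / client-id
# authorization that @endpoints.api(audiences=..., allowed_client_ids=...) and
# @endpoints.method(...) are documented to apply.  All values are constructed.

# Settings as they would sit on the decorators (constructed values).
API_LEVEL = {
    "audiences": ["https://api.example.test"],
    "allowed_client_ids": ["sa-frontend@example.test"],
}
# Same allow-list, but placed on the method, which is the working configuration.
METHOD_LEVEL_OVERRIDE = {"allowed_client_ids": ["sa-frontend@example.test"]}

# Constructed decoded ID-token payloads.  'aud' is the recipient, 'azp' the
# party the token was issued to (Google omits 'azp' when it equals 'aud').
TRUSTED_CALLER = {
    "iss": "https://accounts.google.com",
    "aud": "https://api.example.test",
    "azp": "sa-frontend@example.test",
    "email": "sa-frontend@example.test",
}
# A different service account that minted a token for the same audience.
OTHER_CALLER = {
    "iss": "https://accounts.google.com",
    "aud": "https://api.example.test",
    "azp": "sa-other@example.test",
    "email": "sa-other@example.test",
}


def effective(key, api_config, method_config):
    """Method-level setting wins; otherwise fall back to the api-level one."""
    if method_config is not None and method_config.get(key) is not None:
        return method_config[key]
    return api_config.get(key)


def check_token(payload, audiences, allowed_client_ids):
    """Return (ok, reason) for a decoded ID-token payload."""
    aud = payload.get("aud")
    if not audiences or aud not in audiences:
        return False, "Audiences not allowed"
    caller = payload.get("azp", aud)
    if not allowed_client_ids:
        # No client-id restriction: every caller sharing the audience is admitted.
        return True, "audience only, no client id restriction"
    if caller not in allowed_client_ids:
        return False, "client id not allowed"
    return True, "ok"


def authorize(payload, api_config, method_config=None, honour_api_level=True):
    """Authorize a call.

    honour_api_level=False reproduces the reported behaviour, in which the
    allowed_client_ids given on @endpoints.api is never consulted and only a
    method-level allow-list counts.
    """
    audiences = effective("audiences", api_config, method_config)
    if honour_api_level:
        allowed = effective("allowed_client_ids", api_config, method_config)
    else:
        allowed = (method_config or {}).get("allowed_client_ids")
    return check_token(payload, audiences, allowed)


if __name__ == "__main__":
    print("documented behaviour, api-level list:",
          authorize(OTHER_CALLER, API_LEVEL))
    print("reported behaviour, api-level list:  ",
          authorize(OTHER_CALLER, API_LEVEL, honour_api_level=False))
    print("reported behaviour, method-level list:",
          authorize(OTHER_CALLER, API_LEVEL, METHOD_LEVEL_OVERRIDE,
                    honour_api_level=False))
```

Run as a script it prints the three outcomes side by side: with the api-level allow-list honoured the second service account is rejected with "client id not allowed"; with it ignored the same token is accepted on audience alone, which is the exposure described above; and moving the allow-list to the method restores the rejection. A practical check for a deployment is therefore to call an endpoint with a token from a service account that is not in allowed_client_ids but uses the configured audience, and confirm it is refused.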