
Google Cloud Endpoints with Firebase user authentication shows "Jwt issuer is not configured"

Hey everyone, 

We're using Google Cloud Endpoints deployed serverless on Cloud Run using the ESPv2 image (2.40.0) with several schemas. The deployment and service itself seem to work quite well, but we've run into an issue regarding JWT authentication for one of the stitched services.

We have followed the documentation on Using Firebase to authenticate users; however, we're seeing requests returning a 401 status with the following message:

```
{
  "code": 401,
  "message": "Jwt issuer is not configured"
}
```

According to Troubleshooting JWT validation, this can happen if the Cloud Run instance running the ESPv2 is not deployed with the `--allow-unauthenticated` flag. In our case, we are setting the flag and can verify the setting in the Cloud Console.

The issuer and audience of the token match the values in the swagger file that is deployed into the ESPv2.
Are there any ways for us to debug further and identify the underlying issue? From the response and logs, it looks like either the ESPv2 or the actual Cloud Run instance is trying to validate the token against a mismatching issuer.


Hi @alx-andru,

Welcome to Google Cloud Community!

 

If you are using Google Cloud Endpoints with Firebase user authentication, and you are seeing the error "Jwt issuer is not configured", this may be because the JWT issuer and audience values in your swagger file do not match the values of the token that is being sent in the request. To resolve this issue, you will need to verify that the JWT issuer and audience values in your swagger file match the values of the token that is being sent in the request.
 
Additionally, you should also make sure that you are deploying your Cloud Run instance with the `--allow-unauthenticated` flag, as this is necessary for JWT authentication to work.
 
If you are still seeing the error after checking these things, you may want to check the Cloud Run logs to see if there are any additional error messages that can help you determine the cause of the issue. You can also try using a tool like Postman to send a request to the endpoint with the JWT token, to see if you get the same error message. If you continue to have issues, you may want to consider reaching out to the Google Cloud support team for more help.
 
Thank you.

Hey @christianpaula,
thank you for the warm welcome and the thorough response.

We found the underlying issue. A few notes on how we approached it. 

Start ESPv2 in debug mode via `--enable_debug` as a startup option. 
We saw in the logs that indeed, the wrong audience was registered for a security definition. 
In our case, we're using multiple API configuration files to manage multiple backwards-incompatible versions of endpoints as well as stitching multiple services into a single API Gateway (not to be mixed up with the API Gateway solution in GCP).
During the deployment, those get combined into a single configuration, and by mistake we had two separate securityDefinitions with the same name but different audiences.
From our observation, the "last" registered wins.

To solve this, we provided unique names to security definitions per individual OpenAPI definition.
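
A pre-deploy check for the collision described in the post above, as an added example that is not part of the original thread or of ESPv2: it scans the parsed OpenAPI files that will be merged and reports any `securityDefinitions` name that appears with different issuer, JWKS URI or audiences. The file names and project IDs are constructed sample data, and the function names are hypothetical.

```python
"""Pre-deploy check: find securityDefinitions that share a name across
OpenAPI files but differ in the JWT settings they declare."""
from collections import defaultdict


def jwt_fingerprint(definition):
    """Normalise the JWT-relevant fields so equal configs compare equal."""
    audiences = definition.get("x-google-audiences", "")
    # Audiences are a comma-separated string; order and spacing do not matter.
    normalised = tuple(sorted(a.strip() for a in audiences.split(",") if a.strip()))
    return (definition.get("x-google-issuer"),
            definition.get("x-google-jwks_uri"),
            normalised)


def find_conflicts(specs):
    """specs: {file name: parsed OpenAPI dict}. Returns {definition name:
    {fingerprint: [files]}} for names with more than one distinct config."""
    seen = defaultdict(lambda: defaultdict(list))
    for filename, spec in specs.items():
        for name, definition in spec.get("securityDefinitions", {}).items():
            seen[name][jwt_fingerprint(definition)].append(filename)
    return {name: dict(variants) for name, variants in seen.items()
            if len(variants) > 1}


def firebase_definition(project):
    """Build a Firebase security definition for a (constructed) project ID."""
    return {"type": "oauth2", "flow": "implicit", "authorizationUrl": "",
            "x-google-issuer": f"https://securetoken.google.com/{project}",
            "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/"
                                 "v1/metadata/x509/securetoken@system.gserviceaccount.com",
            "x-google-audiences": project}


# Constructed sample input: two files reuse the name "firebase" with different audiences.
SAMPLE_SPECS = {
    "orders-v1.yaml": {"securityDefinitions": {"firebase": firebase_definition("example-project-a")}},
    "users-v2.yaml": {"securityDefinitions": {"firebase": firebase_definition("example-project-b")}},
    "billing-v1.yaml": {"securityDefinitions": {"firebase_billing": firebase_definition("example-project-a")}},
}

if __name__ == "__main__":
    for name, variants in find_conflicts(SAMPLE_SPECS).items():
        print(f"securityDefinition '{name}' is defined inconsistently:")
        for (issuer, _jwks, audiences), files in variants.items():
            print(f"  issuer={issuer} audiences={list(audiences)} in {files}")
```

Running this in CI before the configurations are combined fails the build on the collision instead of surfacing it later as a 401 at the gateway.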