How to secure API Gateway via either JWT or API key?

Hi folks,

I'm configuring API Gateway to expose endpoints that can be used by my Firebase app using OAuth2. I'm trying to think of my app as just one possible client of the API. I plan to support API keys for developers to access the same functionality.

Specifying security based only on API keys or only on Firebase OAuth2 works just fine. But as soon as I specify both, there's a problem. If I invoke an endpoint without specifying a JWT, the gateway responds with:

{
    "code": 401,
    "message": "Jwt is missing"
}

I think my OpenAPI 2.0 spec conforms to the standard. Here's the relevant part of my configuration:

security:
  - ApiKey: []
  - Firebase: []

securityDefinitions:
  ApiKey:
    type: apiKey
    name: x-api-key
    in: header
  Firebase:
    authorizationUrl: ""
    type: oauth2
    x-google-issuer: https://securetoken.google.com/<MY_PROJECT_ID>
    x-google-jwks_uri: https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com
    x-google-audiences: <MY_PROJECT_ID>

I also tried swapping out Firebase authentication for another form of JWT, but the issue persists.

What am I doing wrong here? Is there a bug in API Gateway that prevents the use of either JWT or API key? If this is not possible, could you suggest a workaround? Worst case, I could have two versions of the API: one secured by API key and another secured by OAuth2, but I'd really like to avoid that messy duplication.

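To make the "either JWT or API key" question concrete, here is an added example (not from the original post and not API Gateway's own code) that evaluates an OpenAPI 2.0 `security` block against the credentials present on a request using the spec's own semantics: the outer list is a set of alternatives (OR), the keys inside one requirement object must all be met (AND). The scheme and header names are the ones from the question; the request headers are constructed samples.

```python
# Added example, not from the original post or Google's API Gateway code:
# it evaluates an OpenAPI 2.0 `security` block against the credentials
# present on a request, using the spec's own semantics. The scheme and
# header names come from the question; the request samples are constructed.

# Mirrors the question's securityDefinitions (placeholders kept as posted).
SECURITY_DEFINITIONS = {
    "ApiKey": {"type": "apiKey", "name": "x-api-key", "in": "header"},
    "Firebase": {
        "type": "oauth2",
        "x-google-issuer": "https://securetoken.google.com/<MY_PROJECT_ID>",
        "x-google-audiences": "<MY_PROJECT_ID>",
    },
}

# OR form, exactly as in the question: two requirement objects, so a request
# satisfying either one should pass.
SECURITY_EITHER = [{"ApiKey": []}, {"Firebase": []}]

# AND form: one requirement object naming both schemes, so both are required.
SECURITY_BOTH = [{"ApiKey": [], "Firebase": []}]


def scheme_present(scheme_name, headers):
    """True if the request carries the credential for one scheme.

    Presence only: no signature, issuer or audience validation happens here.
    """
    defn = SECURITY_DEFINITIONS[scheme_name]
    lower = {k.lower(): v for k, v in headers.items()}
    if defn["type"] == "apiKey" and defn["in"] == "header":
        return bool(lower.get(defn["name"].lower()))
    if defn["type"] == "oauth2":
        # Bearer JWT in the Authorization header, as Firebase clients send it.
        auth = lower.get("authorization", "")
        return auth.startswith("Bearer ") and len(auth) > len("Bearer ")
    return False


def satisfied(security, headers):
    """Spec semantics: pass if any requirement object has all its schemes present."""
    return any(all(scheme_present(s, headers) for s in req) for req in security)


if __name__ == "__main__":
    key_only = {"x-api-key": "constructed-demo-key"}
    jwt_only = {"Authorization": "Bearer <constructed.demo.jwt>"}
    for label, hdrs in [("api key only", key_only), ("jwt only", jwt_only), ("neither", {})]:
        print(f"{label:13s} either={satisfied(SECURITY_EITHER, hdrs)} "
              f"both={satisfied(SECURITY_BOTH, hdrs)}")
```

Under the spec's reading, the question's two-item list should accept an API-key-only request; a 401 "Jwt is missing" on such a request is the outcome one would expect from the single-object AND form, which is a useful distinction to check when comparing a spec against what the gateway enforces.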

Ah, I've finally found a couple of resources that partially answer my question. They're related to Cloud Endpoints, but I think the information also applies to API Gateway.

In short, the documentation says "API keys are for projects, authentication is for users." This is still unclear to me, though. If I want to support external developers (with rate limits, quotas, billing, etc.), am I expected to generate a JWT for them, which they would provide in all calls to my API? I was under the impression that API Gateway was meant to provide this kind of infrastructure, but maybe I was mistaken.

Hi Bryson! Did you solve this issue? We also want to support external developers and are running into the same limitations as you. So it would be of great interest to hear if/how you got around it.