Autentikasi untuk langganan push

Jika langganan push menggunakan autentikasi, layanan Pub/Sub akan menandatangani JWT dan mengirimkan JWT di header otorisasi permintaan push. JWT mencakup klaim dan tanda tangan.

Pelanggan dapat memvalidasi JWT dan memverifikasi hal berikut:

Klaim tersebut akurat.
Layanan Pub/Sub menandatangani klaim.

Jika pelanggan menggunakan firewall, mereka tidak dapat menerima permintaan push. Untuk menerima permintaan push, Anda harus menonaktifkan firewall dan memverifikasi JWT.

Sebelum memulai

Pelajari langganan.
Pahami cara kerja langganan push.
Buat langganan push.

Format JWT

JWT adalah OpenIDConnect JWT yang terdiri dari header, kumpulan klaim, dan tanda tangan. Layanan Pub/Sub mengenkode JWT sebagai string base64 dengan pembatas titik.

Misalnya, header otorisasi berikut menyertakan JWT yang dienkode:

"Authorization" : "Bearer
eyJhbGciOiJSUzI1NiIsImtpZCI6IjdkNjgwZDhjNzBkNDRlOTQ3MTMzY2JkNDk5ZWJjMWE2MWMzZDVh
YmMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2V4YW1wbGUuY29tIiwiYXpwIjoiMTEzNzc0M
jY0NDYzMDM4MzIxOTY0IiwiZW1haWwiOiJnYWUtZ2NwQGFwcHNwb3QuZ3NlcnZpY2VhY2NvdW50LmNvb
SIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJleHAiOjE1NTAxODU5MzUsImlhdCI6MTU1MDE4MjMzNSwia
XNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTEzNzc0MjY0NDYzMDM4MzIxO
TY0In0.QVjyqpmadTyDZmlX2u3jWd1kJ68YkdwsRZDo-QxSPbxjug4ucLBwAs2QePrcgZ6hhkvdc4UHY
4YF3fz9g7XHULNVIzX5xh02qXEH8dK6PgGndIWcZQzjSYfgO-q-R2oo2hNM5HBBsQN4ARtGK_acG-NGG
WM3CQfahbEjZPAJe_B8M7HfIu_G5jOLZCw2EUcGo8BvEwGcLWB2WqEgRM0-xt5-UPzoa3-FpSPG7DHk7
z9zRUeq6eB__ldb-2o4RciJmjVwHgnYqn3VvlX9oVKEgXpNFhKuYA-mWh5o7BCwhujSMmFoBOh6mbIXF
cyf5UiVqKjpqEbqPGo_AvKvIQ9VTQ"

Header dan kumpulan klaim adalah string JSON. Setelah didekode, bentuknya seperti berikut:

{"alg":"RS256","kid":"7d680d8c70d44e947133cbd499ebc1a61c3d5abc","typ":"JWT"}

{
   "aud":"https://example.com",
   "azp":"113774264463038321964",
   "email":"gae-gcp@appspot.gserviceaccount.com",
   "sub":"113774264463038321964",
   "email_verified":true,
   "exp":1550185935,
   "iat":1550182335,
   "iss":"https://accounts.google.com"
  }

Token yang dilampirkan ke permintaan yang dikirim ke endpoint push mungkin memerlukan waktu hingga satu jam.

Mengonfigurasi Pub/Sub untuk autentikasi push

Contoh berikut menunjukkan cara menetapkan akun layanan push auth ke akun layanan pilihan Anda dan cara memberikan peran iam.serviceAccountTokenCreator kepada akun layanan yang dikelola Google service-{PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com.

Konsol

Buka halaman Pub/Sub Subscriptions.

Buka halaman Subscription
Klik Buat langganan.
Di kolom ID Langganan, masukkan nama.
Pilih topik.
Pilih Push sebagai Jenis pengiriman.
Masukkan URL titik akhir.
Centang Aktifkan autentikasi.
Pilih akun layanan.
Pastikan akun layanan yang dikelola Google service-{PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com memiliki peran iam.serviceAccountTokenCreator di dasbor IAM project Anda. Jika akun layanan belum diberi peran, klik Berikan di dasbor IAM untuk melakukannya.
Opsional: Masukkan audiens.
Klik Create.

gcloud

# Configure the push subscription
gcloud pubsub subscriptions (create|update|modify-push-config) ${SUBSCRIPTION} \
 --topic=${TOPIC} \
 --push-endpoint=${PUSH_ENDPOINT_URI} \
 --push-auth-service-account=${SERVICE_ACCOUNT_EMAIL} \
 --push-auth-token-audience=${OPTIONAL_AUDIENCE_OVERRIDE}

# Your Google-managed service account
# `service-{PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com` needs to have the
# `iam.serviceAccountTokenCreator` role.
PUBSUB_SERVICE_ACCOUNT="service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
 --member="serviceAccount:${PUBSUB_SERVICE_ACCOUNT}"\
 --role='roles/iam.serviceAccountTokenCreator'

Saat mengaktifkan autentikasi untuk langganan push, Anda mungkin mengalami error permission denied atau not authorized. Untuk mengatasi masalah ini, berikan izin iam.serviceAccounts.actAs kepada akun utama yang memulai pembuatan atau pembaruan langganan di akun layanan. Untuk mengetahui informasi selengkapnya, lihat Autentikasi di bagian "Membuat langganan push".

Jika Anda menggunakan langganan push terautentikasi dengan aplikasi App Engine yang dilindungi dengan Identity-Aware Proxy, Anda harus memberikan Client ID IAP sebagai audiens token autentikasi push. Untuk mengaktifkan IAP pada aplikasi App Engine, lihat Mengaktifkan IAP. Untuk menemukan client ID IAP, cari Client ID IAP-App-Engine-app di halaman Credentials.

Klaim

JWT dapat digunakan untuk memvalidasi bahwa klaim, termasuk klaim email dan aud, ditandatangani oleh Google. Untuk informasi selengkapnya tentang cara penggunaan OAuth 2.0 API Google untuk autentikasi dan otorisasi, lihat OpenID Connect.

Ada dua mekanisme yang membuat klaim ini bermakna. Pertama, Pub/Sub mengharuskan pengguna atau akun layanan melakukan panggilan CreateSubscription, UpdateSubscription, atauModifyPushConfig agar memiliki peran dengan izin iam.serviceAccounts.actAs di akun layanan push auth. Contoh peran ini adalah peran roles/iam.serviceAccountUser.

Kedua, akses ke sertifikat yang digunakan untuk menandatangani token dikontrol secara ketat. Untuk membuat token, Pub/Sub harus memanggil layanan Google internal menggunakan identitas akun layanan penandatanganan terpisah, yang merupakan akun layanan yang dikelola Google service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com. Akun layanan penandatanganan ini harus memiliki izin iam.serviceAccounts.getOpenIdToken atau peran Service Account Token Creator (roles/iam.serviceAccountTokenCreator) di akun layanan push auth (atau di resource ancestor mana pun, seperti project, dari akun layanan push auth).

Memvalidasi token

Memvalidasi token yang dikirim oleh Pub/Sub ke endpoint push melibatkan:

Memeriksa integritas token menggunakan validasi tanda tangan.
Memastikan bahwa klaim email dan audience dalam token cocok dengan nilai yang ditetapkan dalam konfigurasi langganan push.

Contoh berikut menggambarkan cara mengautentikasi permintaan push ke aplikasi App Engine yang tidak diamankan dengan Identity-Aware Proxy. Jika aplikasi App Engine Anda diamankan dengan IAP, header permintaan HTTP yang berisi JWT IAP adalah x-goog-iap-jwt-assertion dan harus divalidasi sebagaimana mestinya.

protokol

Permintaan:

GET https://oauth2.googleapis.com/tokeninfo?id_token={BEARER_TOKEN}

Respons:

200 OK

{
    "alg": "RS256",
    "aud": "example.com",
    "azp": "104176025330667568672",
    "email": "{SERVICE_ACCOUNT_NAME}@{YOUR_PROJECT_NAME}.iam.gserviceaccount.com",
    "email_verified": "true",
    "exp": "1555463097",
    "iat": "1555459497",
    "iss": "https://accounts.google.com",
    "kid": "3782d3f0bc89008d9d2c01730f765cfb19d3b70e",
    "sub": "104176025330667568672",
    "typ": "JWT"
}

C#

Sebelum mencoba contoh ini, ikuti petunjuk penyiapan C# di Panduan Memulai: Menggunakan Library Klien. Untuk informasi selengkapnya, lihat dokumentasi referensi Pub/Sub C# API.

        /// <summary>
        /// Extended JWT payload to match the pubsub payload format.
        /// </summary>
        public class PubSubPayload : JsonWebSignature.Payload
        {
            [JsonProperty("email")]
            public string Email { get; set; }
            [JsonProperty("email_verified")]
            public string EmailVerified { get; set; }
        }
        /// <summary>
        /// Handle authenticated push request coming from pubsub.
        /// </summary>
        [HttpPost]
        [Route("/AuthPush")]
        public async Task<IActionResult> AuthPushAsync([FromBody] PushBody body, [FromQuery] string token)
        {
            // Get the Cloud Pub/Sub-generated "Authorization" header.
            string authorizaionHeader = HttpContext.Request.Headers["Authorization"];
            string verificationToken = token ?? body.message.attributes["token"];
            // JWT token comes in `Bearer <JWT>` format substring 7 specifies the position of first JWT char.
            string authToken = authorizaionHeader.StartsWith("Bearer ") ? authorizaionHeader.Substring(7) : null;
            if (verificationToken != _options.VerificationToken || authToken is null)
            {
                return new BadRequestResult();
            }
            // Verify and decode the JWT.
            // Note: For high volume push requests, it would save some network
            // overhead if you verify the tokens offline by decoding them using
            // Google's Public Cert; caching already seen tokens works best when
            // a large volume of messages have prompted a single push server to
            // handle them, in which case they would all share the same token for
            // a limited time window.
            var payload = await JsonWebSignature.VerifySignedTokenAsync<PubSubPayload>(authToken);

            // IMPORTANT: you should validate payload details not covered
            // by signature and audience verification above, including:
            //   - Ensure that `payload.Email` is equal to the expected service
            //     account set up in the push subscription settings.
            //   - Ensure that `payload.Email_verified` is set to true.

            var messageBytes = Convert.FromBase64String(body.message.data);
            string message = System.Text.Encoding.UTF8.GetString(messageBytes);
            s_authenticatedMessages.Add(message);
            return new OkResult();
        }

Go

// receiveMessagesHandler validates authentication token and caches the Pub/Sub
// message received.
func (a *app) receiveMessagesHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != "POST" {
		http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
		return
	}

	// Verify that the request originates from the application.
	// a.pubsubVerificationToken = os.Getenv("PUBSUB_VERIFICATION_TOKEN")
	if token, ok := r.URL.Query()["token"]; !ok || len(token) != 1 || token[0] != a.pubsubVerificationToken {
		http.Error(w, "Bad token", http.StatusBadRequest)
		return
	}

	// Get the Cloud Pub/Sub-generated JWT in the "Authorization" header.
	authHeader := r.Header.Get("Authorization")
	if authHeader == "" || len(strings.Split(authHeader, " ")) != 2 {
		http.Error(w, "Missing Authorization header", http.StatusBadRequest)
		return
	}
	token := strings.Split(authHeader, " ")[1]
	// Verify and decode the JWT.
	// If you don't need to control the HTTP client used you can use the
	// convenience method idtoken.Validate instead of creating a Validator.
	v, err := idtoken.NewValidator(r.Context(), option.WithHTTPClient(a.defaultHTTPClient))
	if err != nil {
		http.Error(w, "Unable to create Validator", http.StatusBadRequest)
		return
	}
	// Please change http://example.com to match with the value you are
	// providing while creating the subscription.
	payload, err := v.Validate(r.Context(), token, "http://example.com")
	if err != nil {
		http.Error(w, fmt.Sprintf("Invalid Token: %v", err), http.StatusBadRequest)
		return
	}
	if payload.Issuer != "accounts.google.com" && payload.Issuer != "https://accounts.google.com" {
		http.Error(w, "Wrong Issuer", http.StatusBadRequest)
		return
	}

	// IMPORTANT: you should validate claim details not covered by signature
	// and audience verification above, including:
	//   - Ensure that `payload.Claims["email"]` is equal to the expected service
	//     account set up in the push subscription settings.
	//   - Ensure that `payload.Claims["email_verified"]` is set to true.
	if payload.Claims["email"] != "test-service-account-email@example.com" || payload.Claims["email_verified"] != true {
		http.Error(w, "Unexpected email identity", http.StatusBadRequest)
		return
	}

	var pr pushRequest
	if err := json.NewDecoder(r.Body).Decode(&pr); err != nil {
		http.Error(w, fmt.Sprintf("Could not decode body: %v", err), http.StatusBadRequest)
		return
	}

	a.messagesMu.Lock()
	defer a.messagesMu.Unlock()
	// Limit to ten.
	a.messages = append(a.messages, pr.Message.Data)
	if len(a.messages) > maxMessages {
		a.messages = a.messages[len(a.messages)-maxMessages:]
	}

	fmt.Fprint(w, "OK")
}

Java

@WebServlet(value = "/pubsub/authenticated-push")
public class PubSubAuthenticatedPush extends HttpServlet {
  private final String pubsubVerificationToken = System.getenv("PUBSUB_VERIFICATION_TOKEN");
  private final MessageRepository messageRepository;
  private final GoogleIdTokenVerifier verifier =
      new GoogleIdTokenVerifier.Builder(new NetHttpTransport(), new GsonFactory())
          /**
           * Please change example.com to match with value you are providing while creating
           * subscription as provided in @see <a
           * href="https://github.com/GoogleCloudPlatform/java-docs-samples/tree/main/appengine-java8/pubsub">README</a>.
           */
          .setAudience(Collections.singletonList("example.com"))
          .build();
  private final Gson gson = new Gson();

  @Override
  public void doPost(HttpServletRequest req, HttpServletResponse resp)
      throws IOException, ServletException {

    // Verify that the request originates from the application.
    if (req.getParameter("token").compareTo(pubsubVerificationToken) != 0) {
      resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
      return;
    }
    // Get the Cloud Pub/Sub-generated JWT in the "Authorization" header.
    String authorizationHeader = req.getHeader("Authorization");
    if (authorizationHeader == null
        || authorizationHeader.isEmpty()
        || authorizationHeader.split(" ").length != 2) {
      resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
      return;
    }
    String authorization = authorizationHeader.split(" ")[1];

    try {
      // Verify and decode the JWT.
      // Note: For high volume push requests, it would save some network overhead
      // if you verify the tokens offline by decoding them using Google's Public
      // Cert; caching already seen tokens works best when a large volume of
      // messsages have prompted a single push server to handle them, in which
      // case they would all share the same token for a limited time window.
      GoogleIdToken idToken = verifier.verify(authorization);

      GoogleIdToken.Payload payload = idToken.getPayload();
      // IMPORTANT: you should validate claim details not covered by signature
      // and audience verification above, including:
      //   - Ensure that `payload.getEmail()` is equal to the expected service
      //     account set up in the push subscription settings.
      //   - Ensure that `payload.getEmailVerified()` is set to true.

      messageRepository.saveToken(authorization);
      messageRepository.saveClaim(payload.toPrettyString());
      // parse message object from "message" field in the request body json
      // decode message data from base64
      Message message = getMessage(req);
      messageRepository.save(message);
      // 200, 201, 204, 102 status codes are interpreted as success by the Pub/Sub system
      resp.setStatus(102);
      super.doPost(req, resp);
    } catch (Exception e) {
      resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
    }
  }

  private Message getMessage(HttpServletRequest request) throws IOException {
    String requestBody = request.getReader().lines().collect(Collectors.joining("\n"));
    JsonElement jsonRoot = JsonParser.parseString(requestBody).getAsJsonObject();
    String messageStr = jsonRoot.getAsJsonObject().get("message").toString();
    Message message = gson.fromJson(messageStr, Message.class);
    // decode from base64
    String decoded = decode(message.getData());
    message.setData(decoded);
    return message;
  }

  private String decode(String data) {
    return new String(Base64.getDecoder().decode(data));
  }

  PubSubAuthenticatedPush(MessageRepository messageRepository) {
    this.messageRepository = messageRepository;
  }

  public PubSubAuthenticatedPush() {
    this(MessageRepositoryImpl.getInstance());
  }
}

Node.js

app.post('/pubsub/authenticated-push', jsonBodyParser, async (req, res) => {
  // Verify that the request originates from the application.
  if (req.query.token !== PUBSUB_VERIFICATION_TOKEN) {
    res.status(400).send('Invalid request');
    return;
  }

  // Verify that the push request originates from Cloud Pub/Sub.
  try {
    // Get the Cloud Pub/Sub-generated JWT in the "Authorization" header.
    const bearer = req.header('Authorization');
    const [, token] = bearer.match(/Bearer (.*)/);
    tokens.push(token);

    // Verify and decode the JWT.
    // Note: For high volume push requests, it would save some network
    // overhead if you verify the tokens offline by decoding them using
    // Google's Public Cert; caching already seen tokens works best when
    // a large volume of messages have prompted a single push server to
    // handle them, in which case they would all share the same token for
    // a limited time window.
    const ticket = await authClient.verifyIdToken({
      idToken: token,
      audience: 'example.com',
    });

    const claim = ticket.getPayload();

    // IMPORTANT: you should validate claim details not covered
    // by signature and audience verification above, including:
    //   - Ensure that `claim.email` is equal to the expected service
    //     account set up in the push subscription settings.
    //   - Ensure that `claim.email_verified` is set to true.

    claims.push(claim);
  } catch (e) {
    res.status(400).send('Invalid token');
    return;
  }

  // The message is a unicode string encoded in base64.
  const message = Buffer.from(req.body.message.data, 'base64').toString(
    'utf-8'
  );

  messages.push(message);

  res.status(200).send();
});

Python

@app.route("/push-handlers/receive_messages", methods=["POST"])
def receive_messages_handler():
    # Verify that the request originates from the application.
    if request.args.get("token", "") != current_app.config["PUBSUB_VERIFICATION_TOKEN"]:
        return "Invalid request", 400

    # Verify that the push request originates from Cloud Pub/Sub.
    try:
        # Get the Cloud Pub/Sub-generated JWT in the "Authorization" header.
        bearer_token = request.headers.get("Authorization")
        token = bearer_token.split(" ")[1]
        TOKENS.append(token)

        # Verify and decode the JWT. `verify_oauth2_token` verifies
        # the JWT signature, the `aud` claim, and the `exp` claim.
        # Note: For high volume push requests, it would save some network
        # overhead if you verify the tokens offline by downloading Google's
        # Public Cert and decode them using the `google.auth.jwt` module;
        # caching already seen tokens works best when a large volume of
        # messages have prompted a single push server to handle them, in which
        # case they would all share the same token for a limited time window.
        claim = id_token.verify_oauth2_token(
            token, requests.Request(), audience="example.com"
        )

        # IMPORTANT: you should validate claim details not covered by signature
        # and audience verification above, including:
        #   - Ensure that `claim["email"]` is equal to the expected service
        #     account set up in the push subscription settings.
        #   - Ensure that `claim["email_verified"]` is set to true.

        CLAIMS.append(claim)
    except Exception as e:
        return f"Invalid token: {e}\n", 400

    envelope = json.loads(request.data.decode("utf-8"))
    payload = base64.b64decode(envelope["message"]["data"])
    MESSAGES.append(payload)
    # Returning any 2xx status indicates successful receipt of the message.
    return "OK", 200

Ruby

post "/pubsub/authenticated-push" do
  halt 400 if params[:token] != PUBSUB_VERIFICATION_TOKEN

  begin
    bearer = request.env["HTTP_AUTHORIZATION"]
    token = /Bearer (.*)/.match(bearer)[1]
    claim = Google::Auth::IDTokens.verify_oidc token, aud: "example.com"

    # IMPORTANT: you should validate claim details not covered by signature
    # and audience verification above, including:
    #   - Ensure that `claim["email"]` is equal to the expected service
    #     account set up in the push subscription settings.
    #   - Ensure that `claim["email_verified"]` is set to true.

    claims.push claim
  rescue Google::Auth::IDTokens::VerificationError => e
    puts "VerificationError: #{e.message}"
    halt 400, "Invalid token"
  end

  message = JSON.parse request.body.read
  payload = Base64.decode64 message["message"]["data"]

  messages.push payload
end

Untuk mengetahui informasi tentang variabel lingkungan PUBSUB_VERIFICATION_TOKEN yang digunakan dalam contoh kode di atas, lihat Menulis dan merespons pesan Pub/Sub.

Temukan contoh tambahan tentang cara memvalidasi JWT pemilik di artikel Panduan Login dengan Google untuk Situs ini. Ringkasan token OpenID yang lebih luas tersedia di Panduan OpenID Connect, termasuk daftar library klien yang membantu memvalidasi JWT.

Autentikasi dari layanan Google Cloud lainnya

Cloud Run, App Engine, dan Cloud Functions mengautentikasi panggilan HTTP dari Pub/Sub dengan memverifikasi token yang dihasilkan Pub/Sub. Satu-satunya konfigurasi yang Anda butuhkan adalah memberikan peran IAM yang diperlukan ke akun pemanggil.

Lihat panduan dan tutorial berikut untuk berbagai kasus penggunaan layanan ini:

Cloud Run

Pemicuan dari Pub/Sub push: Akun layanan push auth Anda harus memiliki peran roles/run.invoker dan terikat dengan layanan Cloud Run untuk memanggil layanan Cloud Run yang sesuai
Tutorial menggunakan Pub/Sub dengan Cloud Run

App Engine

Menulis dan Merespons Pesan Pub/Sub

Cloud Functions

Pemicu HTTP: Akun layanan push auth Anda harus memiliki peran roles/cloudfunctions.invoker untuk memanggil fungsi jika Anda ingin menggunakan permintaan push Pub/Sub sebagai pemicu HTTP ke fungsi tersebut
Pemicu Google Cloud Pub/Sub: Peran dan izin IAM dikonfigurasi secara otomatis jika Anda menggunakan pemicu Pub/Sub untuk memanggil fungsi

Catatan: Dalam runtime App Engine generasi pertama, permintaan kirim ke URL endpoint dengan format /_ah/push-handlers/.* dalam project yang sama diizinkan sebagai pengguna admin. Mekanisme ACL ini tidak lagi didukung pada runtime App Engine generasi kedua. Pada runtime App Engine generasi kedua, berikan peran IAM untuk admin ke akun layanan push auth yang dikonfigurasi dengan langganan push Anda. Untuk mengetahui detail selengkapnya, buka Mengautentikasi Pengguna dan Memahami Kontrol Akses.