我想向API添加一个安全定义,以便在谷歌云调度程序中运行它(使用OIDC令牌和服务帐户(。我的openapi.yml看起来像这样
"/common/test":
post:
description: "test"
operationId: "test"
responses:
200:
description: "Success"
400:
description: "Fail"
security:
- service_account: []
securityDefinitions:
service_account:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
x-google-issuer: "xx@example.iam.gserviceaccount.com"
x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/xx@example.iam.gserviceaccount.com"
但是当我通过云调度程序(使用 OIDC 令牌和服务 account(xx@example.iam.gserviceaccount.com(调用此 API 时它失败了。日志视图显示未经授权的 401。如何修复此错误。
{httpRequest: {status: 401} insertId: "1r9kx9lf2jy71o" jsonPayload: { @type: "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished" jobName: "projects/project-xxx/locations/us-central1/jobs/test" status: "UNAUTHENTICATED" targetType: "HTTP" url: "https://project-xxx.appspot.com/common/test/"} logName: "projects/project-xxx/logs/cloudscheduler.googleapis.com%2Fexecutions" receiveTimestamp: "2020-01-06T06:30:01.000238320Z" resource: { labels: {…} type: "cloud_scheduler_job" }severity: "ERROR" timestamp: "2020-01-06T06:30:01.000238320Z"}
来自Cloud Scheduler的OIDC (openConnectId(令牌与Oauth2授权不兼容。OpenAPI v3 增加了对 OIDC 令牌的支持。