Endpoints Auth Between Services

endpoints/getting-started/clients/pom.xml

@@ -0,0 +1,62 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>com.example</groupId>
+  <artifactId>example</artifactId>
+  <version>1.0-SNAPSHOT</version>
+  <packaging>jar</packaging>
+
+
+  <!--
+    The parent pom defines common style checks and testing strategies for our samples.
+    Removing or replacing it should not affect the execution of the samples in anyway.
+  -->
+  <parent>
+    <groupId>com.google.cloud.samples</groupId>
+    <artifactId>shared-configuration</artifactId>
+    <version>1.0.10</version>
+  </parent>
+
+
+  <properties>
+    <maven.compiler.source>1.8</maven.compiler.source>
+    <maven.compiler.target>1.8</maven.compiler.target>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.google.api-client</groupId>
+      <artifactId>google-api-client</artifactId>
+      <version>1.28.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.auth0</groupId>
+      <artifactId>java-jwt</artifactId>
+      <version>3.7.0</version>
+    </dependency>
+  </dependencies>
+  <build>
+        <sourceDirectory>src</sourceDirectory>
+        <plugins>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.3</version>
+                <configuration>
+                    <source>1.8</source>
+                    <target>1.8</target>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>exec-maven-plugin</artifactId>
+                <version>1.2.1</version>
+                <configuration>
+                    <mainClass>com.example.app.GoogleJwtClient</mainClass>
+                </configuration>
+            </plugin>
+        </plugins>
+
+    </build>
+
+</project>

endpoints/getting-started/clients/src/main/java/com/example/app/GoogleJwtClient.java

@@ -0,0 +1,104 @@
+/*
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example.app;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTCreator;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+
+import java.io.BufferedReader;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.net.HttpURLConnection;
+import java.net.ProtocolException;
+import java.net.URL;
+import java.security.interfaces.RSAPrivateKey;
+import java.util.Date;
+import java.util.concurrent.TimeUnit;
+
+
+
+/**
+ * JWTClient shows how a client can authenticate with a Cloud Endpoints service
+ */
+public class GoogleJwtClient {
+
+  // [START endpoints_generate_jwt_sa]
+  /**
+   * Generates a signed JSON Web Token using a Google API Service Account
+   * utilizes com.auth0.jwt.
+   */
+  public static String generateJwt(final String saKeyfile, final String saEmail,
+      final String audience, final int expiryLength)
+      throws FileNotFoundException, IOException {
+
+    Date now = new Date();
+    Date expTime = new Date(System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(expiryLength));
+
+    // Build the JWT payload
+    JWTCreator.Builder token = JWT.create()
+        .withIssuedAt(now)
+        // Expires after 'expiraryLength' seconds
+        .withExpiresAt(expTime)
+        // Must match 'issuer' in the security configuration in your
+        // swagger spec (e.g. service account email)
+        .withIssuer(saEmail)
+        // Must be either your Endpoints service name, or match the value
+        // specified as the 'x-google-audience' in the OpenAPI document
+        .withAudience(audience)
+        // Subject and email should match the service account's email
+        .withSubject(saEmail)
+        .withClaim("email", saEmail);
+
+    // Sign the JWT with a service account
+    FileInputStream stream = new FileInputStream(saKeyfile);
+    GoogleCredential cred = GoogleCredential.fromStream(stream);
+    RSAPrivateKey key = (RSAPrivateKey) cred.getServiceAccountPrivateKey();
+    Algorithm algorithm = Algorithm.RSA256(null, key);
+    return token.sign(algorithm);
+  }
+  // [END endpoints_generate_jwt_sa]
+
+
+  // [START endpoints_jwt_request]
+  /**
+   * Makes an authorized request to the endpoint.
+   */
+  public static String makeJwtRequest(final String singedJwt, final URL url)
+      throws IOException, ProtocolException {
+
+    HttpURLConnection con = (HttpURLConnection) url.openConnection();
+    con.setRequestMethod("GET");
+    con.setRequestProperty("Content-Type", "application/json");
+    con.setRequestProperty("Authorization", "Bearer " + singedJwt);
+
+    InputStreamReader reader = new InputStreamReader(con.getInputStream());
+    BufferedReader buffReader = new BufferedReader(reader);
+
+    String line;
+    StringBuilder result = new StringBuilder();
+    while ((line = buffReader.readLine()) != null) {
+      result.append(line);
+    }
+    buffReader.close();
+    return result.toString();
+  }
+  // [END endpoints_jwt_request]
+}

endpoints/getting-started/src/main/java/com/example/endpoints/AuthInfoServlet.java

@@ -28,6 +28,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+// [START endpoints_auth_info_backend]
 /**
  * A servlet that returns authentication information.
  * See openapi.yaml for authentication mechanisms (e.g. JWT tokens, Google ID token).
@@ -57,3 +58,4 @@ public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOExc
     }
   }
 }
+// [END endpoints_auth_info_backend]