对需要身份验证的云运行服务的 Ajax 请求

2022-01-15 00:00:00 cors google-cloud-run ajax

我遇到了与谷歌云有关的 CORS 相关问题,该服务运行在
需要身份验证.

I'm having a CORS related issue with google cloud run on a service that
requires authentication.

如果我尝试通过 cli 使用 Bearer 令牌执行 curl 命令,
一切正常.不幸的是,如果我尝试在 javascript 中通过 ajax 执行相同的调用,
我收到了 403.

If I try to execute a curl command through the cli, with a Bearer token,
everything works fine. Unfortunately if I try to execute the same call through ajax in javascript,
I receive a 403.

  const http = new XMLHttpRequest();
  const url = 'https://my-app.run.app';

  http.open("GET", url);
  http.withCredentials = true;
  http.setRequestHeader("authorization", 'Bearer ' + id_token);
  http.send();
  http.onreadystatechange = (e) => {
    console.log(http.responseText)
  }

云运行日志中的错误是这样的:

The error in the cloud run logs is this :

The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating

容器永远不会被击中.

我看到的问题是,当我在网络中使用 ajax 进行调用时
浏览器.网络浏览器正在发出飞行前请求(
url )而不发送授权标头(这是预期的
行为)

The issue I'm seeing is that, as I'm making the call using ajax, in a web
browser. The web browser is making a pre flight request ( OPTIONS on the
url ) without sending the Authorization header ( which is an expected
behavior )

问题似乎是云运行尝试验证 OPTIONS
请求并且永远不会到达我的容器,据我所知,
不应该这样做.(
https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 )

The problem seems to be that cloud run tries to authenticate the OPTIONS
request and never makes it to my container, which, as far as I understand,
shouldn't be done. (
https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 )

这是云运行的已知问题吗?

Is that a known issue with cloud run ?

如何向经过身份验证的云运行服务发出 ajax 请求?

How could I make an ajax request to an authenticated cloud run service ?

推荐答案

(Cloud Run PM)

(Cloud Run PM)

这是一个已知问题.有几个选项:

This is a known issue. There are a few options:

  1. 允许未经身份验证的请求并自行执行 CORS/身份验证
  1. Allow unauthenticated requests and do CORS/auth yourself
  1. 使用 Cloud Endpoints 在Cloud Run 在您的计算机前运行.让 Endpoints 对您的最终用户进行身份验证,然后将请求转发到您的后端.
  1. There is a variation of this that uses Cloud Endpoints running on Cloud Run in front of your compute. Have Endpoints do your end-user auth, then forward the request to your backend.

  • 从同一域提供服务(例如,使用 Firebase 托管代理)
  • 我们已经考虑实施 Istio CORSPolicy,它将在身份验证检查之前返回 CORS 标头,尽管我们目前还没有承诺.

    We've considered implementing Istio CORSPolicy, which would return CORS headers before the auth check, though we're not committed to this as of now.

    相关文章