diff --git a/endpoints/getting-started/clients/service_to_service_google_id_token/main.py b/endpoints/getting-started/clients/service_to_service_google_id_token/main.py
index 4b07c9feee1..e943200f929 100644
--- a/endpoints/getting-started/clients/service_to_service_google_id_token/main.py
+++ b/endpoints/getting-started/clients/service_to_service_google_id_token/main.py
@@ -24,9 +24,9 @@ from google.appengine.api import app_identity
 import webapp2
-DEFAUTL_SERVICE_ACCOUNT = "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
+SERVICE_ACCOUNT_EMAIL = "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
 HOST = "YOUR-SERVER-PROJECT-ID.appspot.com"
-TARGET_AUD = "YOUR-SERVER-PROJECT-ID@appspot.gserviceaccount.com"
+TARGET_AUD = "https://YOUR-SERVER-PROJECT-ID.appspot.com"
 def generate_jwt():
@@ -42,11 +42,10 @@ def generate_jwt():
 "iat": now,
 # expires after one hour.
 "exp": now + 3600,
-# iss is the Google App Engine default service account email.
-"iss": DEFAUTL_SERVICE_ACCOUNT,
-# scope must match 'audience' for google_id_token in the security
-# configuration in your swagger spec.
-"scope": TARGET_AUD,
+# iss is the service account email.
+"iss": SERVICE_ACCOUNT_EMAIL,
+# target_audience is the URL of the target service.
+"target_audience": TARGET_AUD,
 # aud must be Google token endpoints URL.
 "aud": "https://www.googleapis.com/oauth2/v4/token"
 })
diff --git a/endpoints/getting-started/openapi.yaml b/endpoints/getting-started/openapi.yaml
index 89225226db9..160ceafc1fd 100644
--- a/endpoints/getting-started/openapi.yaml
+++ b/endpoints/getting-started/openapi.yaml
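Review bot: TARGET_AUD on the new side repeats the server project placeholder that HOST already carries, so a reader who edits one placeholder and not the other ends up minting a token whose audience does not name the service it is sent to, and the server will reject it. Deriving the audience from the host keeps the two in step: `TARGET_AUD = "https://" + HOST`. The hunk's trailing context line is the start of generate_jwt, whose body lies outside this hunk.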
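Review bot: The new `target_audience` comment drops the cross-reference the removed `scope` comment carried, namely that this value has to agree with the audience configured for the google_id_token security definition in the server's OpenAPI spec; an audience mismatch is what the server rejects, so this comment is where a reader will look first. Suggest `# target_audience is the URL of the target service; it must match the audience the server's google_id_token security definition accepts.` generate_jwt begins before this hunk and continues after it, so only the claims dict is reviewed here.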
@@ -141,8 +141,8 @@ securityDefinitions:
 authorizationUrl: ""
 flow: "implicit"
 type: "oauth2"
-x-google-issuer: "accounts.google.com"
-x-google-jwks_uri: "https://www.googleapis.com/oauth2/v1/certs"
+x-google-issuer: "https://accounts.google.com"
+x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
 # Your OAuth2 client's Client ID must be added here. You can add multiple client IDs to accept tokens form multiple clients.
 x-google-audiences: "YOUR-CLIENT-ID"
 # This section configures authentication using Firebase Auth.
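Review bot: The new x-google-issuer pins a single issuer string, `https://accounts.google.com`, while Google-issued ID tokens can carry `iss` in either that form or the bare `accounts.google.com`; any token arriving with the bare form now fails issuer validation at this definition. If both forms can reach this server, add a second securityDefinition with the bare issuer and the same jwks_uri rather than loosening this one, and confirm which form the token endpoint used by the client actually emits. The jwks_uri move to the v3 certs endpoint is consistent with the HTTPS issuer and needs no change.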