对需要身份验证的云运行服务的 Ajax 请求

问题描述

我遇到了与谷歌云有关的 CORS 相关问题，该服务运行在
需要身份验证.

I'm having a CORS related issue with google cloud run on a service that
requires authentication.

如果我尝试通过 cli 使用 Bearer 令牌执行 curl 命令，
一切正常.不幸的是，如果我尝试在 javascript 中通过 ajax 执行相同的调用，
我收到了 403.

If I try to execute a curl command through the cli, with a Bearer token,
everything works fine. Unfortunately if I try to execute the same call through ajax in javascript,
I receive a 403.

  const http = new XMLHttpRequest();
  const url = 'https://my-app.run.app';

  http.open("GET", url);
  http.withCredentials = true;
  http.setRequestHeader("authorization", 'Bearer ' + id_token);
  http.send();
  http.onreadystatechange = (e) => {
    console.log(http.responseText)
  }

云运行日志中的错误是这样的:

The error in the cloud run logs is this :

The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating

容器永远不会被击中.

我看到的问题是，当我在网络中使用 ajax 进行调用时
浏览器.网络浏览器正在发出飞行前请求(
url )而不发送授权标头(这是预期的
行为)

The issue I'm seeing is that, as I'm making the call using ajax, in a web
browser. The web browser is making a pre flight request ( OPTIONS on the
url ) without sending the Authorization header ( which is an expected
behavior )

问题似乎是云运行尝试验证 OPTIONS
请求并且永远不会到达我的容器，据我所知，
不应该这样做.(
https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 )

The problem seems to be that cloud run tries to authenticate the OPTIONS
request and never makes it to my container, which, as far as I understand,
shouldn't be done. (
https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 )

这是云运行的已知问题吗?

Is that a known issue with cloud run ?

如何向经过身份验证的云运行服务发出 ajax 请求?

How could I make an ajax request to an authenticated cloud run service ?

推荐答案

(Cloud Run PM)

(Cloud Run PM)

这是一个已知问题.有几个选项:

This is a known issue. There are a few options:

1. 允许未经身份验证的请求并自行执行 CORS/身份验证

1. Allow unauthenticated requests and do CORS/auth yourself

1. 使用 Cloud Endpoints 在Cloud Run 在您的计算机前运行.让 Endpoints 对您的最终用户进行身份验证，然后将请求转发到您的后端.

1. There is a variation of this that uses Cloud Endpoints running on Cloud Run in front of your compute. Have Endpoints do your end-user auth, then forward the request to your backend.

我们已经考虑实施 Istio CORSPolicy，它将在身份验证检查之前返回 CORS 标头，尽管我们目前还没有承诺.

We've considered implementing Istio CORSPolicy, which would return CORS headers before the auth check, though we're not committed to this as of now.

这篇关于对需要身份验证的云运行服务的 Ajax 请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！