GCP API Gateway and Camunda 8 SaaS bearer token

I am working on the use case below.

  • Building an ecosystem whereby APIs can be invoked from one or more providers.

The ecosystem providers can be multiple organisations, so I wanted the ability to allow tokens originating from specific ‘registered providers’ to be granted access to invoke the APIs.

The APIs are hosted on a Node.js server on GCP Cloud Run.

GCP API Gateway was the ideal choice, as it supports the OpenAPI spec with security definitions.
I was able to successfully test with two providers, viz. Cloudflare and Google ID tokens.

Cloudflare Security Definition
    authorizationUrl: ""   # required by the OpenAPI 2.0 implicit flow; Google's examples leave it empty
    flow: "implicit"
    type: "oauth2"
    # The value below should be unique
    x-google-issuer: "https://.cloudflareaccess.com"
    x-google-jwks_uri: "https://.cloudflareaccess.com/cdn-cgi/access/certs"
    x-google-audiences: "app-uuid-goes-here"

Google ID Token Security Definition
    authorizationUrl: ""   # required by the OpenAPI 2.0 implicit flow; Google's examples leave it empty
    flow: "implicit"
    type: "oauth2"
    # The value below should be unique
    x-google-issuer: "accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    x-google-audiences: ".apps.googleusercontent.com"

As you can see, CF and GCP both provide a certs URI for the configuration.

I wanted to add Camunda 8 SaaS as another provider, so I tested with the configuration below. However, I am not sure about the jwks_uri.

camunda8__id_token:
    authorizationUrl: ""   # required by the OpenAPI 2.0 implicit flow; Google's examples leave it empty
    flow: "implicit"
    type: "oauth2"
    # The value below should be unique
    x-google-issuer: "https://weblogin.cloud.camunda.io/"
    x-google-jwks_uri: ???
    x-google-audiences: "zeebe.camunda.io"

Has anyone encountered this?