Hi folks,
I’m configuring API Gateway to expose endpoints that can be used by my Firebase app using OAuth2. I’m trying to think of my app as just one possible client of the API. I plan to support API keys for developers to access the same functionality.
Specifying security based only on API keys or only on Firebase OAuth2 works just fine. But as soon as I specify both, there’s a problem. If I invoke an endpoint without specifying a JWT, the gateway responds with:
    {
      "code": 401,
      "message": "Jwt is missing"
    }
I think my OpenAPI 2.0 spec conforms to the standard. Here’s the relevant part of my configuration:
    security:
      - ApiKey: []
      - Firebase: []
    securityDefinitions:
      ApiKey:
        type: apiKey
        name: x-api-key
        in: header
      Firebase:
        authorizationUrl: ""
        type: oauth2
        x-google-issuer: https://securetoken.google.com/<MY_PROJECT_ID>
        x-google-jwks_uri: https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com
        x-google-audiences: <MY_PROJECT_ID>
I also tried swapping out Firebase authentication for another form of JWT, but the issue persists.
What am I doing wrong here? Is there a bug in API Gateway that prevents the use of either JWT or API key? If this is not possible, could you suggest a workaround? Worst case, I could have two versions of the API: one secured by API key and another secured by OAuth2, but I’d really like to avoid that messy duplication.
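For reference, this is what the OpenAPI 2.0 `security` block above means by the letter of the spec: the list is OR across entries, and the schemes inside one entry are AND. The following added example (not code from the question or from API Gateway) evaluates constructed requests against those two alternatives, so you can check what the gateway should answer for key-only, JWT-only and no-credential requests. It assumes the Firebase scheme is presented as a bearer token in the Authorization header and checks presence only, not validity.

```python
"""Evaluate OpenAPI 2.0 security requirements as the spec defines them:
the `security` list is OR across entries, keys inside one entry are AND.
Added example; not part of the original question or of API Gateway."""

from typing import Dict, List, Tuple

# The question's two alternatives, restated as a Python structure (constructed).
SECURITY: List[Dict[str, List[str]]] = [{"ApiKey": []}, {"Firebase": []}]

# Which request header each scheme reads (assumption: the oauth2/Firebase
# scheme surfaces as a bearer JWT in the Authorization header).
SCHEME_HEADERS: Dict[str, Tuple[str, str]] = {
    "ApiKey": ("x-api-key", ""),
    "Firebase": ("authorization", "Bearer "),
}


def scheme_present(scheme: str, headers: Dict[str, str]) -> bool:
    """True if the request carries the credential that `scheme` reads.
    Presence only; validating the key or JWT is the gateway's job."""
    header, prefix = SCHEME_HEADERS[scheme]
    value = headers.get(header, "")
    return value.startswith(prefix) and len(value) > len(prefix)


def evaluate(security: List[Dict[str, List[str]]],
             headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason). A request is allowed when ALL schemes of
    ANY one requirement object are present (OR of ANDs)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for requirement in security:
        if all(scheme_present(s, lowered) for s in requirement):
            return True, "satisfied " + "+".join(requirement)
    alternatives = " or ".join("+".join(r) for r in security)
    return False, "no requirement satisfied: " + alternatives


if __name__ == "__main__":
    # Constructed sample requests mirroring the question: key only, JWT only, neither.
    for hdrs in ({"x-api-key": "dev-key-123"},
                 {"Authorization": "Bearer eyJ.fake.jwt"},
                 {}):
        print(hdrs, "->", evaluate(SECURITY, hdrs))
```

Only the third request (no credential at all) should be rejected under these semantics; a key-only request satisfies the first alternative on its own.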