GCP Endpoints Authentication/Authorization
Context
The GCP/EPAM team has finished onboarding the service. Currently all endpoints of the service are open to the world. In our view, exposing information about the GCP environment and its metrics without authentication is not secure.
We noticed the auth.py module, but it appears to be unfinished. From a security perspective it requires additional attention.
Issue
MR !14 (merged) has some drawbacks: it uses the username, password and secret properties to manage token validation (see the URI on the screenshot above).
For GCP we can't use an external system to receive the x-access-token.
Expected Behavior
All GCP endpoints must require an access_token (not an id_token) for user authentication and authorization.
The token should be obtained from the Google OAuth endpoint https://oauth2.googleapis.com/token.
At the code level, the google.oauth package can be used for token validation.
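As an added illustration of the expected behavior (this is example code written for this issue, not code from the service or from MR !14), the sketch below shows the check each GCP endpoint would perform: take the bearer access_token from the Authorization header, validate it against Google's tokeninfo endpoint (https://oauth2.googleapis.com/tokeninfo), and reject the request unless the token is unexpired, was issued for this service's OAuth client (the aud claim) and carries the required scope. The audience and scope values, the AuthError type and the injectable lookup/now parameters are assumptions made for the example; the tokeninfo response used by the demo is constructed.

```python
"""Bearer access_token check for the GCP Audit & Metrics endpoints (added example).

Assumptions (not stated in the issue): the service receives an
``Authorization: Bearer <access_token>`` header; the token is validated by
calling Google's tokeninfo endpoint; ACCEPTED_AUDIENCE and REQUIRED_SCOPE are
placeholders the service would set from its own OAuth client configuration.
"""
import json
import time
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"
# Placeholder values: the real service would configure its own client id and scope.
ACCEPTED_AUDIENCE = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
REQUIRED_SCOPE = "https://www.googleapis.com/auth/userinfo.email"


class AuthError(Exception):
    """Raised when a request must be rejected (HTTP 401/403 at the endpoint)."""


def fetch_tokeninfo(access_token: str) -> dict:
    """Ask Google's tokeninfo endpoint about an access token (network call).

    For an invalid or expired token the endpoint answers with HTTP 400, which
    urlopen turns into an exception; authorize() maps that to AuthError.
    """
    query = urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(f"{TOKENINFO_URL}?{query}", timeout=5) as resp:
        return json.load(resp)


def extract_bearer(headers: dict) -> str:
    """Return the token from 'Authorization: Bearer <token>' or raise AuthError."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthError("missing or malformed Authorization header")
    return token.strip()


def authorize(headers: dict, lookup=fetch_tokeninfo, now=time.time) -> dict:
    """Validate the caller's access token; return the identity on success.

    ``lookup`` and ``now`` are injectable so the check can be exercised offline
    with a constructed tokeninfo response and a fixed clock.
    """
    token = extract_bearer(headers)
    try:
        info = lookup(token)
    except Exception as exc:  # network error or HTTP 400 from tokeninfo
        raise AuthError("token could not be validated") from exc
    if "error" in info:
        raise AuthError("invalid token")
    # The token must have been issued to this service, not to some other client.
    if info.get("aud") != ACCEPTED_AUDIENCE:
        raise AuthError("token issued for another audience")
    # tokeninfo returns ``exp`` as a string of Unix seconds.
    if int(info.get("exp", 0)) <= now():
        raise AuthError("token expired")
    # ``scope`` is a space-separated list of granted scopes.
    if REQUIRED_SCOPE not in info.get("scope", "").split():
        raise AuthError("insufficient scope")
    return {"sub": info.get("sub"), "email": info.get("email")}


# Constructed tokeninfo response used only for the offline demonstration below.
SAMPLE_TOKENINFO = {
    "aud": ACCEPTED_AUDIENCE,
    "sub": "110169484474386276334",
    "email": "user@example.com",
    "scope": "openid " + REQUIRED_SCOPE,
    "exp": "1700003600",
}


def demo() -> dict:
    """Run the check against the constructed response with a fixed clock."""
    headers = {"Authorization": "Bearer constructed-token"}
    return authorize(headers, lookup=lambda _t: dict(SAMPLE_TOKENINFO),
                     now=lambda: 1700000000)


if __name__ == "__main__":
    print(demo())
```

In a real deployment only the endpoint wrapper would change: call authorize(request.headers) before serving any metric or environment data and translate AuthError into a 401 or 403 response. Keeping the lookup injectable makes the expiry, audience and scope rules unit-testable without a live Google token.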
Improvement Proposal
Potentially, all user access rights for the Audit & Metrics service can be managed by the OSDU Entitlements service.