How do I handle scope based authorization with Google API Gateway?

I have an express server with the following for authorization…

import bearer from "express-oauth2-jwt-bearer";

// Authorization middleware. When used, the Access Token must
// exist and be verified against the Auth0 JSON Web Key Set.
const checkJwt = bearer.auth({
  audience: "https://....dev/node",
  issuerBaseURL: "https://....dev",
});

const checkScopes = bearer.requiredScopes("access:node");

export {checkJwt, checkScopes};

I am converting it over to an API Gateway like this…

swagger: '2.0'
info:
  title: hw-api Gateway
  description: Sample API Gateway
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /hello:
    get:
      summary: Greet a user
      operationId: hello
      x-google-backend:
        address: https://us-central1-....cloudfunctions.net/helloGET
      responses:
        '200':
          description: A successful response
          schema:
            type: string

I see documentation on how to handle Authentication with the gateway but nothing about how to ensure the scopes are correct. How would I confirm the access token has the proper scopes when someone calls the API?

1 Like