I'm using Google Cloud Run for a simple POC web app. My hope was to lean on GCP IAM to handle authentication for the time being, similar to how Identity-Aware Proxy (IAP) can be used in conjunction with App Engine or GKE.
When I gave the Cloud Run Invoker role to a user, I expected authentication to work similar to how IAP does (login redirect auth flow), but I get a 403 error instead. I can curl it setting the Authorization
header though.
Is it required to implement authentication in the app for user-facing web applications? I was hoping to do a quick prototype by relying on IAM. If it is required, what would be the recommended way to implement OAuth2 authentication for a simple prototype? Firebase Authentication?