1
votes

Following the authentication guide for Cloud Run here, I wanted to make a service only accessible by authenticated users.

I created a base service, called helloworld (yes, no originality here), and applied the following policy:

gcloud run services add-iam-policy-binding helloworld \
    --member="allAuthenticatedUsers" \
    --role="roles/run.invoker"

I then tried to invoke it using the gcloud auth print-identity-token ID Token like this:

curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://helloworld-*****.a.run.app

All good, the service responds with bearer tokens coming from a @gmail.com account and a GSuite one using gcloud.

As a next step, I followed the end-user authentication guide here and:

  • created web application credentials in the same project as the Cloud Run service above
  • redeployed the service to absorb the new Client ID configuration
  • created a simple HTML page with that Client ID and Google Sign-In logic (like this one)
  • ran a local webserver to serve that page and got a new ID Token
  • attempted to do the same curl with that very token

This time though, the response was a 401 with the following value in the WWW-Authenticate header:

Bearer error="invalid_token" error_description="The access token could not be verified"

This is the response of the https://oauth2.googleapis.com/tokeninfo API:

{
  "iss": "accounts.google.com",
  "azp": "*****************.apps.googleusercontent.com",
  "aud": "*****************.apps.googleusercontent.com",
  "sub": "*******",
  "email": "[email protected]",
  "email_verified": "true",
  "at_hash": "********",
  "name": "********",
  "picture": "********",
  "given_name": "********",
  "family_name": "********",
  "locale": "en",
  "iat": "1581617530",
  "exp": "1581621130",
  "jti": "6a0dd7561c0d95f7c92fc29a885039fe3f23db16",
  "alg": "RS256",
  "kid": "d8efea1f66e87bb36c2ea09d837338bdd810353b",
  "typ": "JWT"
}

and the azp and aud values are the same Client ID that is defined as a Web Application credential in the project.

I also tried to add the specific user to the service like this:

gcloud run services add-iam-policy-binding helloworld \
    --member="user:[email protected]" \
    --role="roles/run.invoker"

Still no luck... What am I doing wrong?

wlhee: Hi, could you help confirm: 1) the client_id comes from the same project of the cloud run service? 2) the token generated was not expired? ("exp" claim) 3) when you use curl, use: curl -H "Authorization: Bearer <id_token>" <URL>

Gherynos: Hi @wlhee, yes, I confirm that the Client ID was generated in the same project that's hosting the Cloud Run service; also, the token retrieved using the HTML page was used within minutes with the curl command as you specified it (Authorization: Bearer <token>).

wlhee: can you share your project id and cloud run service name with me?

Gherynos: Sure, here they are: 363397985288-7a7e83ssimq8t0tvolqaha161u9tdckh.apps.googleusercontent.com https://helloworld-r4v55jcbxa-ew.a.run.app. I also created another project, client ID and service just in case... 788273985948-min8mv0jk4sldbaha096avgv034jr32o.apps.googleusercontent.com https://helloworld-2pr4qhpiyq-ew.a.run.app

wlhee: Thanks. I checked both cloud run services, the oauth client IDs were not populated. We did have an issue earlier this week, but we believe it got fixed on Wednesday PST. Did you deploy these two cloud run services after Wednesday?
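The checks a relying party such as Cloud Run applies to an ID token before it honours the bearer (issuer, audience against the client IDs it knows about, expiry, verified e-mail) can be reproduced locally against the tokeninfo response above. This is an added example, not code from the question or from Google; it only validates claims and assumes the signature has already been verified (by the tokeninfo endpoint or a JWKS-based library), and the claim values are copied from the masked tokeninfo output in the question.

```python
import base64
import json
import time

# Both issuer forms Google uses in ID tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Claims as returned by https://oauth2.googleapis.com/tokeninfo in the
# question (masked values kept as-is). Note: tokeninfo serialises numbers
# and booleans as strings.
TOKENINFO_CLAIMS = {
    "iss": "accounts.google.com",
    "azp": "*****************.apps.googleusercontent.com",
    "aud": "*****************.apps.googleusercontent.com",
    "email_verified": "true",
    "iat": "1581617530",
    "exp": "1581621130",
}


def decode_jwt_claims(token):
    """Decode the payload segment of a JWT. The signature is NOT checked here;
    that step is assumed to be done separately against Google's keys."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token_claims(claims, allowed_client_ids, now=None):
    """Return the reasons the token must be rejected (empty list = accept)."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss is not a Google issuer")
    if claims.get("aud") not in allowed_client_ids:
        # This is the mismatch behind the 401: the service must have been
        # deployed with the client ID that the token was issued for.
        problems.append("aud is not a client ID known to the service")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token expired")
    if str(claims.get("email_verified", "false")).lower() != "true":
        problems.append("e-mail address not verified")
    return problems


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed unsigned token carrying the same claims, for the decoder above.
CONSTRUCTED_TOKEN = ".".join(
    [_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(TOKENINFO_CLAIMS), "sig"])
```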

1 Answer

0
votes

Thanks to wlhee's input about the issue, I redeployed the service and was able to successfully access it with a token generated using the Client ID from the same project.