I need to authenticate a service account (with the container invoke role) in Cloud Run with PKCE. Basically, my iOS app sends HTTPS requests to invoke a certain Cloud Run container (running Django Rest Framework).

I found this example (which authenticates to the Cloud Run endpoint via a self-signed JWT exchanged for a token). This is exactly what I need, but I want to add PKCE. I'm confused as to where I send code_verifier and code_challenge. If I do the verification in my container, how would that link to Cloud Run authorization?

You want to connect your iOS app directly to Cloud Run? If so, do you want to use user authentication for doing this? If so, do your users have a Google account? – guillaume blaquiere

I don't want to use user authentication. I just want to make sure the request is sent only from the iOS app. I have created only one service account with 'invoke' permissions; I need to securely authenticate that account from the iOS app. – user10007342

2 Answers

Google OAuth does not implement PKCE.

PKCE is part of the Authorization Code Flow. Service accounts do not use this flow.

Authorization Code Flow is not part of Google service account authorization, as both sides are considered trusted. A mobile device is not a trusted device, therefore do NOT store service accounts on mobile devices.

The (bad) solution is to generate a service account key file and embed it in your iOS app. But, as John mentioned, if you do this, you lose control of your key because your mobile device isn't safe. Instead of doing this, make your service public!!

The good pattern is not to let your user call your private, secured service directly, but to have a public gateway that performs the user security check. That way, you use your user's OAuth flow to authenticate them on a backend, and this backend is able to call your service with the right service account.

You can do it yourself, but the good alternative is to use an API gateway, like Cloud Endpoints on GCP. You can plug Firebase Authentication into it. Your overhead is minimal, and your security is improved! I wrote an article related to this (it's about API keys, but replace the API key security definition with the Firebase Auth security definition, and enjoy!)
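The backend half of the pattern described in this answer, as an added example that is not the answerer's code or Google's client library: the gateway, which is the only place the service account key ever lives, builds the self-signed JWT that Google's token endpoint exchanges for a Cloud Run identity token, and a verifier shows what that endpoint checks with the account's registered public key. The service account email, Cloud Run URL and the throwaway key are placeholders; the claim names (iss, sub, aud, target_audience, iat, exp) and the token endpoint follow Google's documented JWT-bearer exchange.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
const TokenEndpoint = "https://oauth2.googleapis.com/token" // called by the backend, never by the iOS app
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func digestOf(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
// NewGatewayKey returns a throwaway demo key; a real backend loads the service account's key from a secret store.
func NewGatewayKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignAssertion builds the self-signed RS256 JWT; target_audience is the private Cloud Run URL.
func SignAssertion(key *rsa.PrivateKey, saEmail, cloudRunURL string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": saEmail, "sub": saEmail, "aud": TokenEndpoint,
		"target_audience": cloudRunURL, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	input := b64(hdr) + "." + b64(claims)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digestOf(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}
// VerifyAssertion mirrors the token endpoint's check with the account's registered public key.
func VerifyAssertion(pub *rsa.PublicKey, jwt string) (map[string]interface{}, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digestOf(parts[0]+"."+parts[1]), sig); err != nil {
		return nil, err
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	claims := map[string]interface{}{}
	return claims, json.Unmarshal(payload, &claims)
}
```

The backend then POSTs the JWT to TokenEndpoint as grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer with assertion=<jwt> and forwards the returned id_token to Cloud Run as a Bearer token; the iOS app only ever talks to the gateway with its user's Firebase or OAuth token.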