How to protect my http-triggered GCP Function with oauth/jwt?

Question

With AWS Lambda and API Gateway, I can deploy a function exposed with http.

With Cognito and API Gateway, I can protect the function with oauth2 and a jwt token.

With GCP Function and the http-trigger option, I can deploy a function exposed with http.

Is there a "GCP Cognito alternative" I can used to protect my function with oauth2 and a jwt token ?

I have tried with "Identity Platform". I can obtain a (not jwt) token with : https://accounts.google.com/o/oauth2/v2/auth?client_id=[my client id]&redirect_uri=[my redirect uri]&response_type=token&scope=openid

But this give me a 401 : curl -L -v -XGET --header "Authorization: Bearer [the not jwt token]"https://europe-west2-[my project].cloudfunctions.net/my-hello-function"

Thanks !

I think you are confused about JWTs, OAuth Access Tokens and OAuth Identity Tokens (which are a Signed JWT). Use Identity Tokens and not JWTs and not Access Tokens. Identity Tokens are Google identities signed by a Google certificate. Your example creates an OAuth Access Token and Identity Token. Parse the returned data and extract the Identity Token (id_token). Your example is using the returned OAuth Access Token (which has no identity information). — John Hanley

guillaume blaquiere guillaume blaquiere · Accepted Answer · 2020-06-10T18:26:24

If you want to use Cloud Identity Platform, that is a Google Cloud packaging of Firebase Auth, you can use Cloud Endpoint, which is an API Gateway that accept API Key and firebase auth OAuth2 token.

I wrote an article to explain how to protect your serverless product (Cloud Function, Cloud Run and App Engine) with an API Key. But simply update the security definition with the firebase, and it should work!

How to protect my http-triggered GCP Function with oauth/jwt?

2 Answers