How to verify end user authenticated token (Firebase auth used) to invoke google cloud run endpoint?

1
votes

please help with end user authenticating in cloud run using firebase authentication.

Short description: I submit Authorization: Bearer + idToken header from firebase function with idToken of authenticated with email/password firebase user user1. I submit it to cloud run instance with Cloud Run Invoker role set for this user1. But in cloud run logs I see the following error:

The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating

What am I doing wrong? How can I invoke cloud run endpoint call from firebase function called by authenticated user?

More details:

I have a simple firebase app with email/password firebase authentication. When user1, say test@test.com is authenticated using email/password, I take the Id token using firebase.User.getIdToken() for this user and submit it to the firebase function.

On the firebase function side I extract the user token and submit it to the google cloud run endpoint as Authorization: Bearer + token header:

export const getData = functions.https.onRequest(
  async (req, response) => {
    cors(req, response, async () => {
      getToken(req)
        .then(async (token: any) => {
              const options = {
                url: cloud_run.CLOUD_RUN_ENDPOINT,
                headers: {
                  Authorization: `Bearer ${token}`,
                },
              };
           request.get(options, async function (err, resp) {
             //Processing the result
           });
    //etc

On the google cloud run, I have deployed cloud run endpoint. at the cloud run permission tab I've set the Cloud Run Invoker role for my user1 test@test.com.

But when I execute the firebase function getData described above, I see the following error in the cloud run logs:

2020-10-29 14:30:13.498 MSK GET 401 0 B 0 ms@root+request/1.6.1 node/v10.22.0 linux/4.4.0 Linux/x64 https://<cloud_run.CLOUD_RUN_ENDPOINT> The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating

According to this manual: https://cloud.google.com/run/docs/authenticating/end-users for firebase authentication: https://cloud.google.com/run/docs/authenticating/end-users#cicp-firebase-auth

I need to Implement Identity Platform or Firebase Authentication (done) and manually validate their credentials. How can I manually validate the credentials? What should I do after submitting the bearer authorization token?

1
node.jsfirebaseauthenticationfirebase-authenticationgoogle-cloud-run
You can't use Firebase Auth credentials to authenticate a request to Cloud Run that's protected with Google Cloud IAM. You have to provide an identity that's recognized by IAM, which normally means a service account. If you want to use Firebase Auth, you have to allow anyone to invoke the endpoint, and check the auth credientials with the Firebase Admin SDK in your backend code.Doug Stevenson
@DougStevenson got it... Thank you for the answer!Tyutlaeva Ekaterina

1 Answers

2
votes

To achieve this, you have 2 solutions:

  • Check by yourselves the token in a unauthenticated Cloud Run services. There is a recent and great Google Cloud post on this. Personally I don't like this solution because if there is an attack, it's up to your service to manage this high traffic, and you to pay!
  • Use a proxy. The (old) Cloud Endpoint can achieve this, and I wrote an article on this 1 year ago (with API Keys security definition, but change it with Firebase Auth security definition and use it!). It's quite old because a fresh new service has been release this summer, named API Gateway which is, today, a Cloud Endpoint fully manage by Google (today the features are the same, but API Gateway will evolve; not sure about Cloud Endpoint!)