
I have read this page a few times; it both implies and does not imply that if I enable authentication when deploying a Cloud Run instance, I can use Firebase Auth to get through to the service.

I tried passing in a valid Firebase user idToken and did not get through. Was I doing something wrong, or is the only way to get through to Cloud Run when authentication is enabled to use Google sign-in?

Steps to reproduce:

  1. When deploying to Cloud Run, select Yes for authenticated

  2. Generate a Firebase auth token using the REST call from here

  3. Make an API call to the Cloud Run instance using the header below and the ID_TOKEN from step 2 above:

Authorization: Bearer ID_TOKEN

abe
  • Please edit the question to share all relevant code that you're using, both client and server, as well as any configuration. We should be able to see exactly what you're doing and what you're observing at every stage, and be able to reproduce for ourselves. – Doug Stevenson Jan 06 '20 at 07:41
  • @DougStevenson hope that's enough; if not, let me know – abe Jan 06 '20 at 08:21
  • Is the email address that you authenticate with Firebase authorized to call the Cloud Run endpoint? I mean, does this email address have the role run.invoker? – guillaume blaquiere Jan 06 '20 at 08:31
  • @guillaumeblaquiere I did not specifically add it, but the Cloud Run instance is in the same project. I would assume that all the users in the Firebase database in the same project would have access. Is that not correct? – abe Jan 06 '20 at 08:34
  • Are you using a Custom Domain with your Cloud Run app by any chance? I suspect id tokens might not be working there. – ahmet alp balkan Jan 06 '20 at 08:45
  • @AhmetB-Google yes, I am using a custom domain. Is there a way to make it work on a custom domain, or should I stop using a custom domain? – abe Jan 06 '20 at 08:50
  • @AhmetB-Google How can GFE authorize a user if it doesn't have the run.invoker role? From Identity Platform, Firebase auth, or any other provider. – guillaume blaquiere Jan 06 '20 at 08:54
  • @guillaumeblaquiere are you saying I need to create an IAM user for every email that signs up on Firebase so I can set the run.invoker role? – abe Jan 06 '20 at 12:04
  • @abe from my understanding, yes, *for now*. I'm just waiting for the answer of Ahmet (Googler who works on Cloud Run). Do you want to authorize all the authenticated users (here with Firebase) to reach Cloud Run privately deployed? -> I know how to do this ;-) – guillaume blaquiere Jan 06 '20 at 14:45
  • @guillaumeblaquiere that sounds like what I'm trying to do, please share – abe Jan 06 '20 at 14:48
  • I don't work on this feature. However, as far as I know, Identity Tokens do not yet work on custom domains (a known limitation). I also don't know Firebase. I simply suggested trying without custom domain, maybe that's the answer (for now). – ahmet alp balkan Jan 07 '20 at 00:51

1 Answer


According to the comments, the use case is to authorize only registered and authenticated users (with Firebase auth) to use a Cloud Run endpoint deployed privately.

You can't do it directly; you need to use an additional layer. Here I propose to use Cloud Endpoints. I wrote an article on this to set up authentication with an API key.

You have the principles of Cloud Endpoints there. You simply have to change the security definition from API key to Firebase auth. You can find the documentation here.

Note: The authentication methods may evolve in the coming quarters. Stay tuned.

guillaume blaquiere
  • I read your post which sort of does what I need via a proxy. The original GCP documentation page implies this is not needed for Firebase Auth users. If it turns out it is needed I will mark this as the right answer but for now I will hold out for a natively supported solution – abe Jan 06 '20 at 16:21
  • Correct, that's why, I expect an answer from @AhmetB-Google on this topic! – guillaume blaquiere Jan 06 '20 at 19:23
  • @abe: may I ask you to describe to us how you solved it? I have a similar problem. I have no custom domain for the Cloud Run service. And I also understand from the [documentation](https://cloud.google.com/run/docs/authenticating/end-users) that no Cloud Endpoints proxy should be needed. I tried to grant the Cloud Run Invoker role to `allAuthenticatedUsers`, but it didn't work. – RichArt Jul 16 '20 at 13:11
  • @RichArt no way to use Firebase auth. I had to make a router/proxy, which is just a fancy word for code that validates the token in the header before processing the request. – abe Jul 17 '20 at 15:18
  • Yeah, I ended up doing the ID token validation with a [Spring Boot Security filter](https://stackoverflow.com/a/54203112/4151472). I mean, the Cloud Endpoint could be a nice solution but to me it feels more like a vendor lock-in. So, better do it yourself. – RichArt Jul 19 '20 at 01:15
  • [ESP (Extensible Service Proxy) is an open source project](https://github.com/cloudendpoints/esp), but yes, I never tried to install it elsewhere and I don't know if you are locked to GCP or not when you use it. Anyway, when you use it, you simply use an OpenAPI 2.0 spec to describe your API with a security layer in addition. I think that other cloud providers can offer you a good alternative with the same feature. – guillaume blaquiere Jul 19 '20 at 11:49
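Both routes discussed in this thread end at the same check: the "router/proxy" abe describes and the Spring Boot filter RichArt used verify the Firebase ID token inside the application, and the Firebase security definition in the answer makes Cloud Endpoints/ESP perform the same verification in front of the service. The Go program below is an added example written for this page; it is not code from the question, the answer, or any Google project. It assumes a constructed project ID (`example-firebase-project`), a throwaway RSA key standing in for Google's published securetoken signing certificates, and a constructed claim set; `mintToken` exists only to fabricate test input, while a real service fetches the public key for the token's `kid` from Google's certificate endpoint and caches it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed placeholder; a real service reads its Firebase project ID from config.
const projectID = "example-firebase-project"

// A Firebase ID token carries iss = https://securetoken.google.com/<project> and
// aud = <project>. Cloud Run's own IAM check wants a Google-signed identity token
// for a principal that holds run.invoker, so a Firebase token is refused up front.
const firebaseIssuer = "https://securetoken.google.com/" + projectID

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// claims covers the Firebase ID token claims that the documented verification rules check.
type claims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud"`
	Sub      string `json:"sub"`
	Exp      int64  `json:"exp"`
	Iat      int64  `json:"iat"`
	AuthTime int64  `json:"auth_time"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodePart(s string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil { return err }
	return json.Unmarshal(raw, v)
}

// mintToken builds an RS256 JWT. It only fabricates test input here; in
// production Firebase mints the token and the service merely verifies it.
func mintToken(key *rsa.PrivateKey, kid string, c claims) (string, error) {
	h, _ := json.Marshal(header{Alg: "RS256", Kid: kid})
	p, _ := json.Marshal(c)
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}

// verifyFirebaseIDToken applies the checks Firebase documents for ID tokens:
// alg RS256, a known kid, a valid signature, issuer, audience, non-empty sub,
// and exp / iat / auth_time against the clock. keys maps kid -> public key; a
// real service fetches and caches these from Google's securetoken cert endpoint.
func verifyFirebaseIDToken(token string, keys map[string]*rsa.PublicKey, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var h header
	if err := decodePart(parts[0], &h); err != nil { return nil, err }
	// The token must never choose the algorithm ("none" or an HMAC downgrade).
	if h.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", h.Alg) }
	pub, ok := keys[h.Kid]
	if !ok { return nil, fmt.Errorf("unknown kid %q", h.Kid) }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c claims // claims are trusted only after the signature has been checked
	if err := decodePart(parts[1], &c); err != nil { return nil, err }
	t := now.Unix()
	if c.Iss != firebaseIssuer { return nil, fmt.Errorf("bad issuer %q", c.Iss) }
	if c.Aud != projectID { return nil, fmt.Errorf("bad audience %q", c.Aud) }
	if c.Sub == "" { return nil, errors.New("empty sub") }
	if c.Exp <= t { return nil, errors.New("token expired") }
	if c.Iat > t || c.AuthTime > t { return nil, errors.New("token issued in the future") }
	return &c, nil
}

// sampleKeys generates a throwaway signing key and the kid -> public key map the verifier needs.
func sampleKeys() (*rsa.PrivateKey, map[string]*rsa.PublicKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return key, map[string]*rsa.PublicKey{"test-kid-1": &key.PublicKey}
}

// sampleClaims returns the constructed claims a freshly minted Firebase ID token would carry.
func sampleClaims(now time.Time) claims {
	return claims{Iss: firebaseIssuer, Aud: projectID, Sub: "uid-123",
		Iat: now.Unix(), AuthTime: now.Unix(), Exp: now.Add(time.Hour).Unix()}
}
```

Once this check lives in the application (or in ESP in front of it), Cloud Run's IAM layer is no longer what gates end users, so every request that fails `verifyFirebaseIDToken` has to be rejected before any work is done. The issuer (`https://securetoken.google.com/<project>`) and audience (`<project>`) it enforces are the same values a Cloud Endpoints Firebase security definition is configured with; the `kid` lookup is what lets Google rotate signing keys without the service changing.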