I'm following this: https://developer.chrome.com/apps/tut_oauth

But it doesn't work. When I invoke the Cloud Function, I get a 401 error. The Authorization: Bearer "access-token" is added in the request header. Another question here[1] states that an ID_TOKEN should be used, which I tried via curl, but I get the same 401 error.

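```javascript
// email_id, user_id and str (the request URL) are defined elsewhere in the extension.
chrome.identity.getAuthToken({interactive: true}, function(token) {
    // token is the OAuth access token returned by the Chrome Identity API
    var dat = {
        "user_email": email_id,
        "user_id": user_id
    };
    $.ajax({
        type: "POST",
        // Serialize the body so it matches the JSON content type;
        // a plain object would be sent form-encoded by jQuery.
        data: JSON.stringify(dat),
        dataType: 'json',
        url: str,
        contentType: "application/json",
        error: function (xhr, status, error) {
            console.log(xhr);
        },
        success: function (data, status, xhr) {
            console.log('Success!' + data + status);
        },
        headers: {
            'x-goog-project-id': 'xxxxxxxxxxxxx',
            'Authorization': 'Bearer ' + token,
            'Content-Type': 'application/json',
            'Accept': 'application/json'
        }
    });
});
```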

[1] Why doesn't granting 'allAuthenticatedUsers' member the 'Cloud Functions Invoker' role work for google cloud functions?

2 Answers

0

The tutorial that you mentioned uses an "access-token" to access a user's Google contacts using the Google People API and the Chrome Identity API.

If you want to access a Google Cloud Function which does not Allow unauthenticated invocations you have to use an ID_TOKEN.

For testing you can create a service account with --role="roles/cloudfunctions.invoker", then create a key.json file and export the GOOGLE_APPLICATION_CREDENTIALS env variable link

Finally you can use:

```bash
curl "https://us-central1-your-project.cloudfunctions.net/yourfunction"
# Error 403 (Forbidden)
curl "https://us-central1-your-project.cloudfunctions.net/yourfunction" -H "Authorization: bearer $(gcloud auth print-identity-token)"
# Success
```
marian.vladoi
  • Thanks for the clarification. However, how can I use the service account in a chrome extension app (Javascript)? – Robert Paul Baquing Mar 18 '20 at 10:13
  • I would suggest to follow this tutorial [Building A ‘Serverless’ Chrome Extension](https://towardsdatascience.com/building-a-serverless-chrome-extension-f684740e1ffc) and then to read about [OpenID Connect](https://developers.google.com/identity/protocols/oauth2/openid-connect) – marian.vladoi Mar 18 '20 at 10:36
  • I checked the tutorial, however it doesn't cover the authentication part between the Chrome extension and the service account. I also already checked the OpenID Connect documentation, however none of it applies to a Chrome extension, as it is not considered a web app. – Robert Paul Baquing Mar 18 '20 at 14:13
  • It seems that it is not an easy task; here is a discussion about it: [Get ID Token from Access Token within a Chrome Extension](https://github.com/google/google-api-javascript-client/issues/508) – marian.vladoi Mar 18 '20 at 16:15
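
An added example (not part of the original question or answers): a diagnostic that tells an opaque OAuth access token, such as the one chrome.identity.getAuthToken returns, apart from a Google ID token by decoding the JWT claims. It does not verify the signature; the names inspectBearerToken and makeSampleJwt and the sample tokens are constructed for illustration.

```javascript
// Added example: diagnostics only. Claims are decoded, the signature is NOT verified.
const GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];

function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
}

// Classify a bearer token: opaque access token, malformed JWT, or Google ID token.
function inspectBearerToken(token, nowSeconds) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    return { kind: 'opaque', usable: false, reason: 'not a JWT, likely an OAuth access token' };
  }
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
    if (claims === null || typeof claims !== 'object') throw new Error('not an object');
  } catch (e) {
    return { kind: 'malformed', usable: false, reason: 'payload is not base64url JSON' };
  }
  if (!GOOGLE_ISSUERS.includes(claims.iss)) {
    return { kind: 'jwt', usable: false, reason: 'unexpected issuer', claims };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { kind: 'id_token', usable: false, reason: 'expired', claims };
  }
  return { kind: 'id_token', usable: true, reason: 'ok', claims };
}

// Constructed sample input: an unsigned JWT-shaped string, not a real credential.
function makeSampleJwt(claims) {
  const enc = (obj) => {
    const json = JSON.stringify(obj);
    const b64 = typeof btoa === 'function' ? btoa(json) : Buffer.from(json).toString('base64');
    return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'constructed-signature'].join('.');
}

const now = Math.floor(Date.now() / 1000);
const sampleId = makeSampleJwt({ iss: 'https://accounts.google.com', aud: 'constructed-audience', exp: now + 3600 });
console.log(inspectBearerToken('ya29.constructed-access-token', now).reason);
console.log(inspectBearerToken(sampleId, now).reason);
```

A token reported as usable here has only passed a shape, issuer and expiry check; the receiving service still has to validate the signature and audience.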
0

I gave up on this as there is no direct solution to invoke a Cloud Function using OAuth in Chrome Apps. The alternative solution that worked is to authenticate via API key. That is, using Cloud Functions with Cloud Endpoints.

I followed the logic here: https://medium.com/@akash.mahale/triggering-google-cloud-functions-with-cloud-endpoints-and-api-key-857e94a8a3aa

But you just need to take note that rotation of API keys should be done regularly and automatically.

  • This is not ideal, but there is a solution: if your extension calls a Google Apps Script project (deployed as a web app) which accepts an access_token and is bound to a GCP project, you can generate an id_token and finally call the Cloud Function... But I'm not sure it fits your situation – Waxim Corp Jan 10 '23 at 17:12