Google Identity Platform authentication inside Cloud Functions

Question

Although similar to Google cloud functions http authentication, my question is more specific towards Google Identity Platform (https://cloud.google.com/identity-platform).

I am new to GCP. I have created a username/password provider in Identity Platform. I created a sample flask app client and used FireBaseUI to perform basic user login. I am able to get the accessToken in the client.

Then I created a Cloud Function (select unauthenticated as per the above thread). Then passed the accessToken in "Authorization: Bearer" header. I am able to access the token inside the Cloud Function.

But the next part I am unable to figure out is how do I validate that token against Identity Platform and get the user details?

Does this answer your question? [How to protect firebase Cloud Function HTTP endpoint using authenticated id token and database rules?](https://stackoverflow.com/questions/48575730/how-to-protect-firebase-cloud-function-http-endpoint-using-authenticated-id-toke) — Kolban, Jul 05 '20 at 15:33

score 3 · Accepted Answer · edited Jul 06 '20 at 02:54

3

To verify a token, you will want to retrieve the value of the passed in "Authorization" HTTP header. This will be a string that starts with "Bearer ". The remainder is a JWT token that can be passed to verifyIdToken() and you will be returned a decoded token that has been verified. From that data you will be able to use the properties within (eg. "email").

See:

Verify ID tokens using the Firebase Admin SDK

from flask import abort
import firebase_admin
from firebase_admin import auth

default_app = firebase_admin.initialize_app()

def test_firebase_auth(request):
    authorization = request.headers.get('Authorization')
    id_token = None
    if authorization and authorization.startswith('Bearer '):
        id_token = authorization.split('Bearer ')[1]
    else:
        abort(401)

    try:
        decoded_token = auth.verify_id_token(id_token)
        return str(decoded_token)
        uid = decoded_token['uid']
        # log.info(decoded_token)
        return uid
    except Exception as e: # ValueError or auth.AuthError
        return str(e)
        abort(401)

edited Jul 06 '20 at 02:54

MavWolverine

846
1
9
24

answered Jul 05 '20 at 03:39

Kolban

13,794
3
38
60

Hi @Kolban Sorry forgot to mention it, I have been through that link, but somehow I am finding GCP documentation very hard to to follow. (AWS was very straight forward). How do I add the firebase admin sdk to the Cloud Function? Where do I get the auth variable from? `decoded_token = auth.verify_id_token(id_token)` – MavWolverine Jul 05 '20 at 04:06
This might be a good reference: https://stackoverflow.com/questions/48575730/how-to-protect-firebase-cloud-function-http-endpoint-using-authenticated-id-toke – Kolban Jul 05 '20 at 15:34
thank you for the pointers. I was able to come up with a Python solution. I updated your answer with the solution and marked it accepted as a thank you. – MavWolverine Jul 06 '20 at 00:07
This too helped https://code.luasoftware.com/tutorials/google-cloud-functions/secure-cloud-functions-with-firebase-authentication/ – MavWolverine Jul 06 '20 at 03:43

Google Identity Platform authentication inside Cloud Functions

1 Answers1