I have a private HTTP service (e.g. AdminAPIService) running in Google Cloud Run behind its authentication feature, and it is configured through Cloud Run to accept requests from a certain set of users in my org. This service is running behind https://admin.mycompany.com.
In order for my private client app (SPA) to make successful AJAX calls to the service, it needs to send the Google ID token in an HTTP header like Authorization: Bearer ID_TOKEN, per the guideline, and Google Cloud Run will reject requests if the token is missing or if the token owner is not one of the authenticated users managed in Cloud Run.
The thing is that my client app runs on https://admin-ui.mycompany.com (which itself is also only accessible after going through a custom OAuth2 login due to confidential UI data, so I avoided Firebase Hosting). The app is seeing a CORS error while making AJAX requests to my AdminAPIService, because they have different subdomains. Below is the error message.
Access to XMLHttpRequest at 'http://admin.mycompany.com' from origin 'http://admin-ui.mycompany.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I wish I could serve my client app on https://admin.mycompany.com so that I don't have to deal with the CORS policy, and that is what I want to do. However, that is not possible because Cloud Run requires all requests to carry the ID token in a header if the service is authenticated, and users won't even be able to load the client app from the browser. (I tried to find a way to manipulate the HTTP header during page load to pass through Cloud Run authentication, but it looks like the HTTP header is only accessible/modifiable while making AJAX requests, and not during browser page load.)
Do I really need to mark most of my APIs in AdminAPIService to allow CORS from different origin to solve this issue?
Or, is there a way to create an exception to authentication, such as for a specific HTTP path?
For another possible approach, I looked through Google Cloud Endpoints' OpenAPI-based authentication using a Google ID token, but that seems to accept requests from any authenticated user, not just a selected few, as long as they are signed in with Google. This means that I will have to verify permissions in my AdminAPIService again.
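To make concrete what the service side of the CORS flow and the "verify permissions again" step from the question look like, here is an added example (not code from the question or from Google Cloud Run). It is plain Python with no framework, so it can be wired into any WSGI/Flask handler. It assumes the request actually reaches the container: a browser preflight (OPTIONS) carries no Authorization header, so in front of an IAM-authenticated Cloud Run service it would be rejected before this code runs, which is consistent with the error in the question. The origin allowlist, the email allowlist and the demo token are constructed values; the claims decoder deliberately skips signature verification and is only acceptable because Cloud Run IAM has already rejected any request whose ID token failed signature and audience checks.

```python
import base64
import json

# Constructed allowlists for the example. The origin comes from the question;
# the e-mail allowlist is hypothetical and should mirror the principals
# granted the invoker role on the Cloud Run service.
ALLOWED_ORIGINS = {"https://admin-ui.mycompany.com"}
ALLOWED_EMAILS = {"alice@mycompany.com"}
ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS"
ALLOWED_HEADERS = "Authorization, Content-Type"


def cors_headers(origin):
    """CORS response headers for an allowlisted origin, else an empty dict.
    The origin is matched exactly and never reflected blindly, and no '*'
    is used because the requests carry credentials (the bearer token)."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",  # caches must not serve one origin's answer to another
    }


def _b64url_decode(segment):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_unverified(token):
    """Return the JWT payload WITHOUT checking the signature.
    Only acceptable behind Cloud Run IAM, which already verified the token;
    a service reachable without that layer must verify the token itself."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None


def make_demo_token(email):
    """Constructed token for the offline demo only; the signature is fake."""
    header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=")
    payload = json.dumps({"email": email, "email_verified": True}).encode()
    payload = base64.urlsafe_b64encode(payload).rstrip(b"=")
    return f"{header.decode()}.{payload.decode()}.demo-signature"


def handle(method, headers):
    """Dispatch one request and return (status, response_headers, body).
    `headers` is a dict with lowercase header names."""
    origin = headers.get("origin", "")
    cors = cors_headers(origin)
    if method == "OPTIONS" and "access-control-request-method" in headers:
        # Preflight: browsers send it without Authorization, so it must be
        # answered before any token check. Unknown origins get no CORS headers.
        return (204, cors, "") if cors else (403, {}, "origin not allowed")
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return (401, cors, "missing bearer token")
    claims = claims_unverified(auth[len("Bearer "):])
    # Second authorization layer, as the question anticipates: even a valid
    # Google identity must be on the service's own allowlist.
    if (
        not claims
        or not claims.get("email_verified")
        or claims.get("email") not in ALLOWED_EMAILS
    ):
        return (403, cors, "caller not permitted")
    return (200, cors, f"hello {claims['email']}")


if __name__ == "__main__":
    ui = "https://admin-ui.mycompany.com"
    print(handle("OPTIONS", {"origin": ui, "access-control-request-method": "GET"}))
    tok = make_demo_token("alice@mycompany.com")
    print(handle("GET", {"origin": ui, "authorization": "Bearer " + tok}))
```

The preflight branch is the part the question's error is about: the browser only proceeds if the OPTIONS response carries an Access-Control-Allow-Origin matching the SPA's origin, and that response is sent before any bearer token exists on the request.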