0

With AWS Lambda and API Gateway, I can deploy a function exposed with http.

With Cognito and API Gateway, I can protect the function with oauth2 and a jwt token.

With GCP Function and the http-trigger option, I can deploy a function exposed with http.

Is there a "GCP Cognito alternative" I can used to protect my function with oauth2 and a jwt token ?

I have tried with "Identity Platform". I can obtain a (not jwt) token with : https://accounts.google.com/o/oauth2/v2/auth?client_id=[my client id]&redirect_uri=[my redirect uri]&response_type=token&scope=openid

But this give me a 401 : curl -L -v -XGET --header "Authorization: Bearer [the not jwt token]"https://europe-west2-[my project].cloudfunctions.net/my-hello-function"

Thanks !

David Vergison
  • 35
  • 1
  • 10
  • I think you are confused about JWTs, OAuth Access Tokens and OAuth Identity Tokens (which are a Signed JWT). Use Identity Tokens and not JWTs and not Access Tokens. Identity Tokens are Google identities signed by a Google certificate. Your example creates an OAuth Access Token and Identity Token. Parse the returned data and extract the Identity Token (id_token). Your example is using the returned OAuth Access Token (which has no identity information). – John Hanley Jun 10 '20 at 23:43

2 Answers2

1

You can manage access to an HTTP Cloud Function using IAM roles. You will want to assign the roles/cloudfunctions.invoker role to a service account, and have the caller provide the oauth credentials to the function in the Authorization header.

The most relevant walkthrough can be read here.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • Is IAM roles the good choice to identify users, like customers ? In my mind IAM was the good choice to identify coworkers, more like a LDAP. – David Vergison Jun 10 '20 at 16:14
  • If you need end-user auth, IAM is probably not what you want. You will need to write code to check the token manually in the function and determine if the user is supposed to be able to do what the function does. Cloud Functions doesn't have infrastructure for dealing with auth systems outside of IAM. – Doug Stevenson Jun 10 '20 at 16:18
  • Of course I'll need to check the token content (scope or perhaps role) manually in each function, but i'd like to have the token validity (signature, timestamp, etc.) check in one place (probably at the edge of the platform). But if there is no "ready" tool, I'll try to use the "Cloud Endpoint" as describe here : https://cloud.google.com/endpoints/docs/openapi/authenticating-users-firebase (thanks for the hint @guillaume-blaquiere !) – David Vergison Jun 11 '20 at 09:59
1

If you want to use Cloud Identity Platform, that is a Google Cloud packaging of Firebase Auth, you can use Cloud Endpoint, which is an API Gateway that accept API Key and firebase auth OAuth2 token.

I wrote an article to explain how to protect your serverless product (Cloud Function, Cloud Run and App Engine) with an API Key. But simply update the security definition with the firebase, and it should work!

guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
  • 1
    It's look promising. And there is everything I need for trying in the terraform module. I'll try this tomorrow ! Thanks – David Vergison Jun 11 '20 at 09:38
  • Damned, "Cloud Endpoints" need a container to provide api management for "Cloud Functions". I guess I'll have to check the token in each function ... – David Vergison Jun 12 '20 at 08:23
  • Google is building a managed product based on Cloud Endpoint and ESP (Extensible Service Proxy). At least same feature, maybe more. I don't have any timeline for this but it will solve your current issue. – guillaume blaquiere Jun 12 '20 at 08:49