0

1.HTTP python client (a script) => 2. GCP API gateway => 3. validate request against firebase => 4. if request valid call cloud function v2 (cloud run)

Python script is generating ID token from refresh token by using 'https://securetoken.googleapis.com/v1/token?#key=myKey And doing a request to API gateway using it.

API gateway config is al follow.

swagger: "2.0"
info:
  title: Test
  description: API to read validated token details
  version: 1.0.0
paths:
  /test:
    get:
      x-google-backend:
        address: URL TO cloud function
      responses:
        "200":
          schema:
            $ref: '#/definitions/UserDetails'
          description: Successful response
      description: Returns details.
      operationId: testID
      summary: Get details from xyz
      security:
        - firebase: []
  .
  .
  .

definitions:
  UserDetails:
    title: Root Type for UserDetails
    description: User details object created from information in headers
    type: object
    properties:
      userId:
        type: string
      email:
        type: string      
securityDefinitions:
  firebase:
    flow: implicit
    authorizationUrl: ''
    scopes: {}
    type: oauth2
    x-google-issuer: "https://securetoken.google.com/*********"
    x-google-jwks_uri: "https://www.googleapis.com/***"
    x-google-audiences: "******"

This is working fine. I want to make this HTTP python client (a script) public. But i think it is not safe to expose https://securetoken.googleapis.com/v1/token?#key=myKey URL which is getting used to generate idToken from refreshToken(User will use his refresh token from our website). How do i make my HTTP python client (a script) public securely ?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Djai
  • 188
  • 10

1 Answers1

1

They can be exploited to access the resources they allow access to, it is dangerous to make your refresh token and API key available to the general public. Instead of having the Python script make a direct connection to the https://securetoken.googleapis.com/v1/token endpoint, you may have the script make a request to a server-side application under your control, which then performs the API call and delivers the ID token to the client.

To make your HTTP Python client public securely, use SSL encryption, validate incoming requests, limit access to sensitive information, monitor for security threats, and keep your software up to date.

You may want to check this documentation to use the best practices when using SSL encyption.

Chanpols
  • 1,184
  • 1
  • 3
  • 13