
[DOCS] Firebase idToken and Cloud Function Authorization

Open brunopenso opened this issue 4 years ago • 7 comments

Firebase idToken and Cloud Function Authorization

I was looking to this documentation:

  • https://github.com/firebase/functions-samples/tree/main/authenticated-json-api
  • https://github.com/firebase/functions-samples/tree/main/authorized-https-endpoint

Neither document is clear about the following scenario.

I have a user authenticated on firebase and a Firebase IdToken.

When I create a Cloud Function and deploy it to GCP without the allUsers invoker role, I always get a 403 response.

It looks like the Firebase idToken is not recognized by the GCP Cloud Functions IAM handler.

Is there a missing role configuration? Or should I do some other configuration?

Note: I want to avoid using the allUsers invoker role.

brunopenso avatar Aug 29 '21 15:08 brunopenso

A little bit more information on what I discovered so far.

When I send a valid JWT token from another source, I get a 401 HTTP response from Cloud Functions (the function isn't executed).

When I send a valid JWT token from Firebase (actually the ID token), the error code is 403. It means that GCP recognizes the JWT token but there is a missing role config.

I also found this blog post, but I think this is the wrong path.

brunopenso avatar Aug 29 '21 15:08 brunopenso

@brunopenso I think you must grant the Cloud Functions Invoker role to allUsers so they can invoke your cloud functions, and then verify the ID token. And you must ensure that the default service account has the Firebase Authentication Admin role to verify ID tokens.

tiennampham23 avatar Aug 31 '21 03:08 tiennampham23

Hi, thanks for the answer.

I understand that, and I managed to test with the allUsers role.

But this is not the ideal flow, because the function will be open to the whole web.

Is there a way to make it work without the allUsers role?

brunopenso avatar Aug 31 '21 16:08 brunopenso

@brunopenso "By default, entities that need to invoke an HTTP function must explicitly present authentication credentials (proof of identity) as well as having the required permission"

You see, you must ensure that entities that need to invoke HTTP functions have the required permissions, and when you use the HTTP function to verify unauthenticated users, you must allow all users to invoke this function; in this case, the HTTP function is like an API endpoint to verify unauthenticated users.

Or you can use event-driven functions, which can be invoked without granting permissions to all users.

Check it out:

  • https://cloud.google.com/functions/docs/securing/managing-access-iam#domain_restricted_sharing
  • https://cloud.google.com/functions/docs/securing/managing-access-iam#allowing_unauthenticated_http_function_invocation

tiennampham23 avatar Aug 31 '21 18:08 tiennampham23

Hi @tiennampham23 ,

I think we have 2 questions here:

  1. The first is regarding the documentation, which doesn't make clear that the function should have the allUsers role enabled. My issue here is to improve the documentation to advise the use of the allUsers role and the questions related to that.
  2. Since Firebase and GCP are from the same company, the engine that handles authentication on Cloud Functions should be able to understand, parse and validate the ID token generated by Firebase like any of the other tokens.

What do you think? Should I open a PR about the number 1?

Thanks

brunopenso avatar Sep 01 '21 00:09 brunopenso

You need to use allUsers, since you actually want all users to run the function.

Then inside the function you check the validity of the token using firebase.admin.


mosa-riel avatar Sep 01 '21 07:09 mosa-riel
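The flow the thread converges on, as an added example (not code from the functions-samples repository or from any participant): bind `allUsers` to `roles/cloudfunctions.invoker` on the HTTP function (the documented `gcloud functions add-iam-policy-binding FUNCTION_NAME --member=allUsers --role=roles/cloudfunctions.invoker`) so the IAM layer admits every request, then authenticate the caller inside the function by verifying the Firebase ID token. A Firebase ID token is issued by `securetoken.google.com` for the Firebase project audience and is not a credential that Cloud Functions IAM evaluates, which is why the function itself has to do the check. The verifier is injected so the handler runs offline; in a deployed function pass firebase-admin's `admin.auth().verifyIdToken`. `demoVerifier`, the token strings and the 401/403 split are assumptions of this example, not behaviour of the samples.

```javascript
'use strict';

// Added example, not code from the functions-samples repository. The function is deployed with
// allUsers as Cloud Functions Invoker, so every request reaches it; authentication happens here.
//
// `verifyIdToken(idToken, checkRevoked)` is injected so the logic can be exercised offline.
// In a deployed function pass firebase-admin's verifier: (t, r) => admin.auth().verifyIdToken(t, r)

// A Firebase ID token is a compact JWS: base64url segments separated by dots.
const BEARER_RE = /^Bearer\s+([A-Za-z0-9\-_.]+)$/i;

// Locate the ID token. Clients send `Authorization: Bearer <idToken>`; when the function sits
// behind Firebase Hosting, `__session` is the only cookie Hosting forwards, so it is the
// fallback. Returns null when no credential is present at all.
function extractIdToken(req) {
  const header = req.headers && req.headers.authorization;
  const match = header ? BEARER_RE.exec(header.trim()) : null;
  if (match) return match[1];
  if (req.cookies && typeof req.cookies.__session === 'string') return req.cookies.__session;
  return null;
}

// Core decision, returned as { status, user } rather than written to a response object so it
// is testable; `toExpressMiddleware` adapts it. Status codes are this example's convention:
//   401: no credential supplied (client should sign in / refresh and retry)
//   403: credential supplied but rejected (bad signature, wrong project, expired, revoked)
//   200: token verified; `user` holds the decoded claims (uid, email, ...)
async function authenticate(req, verifyIdToken, { checkRevoked = true } = {}) {
  const idToken = extractIdToken(req);
  if (!idToken) return { status: 401, user: null };
  try {
    // firebase-admin verifies the RS256 signature against Google's published keys and checks
    // iss (https://securetoken.google.com/<project-id>), aud (<project-id>), exp/iat, and,
    // with checkRevoked, whether the user's sessions were revoked in Firebase Auth.
    const decoded = await verifyIdToken(idToken, checkRevoked);
    if (!decoded || typeof decoded.uid !== 'string') return { status: 403, user: null };
    return { status: 200, user: decoded };
  } catch (err) {
    return { status: 403, user: null };
  }
}

// Express-style middleware for use inside functions.https.onRequest: rejects or sets req.user.
function toExpressMiddleware(verifyIdToken, opts) {
  return async (req, res, next) => {
    const result = await authenticate(req, verifyIdToken, opts);
    if (result.status !== 200) {
      if (result.status === 401) res.set('WWW-Authenticate', 'Bearer');
      res.status(result.status).send(result.status === 401 ? 'Unauthorized' : 'Forbidden');
      return;
    }
    req.user = result.user;
    next();
  };
}

// Constructed stand-in for firebase-admin, for local demonstration only: it accepts one
// hard-coded token string and treats a second one as revoked (rejected when checkRevoked is set).
async function demoVerifier(idToken, checkRevoked) {
  if (idToken === 'valid.token.demo') return { uid: 'user-1', email: 'user@example.com' };
  if (idToken === 'revoked.token.demo' && !checkRevoked) return { uid: 'user-2' };
  throw new Error('auth/argument-error');
}

module.exports = { extractIdToken, authenticate, toExpressMiddleware, demoVerifier };
```

In a real deployment the only line that changes is the verifier passed to `toExpressMiddleware`; everything else (which header to read, what each status means, `checkRevoked`) stays. Keep `checkRevoked` on for anything sensitive: it costs a lookup against Firebase Auth per request but makes `revokeRefreshTokens` take effect immediately instead of at token expiry.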

For sure @rielzzapps! I'm doing this.

Let's make it clear in the documentation?

brunopenso avatar Sep 02 '21 00:09 brunopenso