Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Google Cloud Run end-user authentication

Tags:

google-cloud-platform

google-cloud-run

I'm using Google Cloud Run for a simple POC web app. My hope was to lean on GCP IAM to handle authentication for the time being, similar to how Identity-Aware Proxy (IAP) can be used in conjunction with App Engine or GKE.

When I gave the Cloud Run Invoker role to a user, I expected authentication to work similar to how IAP does (login redirect auth flow), but I get a 403 error instead. I can curl it setting the Authorization header though.

Is it required to implement authentication in the app for user-facing web applications? I was hoping to do a quick prototype by relying on IAM. If it is required, what would be the recommended way to implement OAuth2 authentication for a simple prototype? Firebase Authentication?

like image 562
Tyler Treat Avatar asked May 10 '19 01:05

Tyler Treat

2 Answers

Run PM here,

Yes, right now you're required to host your own OAuth client, e.g.:

<html>
  <head>
    <title>Google Sign-in + Run</title>
    <script src="https://apis.google.com/js/platform.js"></script>
    <script type='text/javascript' src='https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js'></script>
    <meta name="google-signin-client_id" content="{OAUTH_CLIENT_ID}">
  </head>

  <body>
      <div class="g-signin2" data-onsuccess="onSignIn"></div></br>
    <div>
      <div id="returned-text"></div></br>
      <button id="test">Test</button>
    </div>
    <script>
    var id_token;

    function onSignIn(googleUser) {
      id_token = googleUser.getAuthResponse().id_token;
    }

    $(document).ready(function() {
      $('#test').on('click', function () {
        var serviceURL = 'https://...';

        var xhr = new XMLHttpRequest();
        xhr.open('GET', functionURL);
        xhr.setRequestHeader('Authorization', 'bearer ' + id_token);
        xhr.onreadystatechange = function() {
            if (this.readyState == 4 && this.status == 200) {
               $('#returned-text').text(xhr.responseText);
            }
        };
        xhr.send();
      });
    });
    </script>
  </body>
</html>

Note that CORS will be wonky here, and we recommend hosting on the same origin to get rid of this (e.g. use the Firebase Hosting integration).

In the future, it's likely we'll offer IAP (which hosts an OAuth client for you).

like image 89
Mike McDonald Avatar answered Nov 13 '22 11:11

Mike McDonald

Inspired by @mike's approach I created a Cloud Run hosted version of an Identity Aware Proxy in a Terraform config.

https://futurice.com/blog/identity-aware-proxy-for-google-cloud-run

like image 21
Tom Larkworthy Avatar answered Nov 13 '22 09:11

Tom Larkworthy
Sign in to Comment

Related questions

http -> https redirect in Google Kubernetes Engine
App Engine: Static Files Not Updating on Deploy
What's the difference between docker BRIDGE and HOST modes?
Getting GCM Registration ID using Firebase
Google Cloud Compute Engine refusing connections despite firewall rule
How can I paste from the clipboard?
gcloud ml-engine local predict RuntimeError: Bad magic number in .pyc file
Delete untagged images on Google Cloud Registry [closed]
gcloud installation permission issue on Ubuntu 12.04
ImportError: No module named google_compute_engine
How to compute for php-fpm child process on a Kubernetes Cluster
Google wants to block OAuth sign-in due to an embedded browser which doesn't exist
Is there an equivalent of AWS "security groups" between App Engine and Compute Engine instances?
Jenkins with Google Cloud Source Repository
SSL with Google App Engine custom domain
Trying to sign up for a free trial
Can Google's AutoML export trained models for offline inference?
How can I specify a region for the Cloud Storage buckets used by Cloud Build for a Cloud Run deployment?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!