DEV Community

GCP Api Gateway: Firebase Authentication

Alex Mammay on September 23, 2020

Google Cloud Platform Api Gateway github repo --> here What is API Gateway? As per the documentation, Api gateway is a fu...
Rafael H

Great article @amammay ,

I am trying to accomplish something similar but with an API key approach. I followed similar steps and changed the openapi yml to use API key as the security definition. Unfortunately, I keep getting 403 errors even after I created an API key with no restrictions. Would you have some tips when integrating API Gateway with API keys on Cloud Run? Appreciate your help

Alex Mammay

Yea sure thing! I'll dig into it, and write up a post about it 😀

Alex Mammay

@rhernand3z after doing a bit of digging, the main thing I could see you having problems with for API key auth is to make sure you have this in your security definition

securityDefinitions:
  # This section configures basic authentication with an API key.
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"

and in addition to create the api key entry for

API_ID specifies the name of your API.
PROJECT_ID specifies the name of your Google Cloud project.

gcloud services enable API_ID.apigateway.PROJECT_ID.cloud.goog

I believe you still need to run that command even if your API key is set to unrestricted, to create the entry in GCP behind the scenes.

Rafael H

Hey Alex,

I'll give this a shot, I didn't execute the last step via gcloud services enable..., might have been the culprit. Thanks for digging into this 👍

Rafael H

Hey @amammay -- I was able to get it working properly. You were right the culprit was not executing:

gcloud services enable ...

Thanks for your help and a great article!

Ernesto Vanegas • Edited

Hi Alex @amammay ! Thank you for the article! It's good to see that the google product is starting to get traction because there's still missing some documentation around it. I have a case where I am trying to use two security methods: api-key OR firebase. But whenever I place the firebase authentication, it only works with that one. Any pointers to solve this?


securityDefinitions:
  api_key:
    type: "apiKey"
    name: "x-api-key"
    in: "header"
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    # Replace YOUR-PROJECT-ID with your project ID
    x-google-issuer: "securetoken.google.com/YOUR-PROJEC..."
    x-google-jwks_uri: "googleapis.com/service_accounts/v1..."
    x-google-audiences: "YOUR-PROJECT-ID"
schemes:
  - https
produces:
  - application/json
paths:
  /scoring:
    post:
      summary: Score
      operationId: score-v1
      security:
        - api_key: []
        - firebase: []
      x-google-backend:
        address: MYBACKEND
      responses:
        '200':
          description: OK
        '401':
          description: Not authorized

If I use firebase it works, but if I use api-key it says:

{
"message": "Jwt is missing",
"code": 401
}

Alex Mammay

Hmmm, that is quite interesting; your swagger definition looks good. I'll have to give it a try and see if it produces similar results.

Ernesto Vanegas

@amammay So... I've tried recreating the gateway, changing different alternatives of security order, but nothing. I've created a bug in their issue tracker but I think it will take some time to fix...
issuetracker.google.com/issues/186...

Phill Duffy

There doesn't seem to be a lot of help around this online, thank you for your post.

I have a question around verifying the token, I am using NodeJS.

I am able to get the User information out of 'X-Apigateway-Api-Userinfo' - I am not sure if I need to use the Admin SDK to verify this Token, or whether I now just pull out the information, like you do, and trust the token has been verified - is that right?

Alex Mammay

Yea, you should be able to pull the base64 encoded token straight from X-Apigateway-Api-Userinfo. Once you grab the header you should be able to base64 decode it and it will have the correct JSON structure.

techd1984

Hi Alex, Nice article @amammay

I've a cloud run in private mode with only authenticated users enabled, I'm not sure how'd I authenticate with firebase and where do you get the token from? As per other documents it looks like you need another layer for authentication and this model won't work in case cloud run is private and no-allow-unauthenticated and since cloud run supports IAM what'd be the use of this in that case?

Alex Mammay

@techd1984 sorry for getting back to you late, but the overall flow is like so

your web app (managing your users with the firebase js sdk for them to sign in etc.) get their firebase auth token --- http call with auth in header ---> api gateway (api gateway contains the auth definition to say to use firebase auth to verify access to the endpoint specified in the yaml file --- api gateway proxies request to your cloud run endpoint using service account credentials ---> your private cloud run endpoint.

this allows you to make sure native GCP iam is used to access the raw cloud run url, and only a subset of your endpoints is exposed to your users with firebase auth. As for auth with firebase... check out this video to get some more context around firebase youtube.com/watch?v=9kRgVxULbag at the end of the day you would just be calling api gateway with your end users tokens.

Andres Osorio

I have a question, how can we change the url of the gateway api for our custom domain. And what is the difference with Google Cloud Endpoints?

Alex Mammay
  1. So currently you can't assign a custom domain to API Gateway yet; I would imagine at some point in the future you could register a custom domain to it (either via some native control or at a GCLB level to map it as a Serverless NEG).
  2. The difference between this and cloud endpoints is that this is a managed service that you don't have to worry about running the underlying infrastructure to.
Cheng Chin Lim

Hi, if the requests are unauthenticated, will they still be passed to our services (App Engine)? I am afraid of getting a huge bill due to DDOS attack. Thank you.

Alex Mammay

The requests will not be forwarded to the target endpoint if the auth is missing (as long as you have auth strictly defined within your open api spec).