How to protect my http-triggered GCP Function with oauth/jwt?

Question

With AWS Lambda and API Gateway, I can deploy a function exposed with http.

With Cognito and API Gateway, I can protect the function with oauth2 and a jwt token.

---

With GCP Function and the http-trigger option, I can deploy a function exposed with http.

Is there a "GCP Cognito alternative" I can used to protect my function with oauth2 and a jwt token ?

---

I have tried with "Identity Platform". I can obtain a (not jwt) token with : https://accounts.google.com/o/oauth2/v2/auth?client_id=[my client id]&redirect_uri=[my redirect uri]&response_type=token&scope=openid

But this give me a 401 : curl -L -v -XGET --header "Authorization: Bearer [the not jwt token]"https://europe-west2-[my project].cloudfunctions.net/my-hello-function"

Thanks !

Answer 1

If you want to use Cloud Identity Platform, that is a Google Cloud packaging of Firebase Auth, you can use Cloud Endpoint, which is an API Gateway that accept API Key and firebase auth OAuth2 token.

I wrote an article to explain how to protect your serverless product (Cloud Function, Cloud Run and App Engine) with an API Key. But simply update the security definition with the firebase, and it should work!

Answer 2

You can manage access to an HTTP Cloud Function using IAM roles. You will want to assign the roles/cloudfunctions.invoker role to a service account, and have the caller provide the oauth credentials to the function in the Authorization header.

The most relevant walkthrough can be read here.