JayakumarSivasankar

Reputation: 53

To authenticate the client that invokes Google cloud function in Java

I have a Google Cloud Function in Java. The client will invoke the function using the HTTP trigger URL.

But that is not secure. I have gone through some docs saying that you should pass a token or client ID and then verify it on the server side.

Can anyone explain that in detail and please provide a code example, if any?

My doubt is how to authenticate the client when they invoke the function using the HTTP trigger.

Upvotes: 0

Views: 683

Answers (2)

guillaume blaquiere

Reputation: 75810

This page explains quite well all the capabilities that you have to authenticate a requester on Cloud Functions.

If you have users, the best way is to use Firebase Auth (or Google Cloud Identity Platform, which is simply a more advanced solution than Firebase Auth, with more features).

However, you need to grant all your users the cloudfunction.invoker role to allow them to invoke the Cloud Functions. It could be difficult. You can also perform the check on your side, but in this case you remove the security (filter) layer of Google and you have to check all the traffic by yourself (not really safe, in terms of billing and in case of attack).

The latest solution, API keys, is not recommended, especially for the users. But for machine to machine it's sometimes the only solution. However, there isn't an out-of-the-box solution, and for this I wrote an article that explains how to create a Cloud Endpoint (or now a Cloud API Gateway, which is the serverless solution of Cloud Endpoint with ESPv2) to accept API keys.

With this latest solution, if you change your security definition, you can also accept OAuth2 tokens coming from Firebase Auth (or Cloud Identity Platform), but this time you don't need to grant all the users the Cloud Functions IAM role. The token only needs to be valid, and it's the Cloud Endpoint service account which is used to perform the call (and thus which needs to be authorized on the Cloud Functions).

In addition, because you can accept OAuth2 tokens, you can also accept non-Google tokens, and thus have your users in any OAuth2-compliant IdP (Keycloak, Okta, ...).

Upvotes: 2
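The "perform the check on your side" option from the answer above, as an added example that is not code from the answer or from Google's documentation: a Java HTTP function that rejects any request without a valid Google-signed ID token. It assumes the `functions-framework-api` and `google-auth-library-oauth2-http` dependencies, a caller that sends the token as `Authorization: Bearer <token>`, and a hypothetical class name and placeholder audience URL.

```java
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.auth.oauth2.TokenVerifier;
import com.google.cloud.functions.HttpFunction;
import com.google.cloud.functions.HttpRequest;
import com.google.cloud.functions.HttpResponse;
import java.io.IOException;
import java.util.Optional;

// Hypothetical class name, used as the function's entry point.
public class AuthenticatedFunction implements HttpFunction {
  // Placeholder: the audience the caller requested its ID token for (assumed: the trigger URL).
  private static final String EXPECTED_AUDIENCE =
      "https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME";
  // Built once per instance so the fetched Google signing keys are cached across requests.
  // Assumption: callers present Google-signed ID tokens, whose issuer is the value below.
  private static final TokenVerifier VERIFIER = TokenVerifier.newBuilder()
      .setAudience(EXPECTED_AUDIENCE)
      .setIssuer("https://accounts.google.com")
      .build();

  @Override
  public void service(HttpRequest request, HttpResponse response) throws IOException {
    Optional<String> token = bearerToken(request);
    if (token.isEmpty()) {
      reject(response, "missing bearer token");
      return;
    }
    try {
      // Verifies the signature, expiry, issuer and audience; throws on any failure.
      JsonWebSignature jws = VERIFIER.verify(token.get());
      response.getWriter().write("Hello " + jws.getPayload().getSubject());
    } catch (TokenVerifier.VerificationException e) {
      reject(response, "invalid token");
    }
  }

  // Extracts the token from "Authorization: Bearer <token>", if present and non-empty.
  static Optional<String> bearerToken(HttpRequest request) {
    return request.getFirstHeader("Authorization")
        .filter(h -> h.regionMatches(true, 0, "Bearer ", 0, 7))
        .map(h -> h.substring(7).trim())
        .filter(t -> !t.isEmpty());
  }

  private static void reject(HttpResponse response, String reason) throws IOException {
    response.setStatusCode(401);
    response.appendHeader("WWW-Authenticate", "Bearer");
    response.getWriter().write(reason);
  }
}
```

As the answer notes, with this approach every request reaches your code before it is rejected, so the function is billed for unauthenticated traffic as well.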

S. Kadakov

Reputation: 919

You could use an external OAuth server like Keycloak (https://github.com/keycloak/keycloak), or use something like JSON Web Tokens -- https://jwt.io/ -- available for various languages, suitable for microservices.

Upvotes: 0
