I want to trigger my Cloud Function via HTTP, but also authenticated with IAM and a service account auth0-hook that I created for this purpose.
I generated a private key like this:
gcloud iam service-accounts keys create ~/.gcp-keys/auth0-hook-sa.key.json [email protected]
and applied this service-account to my cloud function.
On the outside - in the Auth0 Hook code - I now need to fetch the credentials first and send the fetched token with the POST request to the Cloud Function endpoint.
My problem here is that I can not use any of the Google Auth client libraries (Node.js in this case) because Auth0 Hooks can not import any fancy libraries as it seems.
I am hereby stuck with only using var request = require('[email protected]'); to make this all work.
I'd like to ask how I can manage this? There is some authentication service I can call, right? But what is the API for that one? In the docs I could not find the manual way, but only the client library documentation.
Upvotes: 1
Views: 2113
I am hereby stuck with only using var request = require('[email protected]'); to make this all work. I'd like to ask how I can manage this? There is some authentication service I can call right?
Google does not provide a simple HTTP endpoint that you can call. If you think through the process, you need the authorization to call an endpoint that generates authorization credentials. Chicken and Egg situation.
Google does not yet accept Auth0 credentials at an endpoint to exchange for Google credentials. However, keep reading for more information about Workload Identity Federation, which can/might provide that ability eventually.
There is no simple answer for your goal of creating an Auth0 hook that can generate a Google Access or Identity Token. Below are details to help understand what is possible.
To go from a Google Cloud service account JSON key file to an Access Token requires libraries also. The process is to create a JWT, sign the JWT, exchange the JWT for an access token. I wrote an article that shows how to do this in Python. The process for Node.js is similar. Your issue is that the process is too complicated for an Auth0 hook.
Google Cloud – Creating OAuth Access Tokens for REST API Calls
Google has recently introduced Google Workload Identity Federation which supports exchanging OIDC tokens for a Google OAuth access token via federation and service account impersonation. The process is just a series of HTTP method calls. I am authoring several articles on how to do this, but I am not finished at this time.
Accessing resources from an OIDC identity provider
One possibility is to create another Cloud Function or Cloud Run service that you can call in a single HTTP GET that creates the tokens for you. That way you can use Google Client libraries. Your Function/Run code would receive an HTTP GET request, interface with the client libraries to create the access token and return the token as the HTTP GET response. However, that creates the Chicken and Egg situation. You need to authorize the request to the Function/Run code to get an access token.
You may want to change strategies and instead disable Cloud Functions authorization and verify the Auth0 Identity Token within your code and skip Google-based authorization.
Auth0: Validate JSON Web Tokens
Pay attention to whatever process you choose as getting authorization correct and secure is not easy.
Note: Your question states "I want to trigger my Cloud Function via HTTP". I am not sure what method you plan to use. If you are using Cloud Functions Authorization, that requires an OAuth Identity Token. That adds more steps to the process. I have not figured out how to do that with Workload Identity Federation, but the Functions/Run code can easily handle that for you.
In summary, Cloud Functions are intended for small, lightweight code in a serverless framework. Once you add authorization, complexity grows. Provided you stick with Google Cloud authorization, everything is easy. Once you try to go from one identity system (Auth0) to another (Google Cloud IAM), the complexity jumps dramatically.
Upvotes: 2