Why can't I use `allAuthenticatedUsers` for my Firebase Cloud Function?

Question

When deploying Firebase Functions using the Firebase CLI, they are configured so that the Cloud Functions Invoker permission is granted to allUsers. With such a setting the code below functions as expected.

The Cloud Functions Invoker permission can also be granted to allAuthenticatedUsers. However, when I implement this change for addMessage, I only ever get a UNAUTHENTICATED error response using the code below.

Why won't allAuthenticatedUsers work for this Firebase Cloud Function?

---

Note: This Q&A is a result of a now-deleted question posted by Furkan Yurdakul, regarding why allAuthenticatedUsers wasn't working with his Firebase Callable Function for his Firebase app

---

MWE based on the documentation, with addMessage defined here:

firebase.auth().signInAnonymously() // for the sake of the MWE, this will normally be Facebook, Google, etc
  .then((credential) => {
    // logged in successfully, call my function
    const addMessage = firebase.functions().httpsCallable('addMessage');
    return addMessage({ text: messageText });
  })
  .then((result) => {
    // Read result of the Cloud Function.
    const sanitizedMessage = result.data.text;
    alert('The sanitized message is: ' + sanitizedMessage);
  })
  .catch((error) => {
    // something went wrong, keeping it simple for the MWE
    const errorCode = error.code;
    const errorMessage = error.message;

    if (errorCode === 'auth/operation-not-allowed') {
      alert('You must enable Anonymous auth in the Firebase Console.');
    } else {
      console.error(error);
    }
  });

Answer 1

Simply put, if the ID token passed to a Cloud Function represents a Google account (that used Google Sign-In through Firebase or Google itself), it works, otherwise, it doesn't.

Think of allAuthenticatedUsers as allAuthenticatedGoogleUsers instead of allAuthenticatedFirebaseUsers.

Background Information

For Callable Firebase Functions used with the Firebase Client SDKs, you will normally grant allUsers the permission to call it (the default setting Firebase CLI deployed functions).

A valid authenticated client request for a Google Cloud Functions must have an Authorization: Bearer ID_TOKEN header (preferred) or ?access_token=ID_TOKEN. Here, ID_TOKEN is a signed-in Google user's ID token as a JWT.

When Firebase Client SDKs call a Callable Function, they set the Authorization header for you with the current user's ID token (if the user is signed in, here). This is done so that the user's authentication token can be used in the context parameter of onCall() functions. Importantly though, a Firebase user's ID token doesn't always represent a Google user which makes it incompatible with allAuthenticatedUsers.

Because of this, you will have to gate your callable function in your code by checking context.auth and it's properties like below.

export const addMessage = functions.https.onCall((data, context) => {
  if (!context.auth) {
    // Throwing a HttpsError so that the client gets the error details.
    throw new functions.https.HttpsError(
      'failed-precondition',
      'The function must be called while authenticated.'
    );
  }

  // a valid user is logged in

  // do work
});

---

Addendum on 403 Forbidden Errors

If your function is consistently throwing a 403 error after being deployed, this is likely because you are using an outdated copy of the Firebase CLI, as highlighted in the documentation:

Caution: New HTTP and HTTP callable functions deployed with any Firebase CLI lower than version 7.7.0 are private by default and throw HTTP 403 errors when invoked. Either explicitly make these functions public or update your Firebase CLI before you deploy any new functions.