How to authenticate a cloud function in a remote API - firebase

I want to protect an API endpoint that is used by a Firebase cloud function. My plan was to use the authentication system of Firebase by using custom tokens generated in Firebase with the createCustomToken() method, send them with the Authorization header and then validate those in the API. I tried doing this with verifyIdToken() but it turns out that this is the wrong approach.
How can I validate custom tokens in my API, or what is the recommended approach here?

Related

Getting Firebase Bearer token by simple HttpCall (REST API)

I am currently facing the following situation.
Sending Firebase Messages via HttpCall via the google API endpoint:
https://fcm.googleapis.com/v1/projects/projectName/messages:send
Here we have to use OAuth2.0 with a valid Bearer Token like discussed in this question:
What Bearer token should I be using for Firebase Cloud Messaging testing?
After following these steps I was able to send Firebase Messages via the google API.
Now I would like to get the Bearer Token via a HttpCall without doing the manual step with the Playground https://developers.google.com/oauthplayground.
I cannot find any documentation on how to "Exchange authorization code for tokens" via simple HttpCall. I have no possibility to implement any code because I would like to send Firebase messages inside a "Dataverse Cloud Flow/PowerAutomate", therefore no possibility to load any external DLL (like the Firebase Admin Dll, which would implement this functionality).
I am not,looking for a solution which depends on external Dll like https://firebase.google.com/docs/database/rest/auth#authenticate_with_an_access_token or Pre-RequestScript
Any help is appreciated
What you are after is fundamentally not possible, since you can't hook the result of the bearer token into the same URL process to send messages. By the sounds of it you are unable to fetch one URL, process the results from that URL to pass onto the other which is what the REST API would do.
As such, you will need a secondary service that you can simply send messages to and it will invoke the Message and authentication for you, a bridge as you will. You can use Firebase Cloud Functions with an onRequest call or a simple express server on a Google Compute Engine instance (f1 free tier).
Then you can send your message request from your service to this bridge which will authenticate for you and send the message, it would be a fairly simple script to implement, specially with the admin-sdk.

Question regarding using both Firebase and REST APIs in application

I have been creating a flutter app and am using firebase for authentication.
Is it possible and best practice to use the firebase only for the authentication and use REST APIs via http package for the CRUD operations instead of using cloud firestore?
Yes, it sure is possible, and common. If you want to send the user credentials to your backend for verification, you should use the Firebase Admin SDK to verify a user ID token.

Does Authenticated Cloud Run instance natively support Firebase Authentication?

I have read this page a few times it implies and does not imply that if I enable authentication when deploying a Cloud Run instance I can use Firebase Auth to get through to the service.
I tried passing in a valid Firebase user idToken and did not get through. Was I doing something wrong or is the only way to get through to Cloud Run when Authentication is enabled to use google sign in?
Steps to reproduce:
When deploying to Cloud Run select Yes for authenticated
Generate a firebase auth token using REST call from here
make api call to Cloud run instance using header bellow and ID_TOKEN from step 2 above
Authorization: Bearer ID_TOKEN
According with the comment, the use case is to authorize only the registered, and the authenticated user (with Firebase auth), to use a Cloud Run endpoint deployed privately.
You can't do it directly, you need to use an additional layer. Here I propose to use Cloud Endpoint. I wrote an article on this to set up an authentication with API Key.
You have the principles of Cloud Endpoint there. You simply have to change the security definition from API Key to Firebase auth. You can found documentation here
Note: The authentication methods can evolved the next quarters. Stay tuned

Pass user auth to Firestore from Cloud functions

So I'm trying to build an http endpoint using a Cloud function. This cloud function is only invoked after the user signs in. So I can pass the user token and verify it on the server side. I understand how to do this.
I also have security rules on my Firestore collections with authorization rules set up using request.auth.uid. This also just works if I use the firebase web sdk.
But my question is - how do I use the same authorization rules via cloud functions? I don't want to rewrite my auth logic separately for the http endpoint.
Security rules only apply to access from web and mobile SDKs. It does not apply to code using any of the server SDKs, including the Firebase Admin SDK and anything you would use with Cloud Functions. You will have to apply your own logic to check the validity of data before it's added to Firestore. The same is true for Realtime Database and Cloud Storage security rules.
As you use the admin sdk in your functions, the check for the auth looks a bit different. Just watch this video from The Net Ninja. He is explaining how to do this. Just use the generated token instead what’s been used in the video.

generating access token in Cloud Functions for service-service auth

I am trying to establish service-service authentication between Cloud Functions and Cloud Endpoints.
I am trying to send a HTTP request inside a Firebase Cloud Function to my API running on Google App Engine and managed by Google Cloud Endpoints.
As stated in google docs, the service account that Firebase Cloud Functions uses is ____#cloudservices.gserviceaccount.com
I added that issuer in the security definition of my openAPI config(cloud endpoints). However, I could not find a way to create an access token in Cloud Functions of that service account.
How can I generate an access token in Cloud Functions to authenticate itself to Cloud Endpoints? How am I supposed to sign the JWT on cloud functions to request an access token?
Use Application Default Credentials.

Resources