Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
234 views
in Technique[技术] by (71.8m points)

Firebase Cloud Function HTTP Request Authorization

I have a scenario where I need to do a secure request a Firebase Cloud Function from an external server using a HTTP request. In order to request it I need to send a bearer JWT token on the authorization header. After sometime looking at the Google documents to Firebase/GCP I've found many different ways to authenticate using google different APIs, but I'm kinda lost on it.

I know that I need to use a service account in order to identify the machine that is calling instead a common human-user credentials. I also know that the service account provides a JSON file that contains secure information to identify that service account, like the private key. By looking different docs I found this one that explains how to generate and request a token. After following those steps, I'm facing a 403 status when I try to call the cloud function using the resulting token.

I doubled checked the roles my service account has and I do have the ones the docs have pointed me.

Does anyone knows or have any suggestions how to proceed to have cloud function authorized calls by a machine (not human) interaction.

Edit 1:

As requested here I'm posting my JWT generator code:

const {
  private_key_id,
  private_key,
  client_email,
} = require('./serviceAccount.json');

const jwt = require('jsonwebtoken');

const payload = {
  "kid": private_key_id,
  "iss": client_email,
  "sub": client_email,
  "iat": 1611257400,
  "exp": 1611260940,
  "aud": "https://oauth2.googleapis.com/token",
  "target_audience": "https://<project- region>.cloudfunctions.net/helloWorld"
};

const token = jwt.sign(payload, private_key, { algorithm: 'RS256', header: {"alg":"RS256","typ":"JWT"} });

console.log(token);

With the result token from above I'm sending a POST request to https://oauth2.googleapis.com/token where the token is sent as the assertion field on a form data.

After suggestions here I did some research and found this blog with instructions to generate a Identity token using my service account. So I ran:

# Load the service account identity
gcloud auth activate-service-account --key-file=key.json
# Generate an id token
gcloud auth print-identity-token

The resulting token gave me the same result a 403 - Forbidden error. The interesting part is that using my user credentials and using gcloud to generate an identity token I was able to request the Cloud function with a 200 result.

I'm thinking that I'm missing some sort of role/privilege/scope on my service account configuration.

question from:https://stackoverflow.com/questions/65837253/firebase-cloud-function-http-request-authorization

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Make sure that the service account has assigned the cloudfunctions.functions.invoke in order to guarantee that the Cloud Function can be triggered from an external server using an HTTP request.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...