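If your application handles requests from users, it's a best practice to restrict access to only the allowed users.
Users do not typically have IAM permission on your Google Cloud project or Cloud Run service.
We distinguish two types of users:
End users: Users of your application who do not necessarily belong to your organization. They typically need to register an account for themselves.
Internal users: Users who are explicitly granted access to your application by an administrator in your organization. They typically belong to your organization.
Authenticating end users
If you want to authenticate users using email/password, phone number, social providers like Google, Facebook or GitHub, or a custom authentication mechanism, you can use Identity Platform.
Using Firebase Authentication is similar to using Identity Platform.
You need a public web or mobile app that handles the sign-in flow and then makes authenticated API calls to a Cloud Run service.
This public web app can itself be hosted on a public Cloud Run service.
For a complete tutorial on using Identity Platform for end user authentication, refer to the End user authentication for Cloud Run tutorial.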
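The server side of this flow, as an added example that is not part of the original page or Google's sample code: the Cloud Run service reads the `Authorization: Bearer ID_TOKEN` header and fails closed unless the token verifies. `bearer_token`, `authenticate` and `stub_verify` are hypothetical names; `firebase_verifier` assumes the `firebase-admin` Python package and Application Default Credentials.

```python
from typing import Callable, Mapping, Optional, Tuple


def firebase_verifier() -> Callable[[str], dict]:
    """Real verifier. Assumes firebase-admin is installed and Application
    Default Credentials are available (as on Cloud Run)."""
    import firebase_admin
    from firebase_admin import auth
    try:
        firebase_admin.get_app()
    except ValueError:  # no default app yet
        firebase_admin.initialize_app()
    return auth.verify_id_token  # checks signature, expiry, audience, issuer


def bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Accept exactly `Bearer <token>`; any other shape is rejected."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def authenticate(headers: Mapping[str, str],
                 verify: Callable[[str], dict]) -> Tuple[int, Optional[dict]]:
    """Return (200, claims) for a verified ID token, (401, None) otherwise."""
    token = bearer_token(headers)
    if token is None:
        return 401, None
    try:
        claims = verify(token)
    except Exception:
        # Malformed, expired, wrong-project or badly signed tokens all fail closed.
        return 401, None
    if not claims.get("uid"):
        return 401, None
    return 200, claims


def stub_verify(token: str) -> dict:
    """Constructed stand-in for the SDK so the example runs offline."""
    if token != "constructed-valid-token":
        raise ValueError("invalid ID token")
    return {"uid": "user-123", "email": "user@example.com"}


if __name__ == "__main__":
    print(authenticate({"Authorization": "Bearer constructed-valid-token"}, stub_verify))
    print(authenticate({"Authorization": "Bearer forged"}, stub_verify))
```

In a deployed service, pass `firebase_verifier()` as `verify` and use `claims["uid"]` as the caller's identity for authorization decisions.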
1. Add code to your Cloud Run service to [verify ID tokens](https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_the_firebase_admin_sdk).
2. [Deploy your Cloud Run service publicly](/run/docs/authenticating/public).
3. [Set up Identity Platform in your project](/identity-platform/docs/how-to).
4. Do the following in your web or mobile app:
   1. Use the appropriate Firebase Auth client library to get an ID token:
      - Android: Use the [`GetTokenResult().getToken()`](https://firebase.google.com/docs/reference/android/com/google/firebase/auth/GetTokenResult) method.
      - iOS: Use the [`User.getIDTokenResult(completion:)`](https://firebase.google.com/docs/reference/swift/firebaseauth/api/reference/Classes/User#getidtokenresultcompletion) method.
      - Web: Use the [`firebase.User.getIdToken()`](https://firebase.google.com/docs/reference/js/auth.user.md#usergetidtoken) method.
   2. Include the ID token in an `Authorization: Bearer ID_TOKEN` header in the request to the service.
You can use any of the following methods to access user profile information:
- Use the Firebase Admin SDK to make a network request to [retrieve user data](https://firebase.google.com/docs/auth/admin/manage-users#retrieve_user_data).
- Use a [Google API Client Library](https://developers.google.com/identity/sign-in/web/backend-auth#using-a-google-api-client-library) to retrieve user data using the method best suited for your chosen runtime.
For an end-to-end walkthrough of an application using this authentication technique, follow the [end user authentication for Cloud Run tutorial](/run/docs/tutorials/identity-platform).
Note: Cloud Run does not assist in the sharing of sessions between instances and does not guarantee session affinity to a specific instance.
Authenticating internal users
For internal user authentication, use [Identity-Aware Proxy](/iap).
To set up Identity-Aware Proxy for a Cloud Run service, see [Configure Identity-Aware Proxy for Cloud Run](/run/docs/securing/identity-aware-proxy-cloud-run).
For preflighted [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) requests with authenticated Cloud Run services, we recommend that you [Configure IAP for Cloud Run](/run/docs/securing/identity-aware-proxy-cloud-run) instead of using IAM authentication. This lets you configure IAP to [allow unauthenticated OPTIONS requests](/iap/docs/customizing#allowing_http_options_requests_cors_preflight), which satisfies the browser's preflight check while ensuring that all other requests are authenticated.
Even when IAP allows the OPTIONS request, the application code you deploy to Cloud Run must still handle the CORS preflight request and the actual request that follows by sending the appropriate CORS headers.
To learn how to authenticate users or service accounts to an Identity-Aware Proxy-secured Cloud Run service using OAuth 2.0, refer to the documentation for [Programmatic authentication](/iap/docs/authentication-howto).
Last updated: 2025-09-04 (UTC)