Authenticating users

If your application handles requests from users, it's a best practice to restrict access to only the allowed users. Users do not typically have IAM permission on your Google Cloud project or Cloud Run service.

We distinguish two types of users:

  • End users: Users of your application who do not necessarily belong to your organization. They typically need to register an account for themselves.
  • Internal users: Users who are explicitly granted access to your application by an administrator in your organization. They typically belong to your organization.

Authenticating end users

If you want to authenticate users using email/password, phone number, social providers like Google, Facebook or GitHub, or a custom authentication mechanism, you can use Identity Platform. Using Firebase Authentication is similar to using Identity Platform.

You need a public web or mobile app that handles the sign-in flow and then makes authenticated API calls to a Cloud Run service. This public web app can itself be hosted on a public Cloud Run service.

For a complete tutorial on using Identity Platform for end user authentication, refer to the End user authentication for Cloud Run tutorial.

  1. Add code to your Cloud Run service to verify ID tokens.

  2. Deploy your Cloud Run service publicly.

  3. Set up Identity Platform in your project

  4. Do the following in your web or mobile app:

    1. Use the appropriate Firebase Auth client library to get an ID token:
    2. Include the ID token in an Authorization: Bearer ID_TOKEN header in the request to the service.

If you want to access user profile information, you can use the Firebase Admin SDK to retrieve user data.

For an end-to-end walkthrough of an application using this authentication technique, follow the end user authentication for Cloud Run tutorial.

Authenticating internal users

For internal user authentication, you can use Identity-Aware Proxy.

To set up Identity-Aware Proxy for an existing Cloud Run service, refer to the documentation for enabling Identity-Aware Proxy for Cloud Run.

For instructions of how to authenticate users or service accounts to an Identity-Aware Proxy-secured Cloud Run service using OAuth 2.0, refer to the documentation for Programmatic authentication.