Authenticating end users

Most applications handle requests from end users, and it is a best practice to restrict access to only the allowed end users. There are two ways to do this on Cloud Run: integrate Google Sign-In and grant users the roles/run.invoker IAM role, so that Cloud Run checks the ID token before the request reaches your service; or implement Firebase Authentication (or Identity Platform) and verify the ID token in your own code.

Using Google Sign-In

First, you'll need to enable Google Sign-In in your project:

  1. Create an OAuth 2.0 client ID for your app in the same project as the service you want to secure:
    1. Go to the Credentials page.
    2. Select the project with the service you want to secure.
    3. Click Create credentials, then select OAuth Client ID.
      1. You may be required to configure your OAuth consent screen before you can create a client ID. If so, do that first and then continue.
    4. Select the Application type for which you want to create credentials.
    5. Add a Name and Restrictions if appropriate, then click Create.
  2. Re-deploy the service you want to secure. This will ensure that the correct client ID is set on the service.

If you have multiple OAuth client IDs (for example, one each for Android, iOS, and web), you must re-deploy your service(s) after adding each one so that the service picks up the change. Likewise, if you delete a client ID, you must re-deploy your service(s) so that tokens issued for that client ID are denied. All client IDs within the project are accepted; tokens issued for a client ID in a different project are rejected.

In your web or mobile app, you'll need to:

  1. Get an ID token for the OAuth client ID.
  2. Include the ID token in an Authorization: Bearer ID_TOKEN header in the request to the service.

Cloud Run validates the token and either allows the request or rejects it before it reaches your service. A rejected request does not start a container instance, and you are not billed for it.

Getting user profile information

If you want to access user profile information, you can pull the token out of the Authorization header and send it to the Validate Token endpoint (Google's tokeninfo endpoint).

The endpoint returns the decoded body of the ID token, which contains the following claims:

{
 // These six fields are included in all Google ID Tokens.
 "iss": "https://accounts.google.com",
 "sub": "110169484474386276334",
 "azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
 "aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
 "iat": "1433978353",
 "exp": "1433981953",

 // These seven fields are only included when the user has granted the "profile"
 // and "email" OAuth scopes to the application.
 "email": "testuser@gmail.com",
 "email_verified": "true",
 "name" : "Test User",
 "picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
 "given_name": "Test",
 "family_name": "User",
 "locale": "en"
}
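The following Node.js code is an added example, not code from the Cloud Run documentation. It pulls the bearer token out of the Authorization header, decodes the ID token body locally, re-checks the iss, aud and exp claims against the service's own client IDs, and shows how to call the tokeninfo endpoint for the same decoded body. The function names (getBearerToken, decodeClaims, checkClaims, fetchTokenInfo), the injectable fetchImpl parameter, and the unsigned sample token are this example's own; the client ID is the placeholder from the page. Decoding the payload without checking the signature is only acceptable because Cloud Run has already verified the token before the request reached the container, which holds only when the service requires roles/run.invoker and is not deployed publicly.

```javascript
// Added example (not the Cloud Run docs' own code). Assumes Node.js >= 18
// (global fetch, Buffer base64url support).

// Client IDs this service accepts; the value is the page's placeholder, not a real client.
const ALLOWED_CLIENT_IDS = new Set([
  '1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com',
]);

// Pull the bearer token out of the Authorization header; null if absent or malformed.
function getBearerToken(headers) {
  const value = String(headers.authorization || headers.Authorization || '').trim();
  const m = /^Bearer\s+([A-Za-z0-9\-_.]+)$/.exec(value);
  return m ? m[1] : null;
}

// Decode the JWT payload segment WITHOUT verifying the signature. Only safe here
// because Cloud Run's IAM check already rejected unsigned or forged tokens.
function decodeClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Defence in depth: re-check issuer, audience and expiry inside the service.
// Returns the list of failed claims (empty when everything checks out).
function checkClaims(claims, { allowedAudiences, now = Math.floor(Date.now() / 1000) }) {
  const problems = [];
  if (!['https://accounts.google.com', 'accounts.google.com'].includes(claims.iss)) problems.push('iss');
  if (!allowedAudiences.has(claims.aud)) problems.push('aud');
  if (!(Number(claims.exp) > now)) problems.push('exp');
  return problems;
}

// Ask Google's tokeninfo endpoint for the decoded token body. The URL is the real
// endpoint; fetchImpl is injectable so the function can be exercised offline.
async function fetchTokenInfo(idToken, fetchImpl = fetch) {
  const url = 'https://oauth2.googleapis.com/tokeninfo?id_token=' + encodeURIComponent(idToken);
  const res = await fetchImpl(url);
  if (!res.ok) throw new Error('tokeninfo rejected token: HTTP ' + res.status);
  return res.json();
}

// Constructed, unsigned sample token for demonstration; the signature segment is junk.
function makeSampleToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(claims)}.c2lnbmF0dXJl`;
}

// Constructed claims mirroring the page's sample (timestamps from 2015).
const SAMPLE_CLAIMS = {
  iss: 'https://accounts.google.com',
  sub: '110169484474386276334',
  aud: '1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com',
  iat: 1433978353,
  exp: 1433981953,
  email: 'testuser@gmail.com',
  email_verified: true,
  name: 'Test User',
};

// End-to-end: header -> token -> claims -> checks, evaluated "at" a time inside the validity window.
function demo() {
  const req = { headers: { authorization: 'Bearer ' + makeSampleToken(SAMPLE_CLAIMS) } };
  const claims = decodeClaims(getBearerToken(req.headers));
  const problems = checkClaims(claims, { allowedAudiences: ALLOWED_CLIENT_IDS, now: 1433980000 });
  return { sub: claims.sub, email: claims.email, problems };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

If the service is ever switched to allow unauthenticated invocations, decodeClaims stops being safe on its own: at that point the signature must be verified in the service (for example with the google-auth library) or the token must be sent to tokeninfo, which rejects tokens with bad signatures.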

Troubleshooting

If user requests are being rejected and you believe they should be allowed, ensure that users have been granted the roles/run.invoker role, or have the run.routes.invoke permission. Learn more about these in the Cloud Run IAM reference.

Using Identity Platform or Firebase Authentication

If you want to authenticate users using email/password, phone number, social providers like Facebook or GitHub, or a custom authentication mechanism, you can use Firebase Authentication or Identity Platform.

We'll show how to use Firebase Authentication, but the steps are similar for Identity Platform.

First you'll need to set up Firebase Authentication in your project and service:

  1. Set up Firebase Authentication in the Firebase Console.

  2. Add the Firebase Admin SDK for your service's language to your code and initialize it.

  3. Add middleware to your code that verifies the Firebase ID token on every protected route.

  4. Deploy your service publicly (allow unauthenticated invocations). Because Cloud Run no longer checks tokens for you, your middleware is the only thing between the Internet and your handlers.
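The following Node.js middleware is an added example, not the Cloud Run documentation's own code. It implements step 3 for an Express-style handler chain: it extracts the bearer token, hands it to a verifier, and either attaches the decoded user to the request or rejects with 401 (no token) or 403 (token failed verification). The real verifier is admin.auth().verifyIdToken() from the firebase-admin SDK, wired in lazily in firebaseVerifier so the file also runs where firebase-admin is not installed; requireFirebaseUser, fakeVerifier and simulate are this example's own names, and the request, response and token values used by simulate are constructed.

```javascript
// Added example (not the Cloud Run docs' own code). Assumes Node.js >= 18 and,
// for the real wiring, the firebase-admin package on a publicly deployed service.

// Real wiring: initialise firebase-admin once (Application Default Credentials on
// Cloud Run) and return a function that verifies an ID token, including revocation.
function firebaseVerifier() {
  const admin = require('firebase-admin');
  if (admin.apps.length === 0) admin.initializeApp();
  return (idToken) => admin.auth().verifyIdToken(idToken, /* checkRevoked */ true);
}

// Middleware factory. verifyIdToken(token) must resolve to the decoded token or reject.
function requireFirebaseUser(verifyIdToken = firebaseVerifier()) {
  return async function (req, res, next) {
    const m = /^Bearer\s+(\S+)$/.exec(req.headers.authorization || '');
    if (!m) {
      return res.status(401).send('Unauthorized: missing bearer token');
    }
    try {
      const decoded = await verifyIdToken(m[1]);
      req.user = {
        uid: decoded.uid,
        email: decoded.email,
        emailVerified: decoded.email_verified === true,
      };
      return next();
    } catch (err) {
      // Keep the reason server-side; the caller only learns that the token was refused.
      console.error('Firebase ID token rejected:', err.code || err.message);
      return res.status(403).send('Forbidden: invalid or expired ID token');
    }
  };
}

// Constructed fake verifier for offline use: accepts exactly one known token string.
function fakeVerifier(validToken) {
  return async (idToken) => {
    if (idToken !== validToken) {
      const e = new Error('Decoding Firebase ID token failed');
      e.code = 'auth/argument-error';
      throw e;
    }
    return { uid: 'user-123', email: 'testuser@example.com', email_verified: true };
  };
}

// Run the middleware against a constructed request and report what happened.
async function simulate(authorizationHeader) {
  const outcome = { status: 200, body: null, user: null, nextCalled: false };
  const req = { headers: authorizationHeader ? { authorization: authorizationHeader } : {} };
  const res = {
    status(code) { outcome.status = code; return this; },
    send(body) { outcome.body = body; return this; },
  };
  const middleware = requireFirebaseUser(fakeVerifier('good-token'));
  await middleware(req, res, () => { outcome.nextCalled = true; outcome.user = req.user; });
  return outcome;
}

if (typeof require !== 'undefined' && require.main === module) {
  simulate('Bearer good-token').then(console.log);
}
```

In a real Express app, mount the middleware before the protected routes, for example app.use('/api', requireFirebaseUser()), and keep the verifier's checkRevoked flag on unless the extra round trip to Firebase is unacceptable; without it, a token for a deleted or disabled user stays valid until it expires.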

In your web or mobile app, you need to:

  1. Use the appropriate Firebase Auth client library to get an ID token.
  2. Include the ID token in an Authorization: Bearer ID_TOKEN header in the request to the service.

Getting user profile information

If you want to access user profile information, you can use the Firebase Admin SDK to retrieve user data.

Sample code tutorial for Cloud Run for Anthos on Google Cloud

For a tutorial on authenticating end users for Cloud Run for Anthos on Google Cloud, refer to the tutorial Authenticating end users on Cloud Run on GKE.
