how to use Apigee to protect Google cloud function...

Report Inappropriate Content · 03-30-2018 01:41 PM

Hi,

Use Case:

I have a serverless architecture in my product. I authenticate the general user on the web using firebase authentication. Say the end user uses the product page that requires data from the backend i.e. calls an api endpoint to retrieve the data. But just before calling the end point currently I get firebase token and pass that token in the authorization header "Bearer".

In the cloud function I validate the token that the frontend is passing and I return 204 CORS and then the logic of retrieving data.

Request:

How can I use Apigee Edge to validate the firebase generated token and then allow end point call? I wish not to authenticate using apigee or generate tokens using apigee as I am already using firebase for that purpose.

Thanks in advance for your help.

Cheers,

Vinayak

rgonzalez-1

Which firebase auth option are you using? firebase-ui? sdk (user-pass, federated, custom, etc.)?

Report Inappropriate Content

Hi Ruben, thanks for your reply. I use firebase javascript for login. Retail customer having Facebook, Twitter, Gmail logs into the application using firebase.auth().signinWithRedirect(provider); Once he is logged in to the app/webapp then I get the firebase token and pass it in authorization header to the GCF microservice. In the microservice I determine if the firebase session is valid and then grant access to database query for retrieving data.

Cheers,

Vinayak

rgonzalez-1

You'll need to import the externally generated access tokens (oauth 2.0) into Edge. Here are the docs and a sample implementation.

There's only a difference in your scenario: you already obtained a firebase access token in your web app (javascript). Here are the steps you'll need to follow:

1) You'll need to send your client_id (generated in edge with an app) and the obtained firebase access_token to edge.

2) Make sure that the access token is valid (use a Javascript policy or Service Callout policy to validate it against firebase).

3) import the access_token.

There's another option. Looking into the firebase docs I found an option to exchange a provider (

(google, facebook,etc.) acces_token for a firebase access token in a Node.js app. So you could set up all your provider auth logic in a node.js app in edge and then import the access token.

Let me know if it works for you.

Report Inappropriate Content

Awesome Ruben. Thanks, I will try out the logic.

One quick question... In step 1 I need to pass Client_ID only along with Firebase token from the web app? No client secret?

If yes, it solves my greatest worry. I was concerned that if I have to send client_id and client_secret via web app e.g. PWA in my case, then the client secret is exposed in the code. So I was searching for last couple of days how to prevent client api secrets either using Redis or some vault mechanism.

rgonzalez-1

That is up to you. This solution will force a 3-legged oauth flow (implicit/auth_code) into a client_credentials flow. If you don't have a backend, then the client_id (and secret if you decide to validate it) will get compromised no matter what. But this doesn't matter. What matters is the logic to make sure the access tokens are valid for your firebase app. Apigee will only track app traffic (client_id), not end user data for analytics, however, apigee will import and validate the end user access token (firebase token).

skare

Does this CORS issue resolved? I am also struggling with this and haven't found any resolutionary stepstill now? If so could you please add detailed resolution steps as I am very new to cloud and very much disappointed due to GCF behaviour?

how to use Apigee to protect Google cloud functions on firebase?