
I've got a GCP Cloud Function which validates authentication of Firebase Authentication, i.e. looking for an Authentication header with an idToken value. I want to write a script that will allow a user to authenticate and make a call to that function. This is what I currently have:

from google_auth_oauthlib import flow
import httpx

# Google OAuth 2.0 installed-app flow: opens a browser for sign-in and
# receives the redirect on a local server.
appflow = flow.InstalledAppFlow.from_client_secrets_file(
    'client_secret.apps.googleusercontent.com.json',
    scopes=['openid',
            'https://www.googleapis.com/auth/userinfo.email',
            'https://www.googleapis.com/auth/userinfo.profile'],
)
creds = appflow.run_local_server()
print(creds.valid)

# Send the Google-issued ID token as a Bearer token to the Cloud Function.
response = httpx.post(
    'https://us-central1-myproject.cloudfunctions.net/myfunction',
    headers={'Authorization': 'Bearer ' + creds.id_token}
)
print(response.status_code)
print(response.text)

I am getting an Unauthorized error from the Cloud Function when invoking the script and signing in with a valid user, and it looks like the Cloud Function fails to authenticate creds.id_token.

What am I missing?


EDIT

On the backend side, I decoded the verifyIdToken error and got the following:

Firebase ID token has incorrect "aud" (audience) claim.

I think this ID token is not the correct one.

galah92
  • Verify that `creds.id_token` is valid (present). – John Hanley Jun 08 '22 at 23:06
  • It is, I see a good value there and able to decode it with https://token.dev/ – galah92 Jun 08 '22 at 23:58
  • Is the identity in that token authorized at the resource (Cloud Function) and what IAM permissions are assigned at the resource for that identity? – John Hanley Jun 09 '22 at 00:41
  • Admin permission (I am the Admin of that GCP project). Can it be related to the request scope, maybe? – galah92 Jun 09 '22 at 00:43
  • The IAM role at the Project resource is not relevant. What is the IAM role assigned to the Cloud Function (it has its own IAM section). OIDC Identity Tokens do not have scopes. They are used for identity-based access control and not role-based access control. – John Hanley Jun 09 '22 at 00:45
  • Oh, the Cloud Function is publicly available. Authentication validation is done in code using the Firebase library. This validation passes when the function is being called from the Frontend application when the user connects via the Firebase client library. – galah92 Jun 09 '22 at 05:24
  • If you put an Identity Token in the Authorization header, the Google Frontend (GFE) will validate that token and in some cases modify the ID Token. I am not sure what happens if the token is valid, but you have a public function. In any event, you should not use the HTTP Authorization header for your own purposes. Choose a different header name. – John Hanley Jun 09 '22 at 06:42
  • Did you try to add the cloudplatform scope? – guillaume blaquiere Jun 09 '22 at 11:26
  • @guillaumeblaquiere do you mean `https://www.googleapis.com/auth/cloud-platform`? I tried it and it didn't help – galah92 Jun 09 '22 at 12:29
  • @JohnHanley but I'm using the suggested code from the Firebase Auth lib to validate ID Tokens generated from the client-side libraries. Please see the edit to my question, thanks. – galah92 Jun 13 '22 at 00:47
  • Does this answer your question? [Firebase Auth ID token has incorrect "aud" claim](https://stackoverflow.com/questions/38335127/firebase-auth-id-token-has-incorrect-aud-claim) – Martin Zeitler Jun 13 '22 at 01:42
  • @MartinZeitler Not really, because it describes a flow where the ID Token is generated from Firebase client-side libraries. I'm using Python's `google_auth_oauthlib` flow as described above. – galah92 Jun 13 '22 at 01:43
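Added example, not code from the question or any answer: a local check that decodes the claims of an ID token without verifying it and compares the `aud` claim with the Firebase project ID, which is the mismatch the `incorrect "aud"` error above reports. The project ID, OAuth client ID and the two tokens are constructed placeholders (the tokens carry a dummy signature), so the script runs offline; a Google OAuth ID token from `InstalledAppFlow` has the OAuth client ID as its audience, whereas Firebase `verifyIdToken` expects the Firebase project ID.

```python
import base64
import json

# Constructed placeholders (assumptions, not values from the question).
FIREBASE_PROJECT_ID = "myproject"
OAUTH_CLIENT_ID = "123456789-abc.apps.googleusercontent.com"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, WITHOUT signature verification.
    For local inspection only; never base an access decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_audience(token: str, expected_aud: str) -> dict:
    """Compare aud with the audience Firebase verifyIdToken expects (the project ID)."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return {
        "iss": claims.get("iss"),
        "aud": aud,
        "aud_ok": expected_aud in auds,
        "is_oauth_client_audience": any(
            str(a).endswith(".apps.googleusercontent.com") for a in auds),
    }

def _test_jwt(payload: dict) -> str:
    # Constructed token with a dummy signature segment; only the payload matters here.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2ln"
# Shape of what InstalledAppFlow returns: Google-issued, aud = the OAuth client ID.
OAUTH_ID_TOKEN = _test_jwt(
    {"iss": "https://accounts.google.com", "aud": OAUTH_CLIENT_ID, "sub": "1"})
# Shape of what the Firebase client SDK returns: aud = the Firebase project ID.
FIREBASE_ID_TOKEN = _test_jwt(
    {"iss": f"https://securetoken.google.com/{FIREBASE_PROJECT_ID}",
     "aud": FIREBASE_PROJECT_ID, "sub": "1"})

if __name__ == "__main__":
    for name, tok in (("oauth flow", OAUTH_ID_TOKEN), ("firebase sdk", FIREBASE_ID_TOKEN)):
        print(name, diagnose_audience(tok, FIREBASE_PROJECT_ID))
```

Running `diagnose_audience` on the real `creds.id_token` from the script in the question shows the same `is_oauth_client_audience: True` / `aud_ok: False` shape as the constructed OAuth token, which is why the backend's `verifyIdToken` rejects it.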
