Re: Authenticating requests with Cloud Run generated JWT


Tomasz Boczkowski

Feb 24, 2021, 4:19:25 PM
to Jano ETA, api-gateway-users
Hi!

If my understanding is correct, you use service account JWT tokens to authenticate requests issued by mobile clients. You don't want to distribute the private key used to generate the tokens in the application.

Service Account JWT tokens are intended to be used by the services under your total control, preferably running on a server. For mobile clients, the recommended approach is to use Google ID tokens (https://cloud.google.com/api-gateway/docs/authenticating-users-googleid) or Firebase tokens (https://cloud.google.com/api-gateway/docs/authenticating-users-firebase). Both of those are technically JWT tokens. However, they are issued and signed by the token provider and you don't have to implement token generation yourself.

Best regards,
  Tomasz

On Fri, Feb 19, 2021 at 2:54 PM Jano ETA <jdemey...@gmail.com> wrote:
Good day,

I have deployed a Gateway which routes traffic to Cloud Run containers and is called from a web application with a service account credentials file. The gateway makes use of an API key and a JWT for authentication and, so far, all calls made with a JWT that was created from the p12 service account credentials file have successfully authenticated without issues or failures.

The problem I have is that I am expanding the applications that should be able to make requests, which now include mobile applications and desktop applications. For security reasons, I do not want to distribute the credentials file with the applications. I was able to create an additional LogIn function in the Cloud Run backend, which retrieves a Google-generated JWT for the linked service account from the metadata. However, when I add a security profile for this generated JWT in the configuration file, Gateways complains that there is no JWT attached to the request.

Any advice regarding whether I am pursuing the wrong avenue for application authentication or whether this might actually be a bug in Gateways or a config file setup issue would be greatly appreciated.

Kind regards
Jano


Jano ETA

Feb 25, 2021, 1:25:03 AM
to api-gateway-users
Hi Tomasz,

Thank you for the feedback and the documentation links. I was able to implement Google ID tokens for authentication successfully.

Kind regards,
Jano
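
A way to see which kind of token a client is sending, checked against the issuer and audiences a gateway security definition is configured with (the `x-google-issuer` and `x-google-audiences` values), as an added example that is not part of the original thread. It decodes claims without verifying the signature, so it is a debugging aid only; `inspect_jwt`, `make_sample`, and the service account, gateway, and client ID values are constructed placeholders.

```python
import base64
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def inspect_jwt(token, expected_issuer, expected_audiences, now=None):
    """Return (claims, problems) WITHOUT verifying the signature: a debugging
    aid for issuer/audience/expiry mismatches, never proof of authenticity."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {}, ["not a compact JWT (expected 3 dot-separated segments)"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:
        return {}, ["header or payload is not base64url-encoded JSON"]
    problems = []
    if header.get("alg") in (None, "none"):
        problems.append("unsigned token (alg missing or 'none')")
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} != {expected_issuer!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in list(expected_audiences) for a in auds):
        problems.append(f"aud {aud!r} not in configured audiences")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    return claims, problems

def make_sample(claims):
    """Build a constructed token with a dummy signature for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# Constructed placeholder values (not taken from the thread).
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
SA_TOKEN = make_sample({"iss": "sa@example-project.iam.gserviceaccount.com",
                        "aud": "example-gateway", "exp": 4102444800})
ID_TOKEN = make_sample({"iss": "https://accounts.google.com", "aud": CLIENT_ID, "exp": 4102444800})
```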