Access from firebase functions to app on GCE behind Identity Aware Proxy


Guy Rom

Sep 23, 2018, 8:12:35 PM
to Firebase Google Group
Hi,
I was trying to follow this guide https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_service_account and others in order to allow a Firebase function to access another app/API on GCE behind IAP, which requires an authorized JWT.
I've tried a few methods and approaches, which all failed and don't work.

Approach 1 - using the googleapis auth lib with 'auth.getClient()' - I managed to get this to work locally when serving the function. Locally this method returns a JWT object to which I can provide the 'additionalClaims' (with the 'target_audience' property) and then use 'auth.authorize()', which provides the JWT (this works locally). But when I deploy it to Firebase, the function gets a Compute object instead of a JWT, which doesn't have the default credentials or the 'authorize()' method.

Approach 2 - using the Firebase Admin SDK & JWT from the auth lib - so I tried to use the JWT lib directly (from 'google-auth-library'), which needs the email and key. Again, locally it worked: I used 'admin.credential.applicationDefault()' to get the 'clientEmail' and 'privateKey', created a 'new JWT' and then called the 'authorize()' method to get the JWT. When deploying the function, 'admin.credential.applicationDefault()' doesn't provide the credentials and it doesn't work.

Approach 3 - using an Admin SDK custom token - I also tried to use the Firebase Admin SDK to create a custom token ('admin.auth().createCustomToken') and also provide the 'additionalClaims', but with this JWT I can't access IAP, probably because the Admin SDK has a constant scope of 'google.identity.identitytoolkit.v1.IdentityToolkit' and I need to create a token with 'target_audience'.

First, as a general comment, the inconsistency between serving functions locally and deploying them makes this very hard to understand and debug.
I guess that if I deploy my credentials.json file with the function it will work, but that seems like not the best practice and I don't know if it's secure. Obviously the function has access to these credentials; I just can't find a way to get them.

Can anyone provide a solution to the above problems or suggest a different approach which will work?

I've been stuck on this for hours, please help!

Thanks.

Hiranya Jayathilaka

Nov 12, 2018, 7:28:33 PM
to fireba...@googlegroups.com
Hi Guy,

I'm not familiar with IaP, but based on the code samples in the webpage you've linked, I can suggest a couple of approaches that may work:

1. Initialize the Admin SDK with an explicit service account (admin.credentials.cert). Then credential.getCertificate().privateKey should provide you with a key that can be used to sign tokens.
2. Create a custom token as you've suggested above. Then exchange the custom token for an ID token. You will need the firebase client SDK for this. The returned ID token will contain any custom claims you specified when minting the custom token.



--

Hiranya Jayathilaka | Software Engineer | h...@google.com | 650-203-0128
