CORS with End-user Authentication on Cloud Run / GCR


Derek Seymour

Apr 25, 2019, 1:18:49 PM
to gce-discussion
Hi all,

I have a Google Cloud Run service running without anonymous access (Authentication set to Authenticated under service details).  On my container, I have CORS configured with the appropriate Access-Control-Allow-Origin header defined on all responses.

In a web app under Chrome, I'm attempting to authenticate a user via Firebase, get an ID token, and then make authenticated calls to the GCR service:

firebase.auth().currentUser.getIdToken().then(function (idToken) {
    // Synchronous XHR (third argument false), as in the original post.
    let req = new XMLHttpRequest();
    req.open('GET', 'https://<GCR Service URL>/example-path', false);
    // The Authorization header is what makes the browser send a CORS preflight first.
    req.setRequestHeader('Authorization', 'Bearer ' + idToken);
    req.addEventListener("load", function () {
        console.log('request_status load', this.responseText);
    });
    req.send(null);
});


Everything appears to work in the browser up until the preflight request goes out.  It appears GCR is expecting the Authorization header (as mentioned under https://cloud.google.com/run/docs/securing/authenticating#end-users) on an OPTIONS request (see below).  From my research, it appears that adding custom headers to a preflight request isn't possible within a browser.

GCR log
OPTIONS 403 0 B 0 ms Chrome 73  /example-path
The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating

Console errors
OPTIONS https://<GCR Service URL>/example-path 403
Access to XMLHttpRequest at 'https://<GCR Service URL>/example-path' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Uncaught DOMException: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'https://<GCR Service URL>/example-path'.

Other than changing the service to allow unauthenticated end-user requests (which is a last resort), how can I get past the OPTIONS call to GCR requiring an authorization token?

Thanks!
 - Derek
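The failure described in the post comes down to three independent behaviours: the browser decides that a request carrying an Authorization header needs a preflight, the preflight it sends only announces that header without its value, and the platform's authentication gate rejects anything without a bearer token before the container can answer with its CORS headers. The following is an added example, not code from the thread or from Google; it models those three parties offline in a few functions so the sequence can be stepped through without a Cloud Run deployment. All names (needsPreflight, cloudRunAuthGate, containerHandler, simulateFetch), the token value and the exemptOptions option are hypothetical; the gate's 403-on-everything-unauthenticated behaviour is taken from the log line quoted in the post.

```javascript
// Added example (not from the original thread): an offline model of why a
// Cloud Run service that requires authentication cannot pass a CORS preflight.
// Three parties are simulated: the browser (preflight decision and CORS check),
// the platform's auth gate in front of the container, and the container itself.

const CORS_SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Case-insensitive header lookup, since HTTP header names are case-insensitive.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Browser side: a non-simple method or any header outside the CORS safelist
// (Authorization included) forces an OPTIONS preflight before the real request.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.keys(headers).some(h => !CORS_SAFELISTED_HEADERS.has(h.toLowerCase()));
}

// Browser side: build the preflight. The browser only *names* the custom headers in
// Access-Control-Request-Headers; it never sends their values, so no bearer token travels here.
function buildPreflight(origin, method, headers) {
  return {
    method: 'OPTIONS',
    headers: {
      'origin': origin,
      'access-control-request-method': method.toUpperCase(),
      'access-control-request-headers': Object.keys(headers).map(h => h.toLowerCase()).sort().join(','),
    },
    body: null,
  };
}

// Platform side: the authentication gate in front of the container, as described in the
// thread: no valid bearer token means 403 before the container runs, OPTIONS included.
// exemptOptions is a hypothetical switch showing what letting preflights through would change.
function cloudRunAuthGate(req, verifyToken, handler, { exemptOptions = false } = {}) {
  if (exemptOptions && req.method === 'OPTIONS') return handler(req);
  const auth = getHeader(req.headers, 'authorization') || '';
  const token = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : null;
  if (!token || !verifyToken(token)) {
    return { status: 403, headers: {}, body: 'The request was not authenticated.' };
  }
  return handler(req);
}

// Container side: the CORS-aware handler the service would run if the gate let requests in.
function containerHandler(allowedOrigin) {
  return (req) => {
    const cors = {
      'access-control-allow-origin': allowedOrigin,
      'access-control-allow-methods': 'GET, OPTIONS',
      'access-control-allow-headers': 'authorization, content-type',
    };
    if (req.method === 'OPTIONS') return { status: 204, headers: cors, body: '' };
    return { status: 200, headers: cors, body: 'hello from /example-path' };
  };
}

// Browser side: the access-control check the browser applies to the preflight response.
function preflightPasses(resp, origin, headers) {
  if (resp.status < 200 || resp.status >= 300) return false;
  const allowOrigin = getHeader(resp.headers, 'access-control-allow-origin');
  if (allowOrigin !== '*' && allowOrigin !== origin) return false;
  const allowed = (getHeader(resp.headers, 'access-control-allow-headers') || '')
    .toLowerCase().split(',').map(s => s.trim());
  return Object.keys(headers).every(h =>
    CORS_SAFELISTED_HEADERS.has(h.toLowerCase()) || allowed.includes(h.toLowerCase()));
}

// End-to-end: what the browser does for one cross-origin request against a given gate.
function simulateFetch(origin, method, headers, gate) {
  if (needsPreflight(method, headers)) {
    const preResp = gate(buildPreflight(origin, method, headers));
    if (!preflightPasses(preResp, origin, headers)) {
      return { blocked: true, stage: 'preflight', status: preResp.status };
    }
  }
  const resp = gate({ method, headers, body: null });
  return { blocked: false, stage: 'request', status: resp.status };
}

// Constructed demo data: a verifier that accepts one made-up token value.
const verify = (t) => t === 'test-id-token';
const origin = 'http://localhost:8080';
const strictGate = (req) => cloudRunAuthGate(req, verify, containerHandler(origin));
const openGate = (req) => cloudRunAuthGate(req, verify, containerHandler(origin), { exemptOptions: true });
const authHeaders = { Authorization: 'Bearer test-id-token' };

console.log(simulateFetch(origin, 'GET', authHeaders, strictGate)); // blocked at preflight, 403
console.log(simulateFetch(origin, 'GET', authHeaders, openGate));   // reaches the service, 200
```

The strict gate reproduces the log line in the post: the OPTIONS request arrives with no Authorization header and is refused with 403, so the browser never sees the container's Access-Control-Allow-Origin header and blocks the real request. The same flow against the hypothetical gate that exempts OPTIONS succeeds, which is why the only lever the poster has without a platform change is the authentication setting itself; nothing the container does in its handler can run before the gate.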

Aref Amiri (Cloud Platform Support)

May 7, 2019, 10:44:30 PM
to gce-discussion
Hi Derek,

Currently it is not possible to use Cloud Run with Authentication supporting CORS, and as you’ve experienced in your project, the preflight OPTIONS request will always be rejected with status 403.

The Feature Request has already been reported to Google Cloud Run engineering team and they are currently reviewing the request for possible implementation in the future. I cannot provide an ETA or guarantee of implementation, however, you can follow the Public Issue Tracker page that we have created, as any future updates will be shared there.

Nat

Jan 20, 2020, 6:45:47 PM
to gce-discussion
Any updates on this?

Md Sadik Masoud

Jan 20, 2020, 11:26:28 PM
to gce-discussion
Hi,

There is no update as of now and any latest update about this issue will be posted in this link[1]. Please "star" the issue [1] from your side so that you can receive comments and status updates as soon as there is any progress.