Firebase authentication in endpoints still allows cloud function to be called publicly?


Jan-Philipp Marks

Aug 10, 2020, 9:03:29 AM
to Google Cloud Endpoints
Hey community,

I'm trying to follow the instructions on https://cloud.google.com/endpoints/docs/openapi/authenticating-users-firebase# in order to secure my cloud functions with a Firebase auth token.
All instructions worked without any issues or errors, but my function is still callable publicly.

Here is my yaml file as instructed:

swagger: '2.0'
info:
  title: ***
  description: Sample API on Cloud Endpoints with a Google Cloud Functions backend
  version: 1.0.0
host: ***
schemes:
  - https
produces:
  - application/json
x-google-backend:
  path_translation: APPEND_PATH_TO_ADDRESS
  protocol: h2
paths:
  /hello:
    get:
      summary: Greet a user
      operationId: hello
      responses:
        '200':
          description: A successful response
          schema:
            type: string
securityDefinitions:
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/***"
    x-google-audiences: "***"
security:
  - firebase: []

What I am expecting to happen:
My function hello can only be invoked through the Endpoints proxy when I provide a valid JWT in the request's "Authorization" header.

What is happening:
My function can still be called publicly without any token sent.

I simply want to restrict the invocation of this function to a valid JWT from Firebase Auth.

The how-to-guide on gcp is not working for me unfortunately :(

Any suggestions?

Thanks a lot

Teju Nareddy

Aug 10, 2020, 1:39:33 PM
to Google Cloud Endpoints
This is the architecture you should have:
  • ESPv2 on Cloud Run: Publicly accessible, allows anyone to call it. If a request doesn't contain a JWT, the request is rejected. Otherwise, ESPv2 will validate the JWT and proxy the request to the backend.
  • Backend on Cloud Functions: Private, only callable by ESPv2. So all requests to your backend will be validated by ESPv2; there is no way any other requests can reach it.
It sounds like you set up ESPv2 correctly, but you left the backend Cloud Function publicly accessible. You need to use IAM to secure the Cloud Function.

Your current Cloud Function allows "unauthenticated users". You probably followed this section to configure this. You need to do the reverse steps to remove "unauthenticated users".

Then make sure that ESPv2 can invoke your Cloud Function. If you just followed the Cloud Endpoints on Cloud Functions tutorial, it should have all the roles it needs to invoke your Cloud Function. Otherwise, you may need to add the ESPv2 service account as an invoker to the backend Cloud Function.

One more thing, your OpenAPI spec is a little off. Please read over all of bullet point #3 in this section of the Cloud Endpoints on Cloud Functions tutorial. Notice you place `x-google-backend` a little differently than in the tutorial. I suggest you move `x-google-backend` under the /hello path and append FUNCTIONS_NAME to the `address` field. Otherwise ESPv2 will have problems calling the backend with the correct authentication credential.
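The IAM side of the reply, as an added example that is not part of the original thread or of Google's own tooling: it audits the JSON that `gcloud functions get-iam-policy FUNCTION_NAME --format=json` prints, reports whether `allUsers` or `allAuthenticatedUsers` still hold `roles/cloudfunctions.invoker` (the "unauthenticated users" state the poster is in), and emits the `gcloud` commands that move the function to the private, ESPv2-only state. The two policies, the function name `hello` and the ESPv2 service account address are constructed placeholders.

```python
"""Audit a Cloud Functions IAM policy for public invokers (added example).

Assumes the policy JSON has the shape printed by
`gcloud functions get-iam-policy FUNCTION_NAME --format=json`.
The sample policies, the function name and the ESPv2 service account
below are constructed placeholders, not values from the thread.
"""
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/cloudfunctions.invoker"

# Constructed sample: the state after deploying with --allow-unauthenticated,
# which is why the backend is still callable without a JWT.
SAMPLE_PUBLIC_POLICY = json.dumps({
    "bindings": [{"role": INVOKER_ROLE, "members": ["allUsers"]}],
    "etag": "BwExampleEtag=",
    "version": 1,
})

# Constructed sample: the desired state, only the ESPv2 identity may invoke.
ESPV2_SA = "espv2-sa@example-project.iam.gserviceaccount.com"  # placeholder
SAMPLE_PRIVATE_POLICY = json.dumps({
    "bindings": [{"role": INVOKER_ROLE, "members": [f"serviceAccount:{ESPV2_SA}"]}],
    "etag": "BwExampleEtag=",
    "version": 1,
})


def invokers(policy_json: str) -> set:
    """All principals that hold the invoker role on the function."""
    policy = json.loads(policy_json)
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            members.update(binding.get("members", []))
    return members


def public_invokers(policy_json: str) -> list:
    """Public principals that can invoke the function directly, bypassing ESPv2."""
    return sorted(m for m in invokers(policy_json) if m in PUBLIC_MEMBERS)


def remediation_commands(function_name: str, espv2_service_account: str,
                         policy_json: str) -> list:
    """gcloud commands that revoke public access and grant the ESPv2 identity.

    Returns an empty list when the policy is already in the desired state.
    """
    cmds = []
    for member in public_invokers(policy_json):
        cmds.append(
            f"gcloud functions remove-iam-policy-binding {function_name} "
            f"--member={member} --role={INVOKER_ROLE}"
        )
    espv2_member = f"serviceAccount:{espv2_service_account}"
    if espv2_member not in invokers(policy_json):
        cmds.append(
            f"gcloud functions add-iam-policy-binding {function_name} "
            f"--member={espv2_member} --role={INVOKER_ROLE}"
        )
    return cmds


if __name__ == "__main__":
    for label, policy in (("public", SAMPLE_PUBLIC_POLICY),
                          ("private", SAMPLE_PRIVATE_POLICY)):
        print(f"[{label}] public invokers: {public_invokers(policy) or 'none'}")
        for cmd in remediation_commands("hello", ESPV2_SA, policy):
            print("  ", cmd)
```

Run the audit against the real policy before and after the change: the private policy should produce no public invokers and no remediation commands, at which point the only path to the function is through ESPv2, which is where the Firebase JWT is actually checked.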

Teju Nareddy

Aug 10, 2020, 1:40:22 PM
to Google Cloud Endpoints
Sorry, the last link is wrong. Bullet point #3 in this section: https://cloud.google.com/endpoints/docs/openapi/get-started-cloud-functions#endpoints_configure