I have a simple example of JavaScript calling a (Golang) cloud function in my public GitHub repository.
First I started with a trivial hello world with public access.
Then I removed the public access and produced a manual access token and tried that.
The first issue I found was CORS. I resolved that by using a Cloudflare worker.
Having said that, here is my main question.
The access token that I'm using now is manually produced in the cloud shell and temporary, as described here under generating token manually
The problem is that the other section "Generating tokens programmatically" doesn't seem ok for a web scenario, I guess it still applies to some special environments where libraries can obtain authentication, so not ok for a classical web app authentication from the frontend (am I correct?).
I can't find a more appropriate authorization flow in the cloud functions documentation, why?
I googled around and I found for example this
https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
which is the typical oauth2 authorization flow from javascript, exactly what I would have expected,
but it seems written for Google APIs, is it valid for cloud functions too? Or is there something I am missing?
Thank you!
Ehm, I'm afraid the solution should be a bit more elaborate: now I'm reading that cloud functions have identity tokens that are not access tokens
https://stackoverflow.com/a/67213000
I'm confused, however: why is it possible to add a workspace principal in the permission tab of the cloud function? I've created a workspace user for my domain but I don't know how to use it... What is the scenario for the workspace principal authentication?
Possible solution
Anyway, after further research, now I imagine that the correct approach/architecture is to set up a cloud endpoint for the cloud function as said here below
https://cloud.google.com/endpoints/docs/openapi/set-up-cloud-functions-espv2
So, is it the way to go in case of a web app frontend to invoke a backend cloud function?
Yes, this is solved; look at my repository for more details. For example, I've used Auth0 authentication and the following openapi-functions.yaml
according to
https://auth0.com/docs/customize/integrations/google-cloud-endpoints
and
https://auth0.com/docs/quickstart/spa/vanillajs/02-calling-an-api#calling-the-api
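The identity-token versus access-token distinction raised above, as an added example that is not part of the original posts or the poster's repository: a client-side check of a bearer token's shape, `aud` and `exp` before it is sent. The function names, the sample function URL and the tokens are constructed for illustration, and the signature is deliberately not verified here because that is the server's job.

```javascript
// Added example: inspect a bearer token in the frontend to see why an
// authenticated Cloud Function (or an ESPv2 gateway) would reject it.
// The signature is NOT verified here; the server side does that.

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
}

// expectedAudience: the value the backend checks `aud` against (for a
// directly invoked function, its URL). nowSeconds: current Unix time.
function inspectBearerToken(token, expectedAudience, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    // Opaque OAuth2 access tokens are not three-part JWTs.
    return { kind: 'opaque', usable: false, reason: 'not a JWT; looks like an OAuth2 access token' };
  }
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return { kind: 'malformed', usable: false, reason: 'payload is not base64url JSON' };
  }
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAudience)) {
    return { kind: 'jwt', usable: false, reason: 'aud does not match ' + expectedAudience };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { kind: 'jwt', usable: false, reason: 'token expired or exp missing' };
  }
  return { kind: 'jwt', usable: true, reason: 'aud and exp look right; server still verifies signature' };
}

// Constructed sample data only: builds an unsigned JWT-shaped string.
function makeSampleJwt(claims) {
  const enc = (o) => (typeof btoa === 'function'
    ? btoa(JSON.stringify(o))
    : Buffer.from(JSON.stringify(o)).toString('base64'))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc(claims) + '.constructed-signature';
}
```
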
Hey, how was the CORS issue resolved? I am also struggling with this and haven't found anything so far. If so, could you please add detailed steps to resolve the CORS issue in GCF, as I am very new to cloud and very much disappointed by GCF's behaviour?