为什么从Firebase身份验证传递ID令牌时，此经过CORS身份验证的Google Cloud Function为什么返回403? [英] Why is this CORS authenticated Google Cloud Function returning a 403 when passing an id token from Firebase authentication?

问题描述

我已经从 Google云功能教程中部署了此功能.一个>到我的谷歌云项目.

I've deployed this exact function from the google cloud function tutorial to my google cloud project.

在客户端，使用firebase signInWithPopup身份验证对最终用户进行身份验证. id令牌是通过user.getIdToken().then(token => { ... // ... }从生成的用户获取的.

On the client side an end user is authenticated using the firebase signInWithPopup authentication. The id token is taken from the resulting user via user.getIdToken().then(token => { ... // ... }.

然后通过有角度的httpclient调用对端点进行调用:

A call to the endpoint is then made via an angular httpclient call:

const url = 'https://[MY-PROJECT-SUBDOMAIN].cloudfunctions.net/hello_get/';
this.auth.user.getIdToken().then(token => {
    const httpOptions = {
        headers: new HttpHeaders({
            'Authorization': `Bearer ${token}`
        })
    };
    this.http.get(url, httpOptions).subscribe(response => {
        console.log(response);
    }, error => {
        console.error(error);
    });
});

响应是对OPTIONS飞行前请求的403，这使我认为Google拒绝了我的ID令牌.我在hello_get函数中添加了函数日志.似乎该函数甚至没有被调用，因为返回403响应时此日志永远不会出现.

The response is a 403 to the OPTIONS preflight request which makes me think Google is rejecting my ID token. I've added a function log in my hello_get function. It appears the function doesn't even get called because this log is never appearing when the 403 response is returned.

当"Cloud Functions Invoker"的功能权限设置为allUsers时，Cloud函数可以通过CORS正常工作，但是一旦我删除该权限并为allAuthenticatedUsers添加权限，并尝试在其中传递带有Access-Control-Allow-Credentials': 'true'的令牌，云功能，则返回403.

The cloud function works fine via CORS when the function permissions for 'Cloud Functions Invoker' are set to allUsers, but as soon as I delete that permission and add permissions for allAuthenticatedUsers, and try to pass a token with Access-Control-Allow-Credentials': 'true' in the cloud function, a 403 is returned.

所以-看来根本原因是Google拒绝了印前检查OPTIONS请求.在这种情况下，建议通过经过身份验证的Firebase用户调用经过身份验证的Google Cloud函数的方法是什么?

So - it seems like the root cause is google rejecting the preflight OPTIONS request. If this is the case, what is the recommended way to call an authenticated google cloud function with an authenticated firebase user?

注意:我在这里使用的是google cloud函数而不是firebase函数，因为我们需要使用在firebase函数中不可用的python3运行时.

Note: I'm using google cloud functions instead of firebase functions here because we need to use the python3 runtime which is not available in firebase functions.

推荐答案

在将Firebase身份验证与Google Cloud功能一起使用时，不会通过IAM角色对用户进行身份验证.而是在功能本身内对它们进行身份验证.请注意，根据Google的文档，由于该功能必须有效地验证令牌，因此您需要为未经身份验证的请求付费".要进行设置:

When using Firebase Authentication with Google Cloud functions, users are not authenticated via IAM roles. Instead, they are authenticated within the function itself. Note, per Google's docs, "you will be billed for unauthenticated requests since the function must do work to validate the token." To set this up:

(1)需要向allUsers(而不是我拥有的allAuthenticatedUsers)开放该功能上的"Cloud Functions Invoker"的IAM权限.

(1) The IAM permissions for "Cloud Functions Invoker" on the function need to be opened up to allUsers (as opposed to allAuthenticatedUsers which I had).

(2)然后使用firebase_admin的身份验证库手动完成令牌验证，(

(2) The token verification is then done manually using firebase_admin's auth library, (docs, for reference & other languages) like so:

from firebase_admin import auth

def your_function(request):
    decoded_token = auth.verify_id_token(id_token)
    uid = decoded_token['uid']

感谢Juancki向我指出了正确的方向.

Thanks to Juancki for pointing me in the right direction.

这篇关于为什么从Firebase身份验证传递ID令牌时，此经过CORS身份验证的Google Cloud Function为什么返回403?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！