Tags: php, openid-connect, google-cloud-tasks

How do I verify a Google Cloud Task token from an HTTP request?


I am trying to implement Google Cloud Tasks queues with an HTTP target. I've used the queues for App Engine, but in moving to Cloud Run I wish to use the same queue system. I have implemented the dispatcher code, but unlike App Engine I can't trust the headers, so I'm aware I need to verify the request using an auth token, but I'm struggling to get my head around it. I'm making a lot of assumptions as well. I'm trying to build this in PHP, so if possible it would be good to see an example in PHP, but even just some pseudocode of the flow would be useful.

My first assumption is that it's best to use OIDC tokens, based off of:

if you are writing your own code in the targeted service to validate the token, you should use an OIDC token. For more information on what this entails, see OpenID Connect, particularly Validating an ID token.

I've read the linked heading for this but it didn't make much of it clear to me if I'm honest.

Secondly tokens will be in the Authorization header as Bearer <token>?

Thirdly, I guess I should use something like the package firebase/php-jwt to decode the token. But how do I decode it exactly? My service JSON file only has a private key; do I need to grab the public key from the cloud console? Once I do that, are there particular parts of the token I need to look at to verify the request? Or should the fact that I can decode it into valid JSON be enough?

Every time I read a bit of documentation on how to do it I think I'm getting closer to the answer, but I'm at the point where it's taken far longer than I'd like, and it's a bit frustrating when Google documentation rarely seems to just point out what I need to do.


Solution

    1. You can refer to the link: https://developer.okta.com/blog/2019/05/07/php-token-authentication-jwt-oauth2-openid-connect

    for more information about how to create HTTP tasks with authentication tokens for Cloud Run. Note that the code is given for Python, Java, Go, and Node.js, but it will give you an idea of the flow.

    2. A request example of the Authorization header (https://developer.okta.com/docs/reference/api/oidc/):

    curl -v -X POST \
      -H "Authorization: Bearer ${access_token}" \
      "https://{baseUrl}/userinfo"

    3. Information on how to decode the token:

    https://developer.okta.com/blog/2019/05/07/php-token-authentication-jwt-oauth2-openid-connect
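The PHP verification flow the question asks about, as an added example that is not part of the question or the answer above: it pulls the bearer token from the Authorization header, checks the signature against Google's published JWKS with firebase/php-jwt (v6 API assumed), and then checks the claims the signature alone does not prove (issuer, audience, signing service account). The audience URL and service account e-mail are placeholders you replace with the values configured on your queue.

```php
<?php
// Added example, not code from the question or the answer. Assumes composer
// package firebase/php-jwt v6 is installed.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

// Google's public signing keys (JWKS); cache this per its HTTP cache headers.
const GOOGLE_JWKS_URL = 'https://www.googleapis.com/oauth2/v3/certs';

/**
 * Verify the OIDC token Cloud Tasks sends. $expectedAudience is the audience
 * set on the task (by default the target URL); $allowedEmail is the service
 * account the queue signs tokens as. Returns the claims, throws on failure.
 */
function verifyCloudTasksToken(string $authHeader, string $expectedAudience, string $allowedEmail): array
{
    if (!preg_match('/^Bearer\s+(\S+)$/i', $authHeader, $m)) {
        throw new RuntimeException('missing or malformed Authorization header');
    }
    $jwks = json_decode(file_get_contents(GOOGLE_JWKS_URL), true);
    if (!is_array($jwks)) {
        throw new RuntimeException('could not fetch Google JWKS');
    }
    // decode() checks signature, exp and nbf; "kid" selects the key and only
    // RS256 is accepted, so an attacker cannot downgrade the algorithm.
    JWT::$leeway = 30;
    $claims = (array) JWT::decode($m[1], JWK::parseKeySet($jwks, 'RS256'));

    if (!in_array($claims['iss'] ?? '', ['https://accounts.google.com', 'accounts.google.com'], true)) {
        throw new RuntimeException('unexpected issuer');
    }
    // Any Google-signed token would pass the checks above; aud binds it to this endpoint.
    if (!in_array($expectedAudience, (array) ($claims['aud'] ?? []), true)) {
        throw new RuntimeException('token not intended for this endpoint');
    }
    // ...and email binds it to the one service account allowed to dispatch tasks.
    if (($claims['email'] ?? '') !== $allowedEmail || empty($claims['email_verified'])) {
        throw new RuntimeException('token not issued to the expected service account');
    }
    return $claims;
}

// In the task handler: reject before doing any work.
try {
    $claims = verifyCloudTasksToken(
        $_SERVER['HTTP_AUTHORIZATION'] ?? '',
        'https://REPLACE-WITH-YOUR-SERVICE.run.app/tasks/handler', // placeholder audience
        'REPLACE-WITH-QUEUE-SA@PROJECT.iam.gserviceaccount.com'    // placeholder service account
    );
} catch (Throwable $e) {
    http_response_code(401);
    exit('unauthorized');
}
// Task body is trusted from here on; $claims['email'] records who dispatched it.
```

The private key in your service account JSON is never needed on the receiving side: Cloud Tasks signs the token with Google's key, and the receiver only needs Google's public keys from the JWKS URL.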