
GCP Api Gateway with Firebase Auth


I'm trying to set up GCP Api Gateway for my Cloud Run hosted containers but I'm getting some errors regarding Firebase Authentication.

In the api spec, I copied what is published in the api gateway guide

  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/{{ project_id }}"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]"
    x-google-audiences: "{{ project_id }}"

and added the security entry in the endpoints path

  security:
    - firebase: []

When I make a request through the Api Gateway, some additional headers are added to the request that is proxied to the Cloud Run service, such as x-apigateway-api-userinfo, x-forwarded-authorization and authorization.

Then, in the Cloud Run service, I have to use the Firebase Admin SDK to verify the token passed and identify the user who is making the request. That's where the problem begins: when I try verifying the token in any of these headers, I get an error: "FirebaseAuthError: Decoding Firebase ID token failed. Make sure you passed the entire string JWT which represents an ID token."

Am I doing anything wrong? How can I decode the auth token passed to the Api Gateway?


Solution

  • Checking the validity of the token is already done by the API Gateway.

    x-apigateway-api-userinfo is not the JWT, it's a base64 encoded JSON containing the user's information. Decode it and you should be golden.
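
The decoding step described in the answer, as an added Node.js example that is not part of the original answer or of any Google SDK. The helper name `decodeGatewayUserInfo` and the `demo-project` sample values are assumptions, and the header is only trustworthy if the Cloud Run service accepts calls from the gateway alone, since the backend no longer checks a signature itself.

```javascript
// Added example: decode the claims API Gateway forwards in
// x-apigateway-api-userinfo (base64url-encoded JSON, usually without padding).

// Hypothetical helper name; not an SDK function.
function decodeGatewayUserInfo(headerValue, expectedProjectId) {
  if (typeof headerValue !== 'string' || headerValue.length === 0) {
    throw new Error('missing x-apigateway-api-userinfo header');
  }
  // Check the alphabet up front: Buffer.from() silently skips invalid
  // characters, so a full JWT (which contains dots) would otherwise decode
  // to garbage instead of failing clearly.
  if (!/^[A-Za-z0-9_\-+\/]+={0,2}$/.test(headerValue)) {
    throw new Error('userinfo header is not base64url');
  }
  let claims;
  try {
    claims = JSON.parse(Buffer.from(headerValue, 'base64url').toString('utf8'));
  } catch (err) {
    throw new Error('userinfo header does not contain JSON');
  }
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    throw new Error('userinfo payload is not a JSON object');
  }
  // Defence in depth: mirror x-google-issuer / x-google-audiences from the spec.
  const issuer = `https://securetoken.google.com/${expectedProjectId}`;
  if (claims.iss !== issuer || claims.aud !== expectedProjectId) {
    throw new Error('unexpected issuer or audience');
  }
  if (typeof claims.sub !== 'string' || claims.sub === '') {
    throw new Error('payload has no subject');
  }
  // For Firebase ID tokens, `sub` carries the user's uid.
  return { uid: claims.sub, email: claims.email ?? null, claims };
}

// Constructed sample: the payload the gateway would forward for a made-up user.
const sampleClaims = {
  iss: 'https://securetoken.google.com/demo-project',
  aud: 'demo-project',
  sub: 'constructed-uid-123',
  email: 'user@example.com',
};
const sampleHeader = Buffer.from(JSON.stringify(sampleClaims)).toString('base64url');

const user = decodeGatewayUserInfo(sampleHeader, 'demo-project');
console.log(user.uid, user.email);
```

In a request handler, pass `req.headers['x-apigateway-api-userinfo']` as the first argument instead of calling the Admin SDK's token verification on it.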