firebase authentication jwt microservices

Let my Firebase application trigger microservice exclusively


I have a Google VM running my Dockerized application and I also have my Firebase front-end application.

I want my Firebase application to trigger my microservice. The thing is, I want to be security conscious and I want the Firebase app to be the only actor who can trigger the microservice.

What is the best option for such a task? The only thing I have found is JSON Web Tokens (JWTs). Is this good enough for the job? Is there something better?

If JWTs are what is needed, then what is the logic that the code should have? Should the server create a key and send it to the microservice, then the microservice should decode it and only if it matches a value it should proceed with the job?


Solution

  • firebaser here

    The new Firebase App Check feature was made for this sort of thing, but how to access such app tokens from your own server-side code isn't decided yet.

    So App Check currently allows specific Firebase services to only allow traffic from apps that are registered in the project. You are looking for the other side of that: only allow traffic from those apps to your services, which is not supported yet.

    Also see https://groups.google.com/g/firebase-talk/c/rU0fEozdMyc/m/AYUa6PpLCAAJ