I'm using Google API Gateway to in my Firebase app to verify if a user is signed-in. In API Gateway's documentation here, it recommends to use the forwarded X-Apigateway-Api-Userinfo header to retrieve user info:
API Gateway will send the authentication result in the X-Apigateway-Api-Userinfo to the backend API. It is recommended to use this header instead of the original Authorization header. This header is base64url encoded and contains the JWT payload.
Because it is base64url-encoded, I need extra server-side logic to decode this, just to get the logged-in user's info (I assume the decoded object corresponds to Firebase Auth Admin SDK's DecodedIdToken)).
On the other hand, I found that although API Gateway modifies the original Authorization header, it first copies it to another header named X-Forwarded-Authorization. This means I could do something like:
// authHeaders = 'Bearer ...'
const authHeaders = headers['X-Forwarded-Authorization'];
const token = authHeaders.split(' ')[1]
const decodedToken = await admin.auth().verifyIdToken(token)
which I find is an easier (and better-documented) way to get the same information. Is this a bad idea? I'm not sure if there are other reasons that the X-Apigateway-Api-Userinfo headers are recommended instead.
The API gateway header X-Apigateway-Api-Userinfo works the same as Cloud Endpoints X-Endpoint-API-UserInfo, which verified the JWT signature for you and store only JWT payload you can trust.
If you want to do authentication again or by yourself, you can read the X-Forwaded-Authorization and finally decode into a JWT payload. This only makes sense if you want to double check requests to your HTTP headler functions with fake X-Apigateway-Api-Userinfo that bypassing these API gateway services. You can use IAM to protect your functions.
To conclude,
X-Apigateway-Api-UserinfoReference:
ESPv2 not forwarding original Authorization header when an x-google-backend is specified