Search code examples
pythongoogle-cloud-platformgoogle-cloud-rungoogle-cloud-tasks

Cloud Tasks masks Bearer Token (To a Public Cloud Run)

I have a public Cloud Run, authenticated by JWT Token. Working 100%. The logic inside the Cloud Run to decode the token is in python:

def decode_jwt(token: str) -> dict:
    try:
        decoded_token = jwt.decode(
            token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
        return decoded_token if decoded_token["expires"] >= time.time() else None
    except Exception as e:
        raise InvalidTokenError

The Cloud Run is publicly available using a custom domain.

Now, I want to do some requests to the Cloud Run, using Cloud Tasks (each request have different parameters, created previously by a Cloud Functions). In the Cloud Tasks, I create each task with a "Bearer {token}" parameter

Cloud Task Headers Code:

task["http_request"]["headers"] = \
                {"Authorization": f"Bearer {token}",
                 "Accept": "application/json"}

First situation:

When I create the task without the "oidc_token" parameter in the http_request creation. Cloud Run returns "403 Forbidden", and never reach the decode_jwt function inside cloud run. Cloud Task http_request Code:

task = {
        "http_request": {  
            "http_method": tasks_v2.HttpMethod.POST,
            "url": url,  
          }
       }

Second situation: I add an "oidc_token".

task = {
        "http_request": {  
            "http_method": tasks_v2.HttpMethod.POST,
            "url": url,  
            "oidc_token": {
                "service_account_email": "service-task@xxxxx.iam.gserviceaccount.com",
           }
       }

Now, the request reach the Cloud Run decode_jwt function, and the log in Cloud Run returns "InvalidTokenError". Extra: I added a logging.info to expose the token received in Cloud Run, and is not the token I passed in the Cloud Task Creation.

Solution

  • Problem Summary:

    1. you have a public (allUsers) Cloud Run service.
    2. you have created your own authorization mechanism (HS256 - HMAC with SHA-256).
    3. you want to assign a custom token for the HTTP Authorization Bearer value.
    4. Cloud Run authorization is managed by IAP.

    Authorization for the Cloud Run service is managed by the Identity Aware Proxy (IAP). If you add an HTTP Authorization Bearer token, IAP will verify that token. That step fails for your custom token which results in an HTTP 403 Forbidden error.

    Cloud Tasks supports two types of HTTP Authorization Bearer tokens. OAuth Access tokens and OIDC Identity tokens. You cannot use your own token value to replace the supported types.

    That leaves you with two options:

    1. Enhance your code to support Google signed OIDC Identity Tokens.
    2. Use a custom HTTP header that supports your custom token format.

    Note: I do not recommend using HS256. HS256 is a symmetric algorithm which means the secret must be known to both sides in order to validate the payload. RS256 is an asymmetric algorithm which uses private/public key pairs. To verify only requires the public key. This is one of the strong design features of Google's use of private keys for service accounts and identities. If you switch to Google's method, all of the hard work is done for you.