Search code examples
laravelopenapigoogle-api-gateway

Google API Gateway: Authorization Header not forwarded

I have a Google Cloud API gateway deployed to send requests to a cloud run service.

The cloud run service hosts a laravel docker container image and to authenticate with my authenticated pages, I need to send an Authorization header (Authorization: Bearer my-user-token-here).

When I send the request directly to the cloud run service, I am able to get the response I need with the Authorization header set. But, when I send the request through the api gateway, I always get an unauthenticated message showing the header is missing in the api request to the cloud run. I am not sure of this though.

I can't find any useful documentation on google cloud api gateway to suggest whether cloud run drops the header.

I am also not sure whether the error is from the openapi.yaml. So far I realized I cannot use the v3 of the openapi documentation but rather v2 as api gateway does not support v2. In the v2 of the openapi docs, the securityDefinitions don't support Authorization header Bearer token but instead supports Authorization header basic.

My Openapi yaml

# openapi2-run.yaml
swagger: "2.0"
info:
  title: my-api
  description: my custom api
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
consumes:
  - application/json
x-google-backend:
  address: https://some-cloud-run-url
basePath: /api
host: my-api.nw.gateway.dev
x-google-endpoints:
  - name: "my-api.nw.gateway.dev"
    allowCors: True
paths:
  /user:
    get:
      summary: Requested user details.
      operationId: UserDetails
      responses:
        "200":
          description: Return Requested User Details.
          schema:
            type: string
        "default":
          description: Unexpected error

The surprising fact is that if I send the request either locally or directly to the cloud run, it works and I get no authentication error, but when I use the api-gateway, then I get the error. So I am guessing it has to do with the header going missing when the request reaches the cloud run, probably because the yaml definition I have here does not have an authorization header.

Solution

  • We have an API gateway instance which sends requests to cloud functions.

    If any incoming requests have an Authorization header, the gateway maps the header details into an X-Forwarded-Authorization header in the request to the cloud function.

    I assume it's the same for requests to Cloud Run. I don't have any experience with Laravel to know if it has options to look in the forwarded header, though.