Google Cloud Run OAuth2 Authentication with PKCE

会有一股神秘感。 Submitted on 2020-04-18 06:13:57

Question


I need to authenticate a service account (with container invoke role) in Cloud Run with PKCE. Basically my iOS app sends HTTPS requests to invoke certain Cloud Run Container (with Django Rest Framework).

I found this example (which authenticates to the Cloud Run endpoint via a self-signed JWT in exchange for a token). This is exactly what I need, but I want to add PKCE. I'm confused as to where I send code_verifier and code_challenge. If I do the verification in my container, how would that link to Cloud Run authorization?


Answer 1:


The (bad) solution is to generate a service account key file and embed it in your iOS app. But, as mentioned by John, if you do this, you lose control of your key because your mobile device isn't safe. Instead of doing this, make your service public!!

The good pattern is to not let your user directly call your private and secure service, but to have a public gateway that performs the user security check. Thereby, you will use the OAuth flow of your user to authenticate them on a backend, and this backend will be able to call your service with the right service account.

You can do it by yourself, but the good alternative is to use an API Gateway, like Cloud Endpoints on GCP. You can plug Firebase Authentication into it. Your overhead is minimal, and your security is improved! I wrote an article in relation to this (it's about API Keys, but replace the API Key security definition with the Firebase auth security definition, and enjoy!)




Answer 2:


Google OAuth does not implement PKCE.

PKCE is part of the Authorization Code Flow. Service accounts do not use this Flow.

Authorization Code Flow is not part of Google service account authorization, as both sides are considered trusted. A mobile device is not a trusted device, therefore do NOT store service accounts on mobile devices.
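The two answers above say where PKCE does and does not belong; the following added example (not code from either answerer, and not Google's authorization server) shows the mechanics the question asks about. It implements the RFC 7636 S256 transform and a toy in-memory authorization server, `ToyAuthorizationServer`, which is an assumption standing in for the real one. The point it makes concrete: `code_challenge` travels with the authorization request and `code_verifier` with the token request, both to the authorization server; the resource server (here, the Cloud Run container) never sees either, so there is nothing for the container to verify.

```python
"""PKCE (RFC 7636) round trip between a public client and a toy authorization
server. Constructed example: the server below is an in-memory stand-in, not
Google's authorization server, and no network is involved."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random string; 32 bytes encode to 43 chars,
    the RFC minimum (maximum is 128)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Assumed stand-in for the authorization server. It is the only party that
    receives code_challenge (authorization request) and code_verifier (token
    request). A resource server such as a Cloud Run container handles neither."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        """Authorization request: bind the challenge to a fresh one-time code."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token request: recompute the challenge from the presented verifier and
        compare it (constant time) with the one bound at authorization."""
        expected = self._pending.pop(code, None)  # codes are single-use
        if expected is None:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        return hmac.compare_digest(make_code_challenge(code_verifier), expected)


def run_flow() -> Dict[str, bool]:
    """Drive the exchange and report what the server accepts or rejects."""
    server = ToyAuthorizationServer()
    results: Dict[str, bool] = {}

    # 1. Legitimate client: verifier stays on the device, challenge goes out.
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier), "S256")
    results["legit"] = server.token(code, verifier)
    # 2. The same code presented again: already consumed.
    results["replayed_code"] = server.token(code, verifier)

    # 3. A second authorization where only the code leaks (e.g. via a
    #    redirect); without the original verifier the exchange fails.
    verifier2 = make_code_verifier()
    code2 = server.authorize(make_code_challenge(verifier2), "S256")
    results["code_without_verifier"] = server.token(code2, make_code_verifier())

    # 4. The 'plain' method is refused outright.
    try:
        server.authorize(make_code_verifier(), "plain")
        results["plain_rejected"] = False
    except ValueError:
        results["plain_rejected"] = True
    return results


if __name__ == "__main__":
    # RFC 7636 Appendix B vector, then the full flow.
    print(make_code_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"))
    print(run_flow())
```

Mapping this back to the question: a service account never performs the authorization request in step 1, which is why PKCE has no place in the service-account JWT exchange the linked example uses, and why the container (the resource server) has no `code_verifier` to check.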



Source: https://stackoverflow.com/questions/61040860/google-cloud-run-oauth2-authentication-with-pkce
