Google Cloud Run end-user authentication
It looks like Identity Aware Proxy (IAP) is now available (as a preview) for Cloud Run...
- https://cloud.google.com/iap/docs/enabling-cloud-run
And if you want to tweak things there is a sample that shows how to customize the sign in page here:
- https://cloud.google.com/iap/docs/cloud-run-sign-in
Note: I haven't tried any of this yet (but looking forward to it as an upcoming weekend project)!
Run PM here,
Yes, right now you're required to host your own OAuth client, e.g.:
<html>
<head>
<title>Google Sign-in + Run</title>
<script src="https://apis.google.com/js/platform.js"></script>
<script type='text/javascript' src='https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js'></script>
<meta name="google-signin-client_id" content="{OAUTH_CLIENT_ID}">
</head>
<body>
<div class="g-signin2" data-onsuccess="onSignIn"></div></br>
<div>
<div id="returned-text"></div></br>
<button id="test">Test</button>
</div>
<script>
var id_token;
function onSignIn(googleUser) {
id_token = googleUser.getAuthResponse().id_token;
}
$(document).ready(function() {
$('#test').on('click', function () {
var serviceURL = 'https://...';
var xhr = new XMLHttpRequest();
xhr.open('GET', functionURL);
xhr.setRequestHeader('Authorization', 'bearer ' + id_token);
xhr.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
$('#returned-text').text(xhr.responseText);
}
};
xhr.send();
});
});
</script>
</body>
</html>
Note that CORS will be wonky here, and we recommend hosting on the same origin to get rid of this (e.g. use the Firebase Hosting integration).
In the future, it's likely we'll offer IAP (which hosts an OAuth client for you).
Inspired by @mike's approach I created a Cloud Run hosted version of an Identity Aware Proxy in a Terraform config.
https://futurice.com/blog/identity-aware-proxy-for-google-cloud-run