google-cloud-platform firebase-authentication google-cloud-functions google-cloud-api-gateway

API Key Authentication stops working when Firebase Authentication is added in Swagger (OpenAPI 2.0) for GCP Cloud Functions


I'm working with a Swagger 2.0 (OpenAPI 2.0) specification for my Google Cloud Function API, and I am facing an issue with the authentication part of the configuration. I initially set up API key authentication and it was working perfectly fine. However, after adding Firebase Authentication, my API key authentication stops working and the API now only works with a JWT from Firebase.

Here is my openapi2-functions.yaml file:

swagger: "2.0"
info:
  title: <Title>
  description: <Desc>
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
security:
  - api_key: []
  - firebase: []
paths:
  /:
    get:
      summary: Info about the API-status
      operationId: app
      x-google-backend:
        address: https://<REGION>-<PROJECT_ID>.cloudfunctions.net/app
      responses:
        "200":
          description: A successful response
          schema:
            type: string
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/<PROJECT_ID>"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "<PROJECT_ID>"

I want the API to authenticate using either the API key or Firebase Auth, not necessarily both.

But after adding Firebase, the API key authentication does not seem to work. Any requests that use only the API key for authentication are denied access with the response:

{"code":401,"message":"Jwt is missing"}

Has anyone run into the same problem, or does anyone have any idea how I can solve it?

I have tried to deploy it with security attached to only the endpoint, with one of the security schemas at a time, and they seem to be working separately but not together.


Solution

  • Found in the docs: Google Cloud Functions does not support logical operators like "OR", only "AND", in security requirements when using OpenAPI 2.0 (as of today; see progress on this issue tracker).

    When it comes to securing Cloud Functions with multiple security definitions with OR, I chose to create two gateways using the same schema. This allowed us to have the same logic for both endpoints, using API keys to auth for one endpoint and Firebase auth for the other, with the major drawback that we will have two endpoints.

    If someone finds a solution to bypass this to make it into one endpoint, please update this thread.
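
The two-gateway workaround described above can be driven from one base spec. The following is an added example, not code from the question or the answer: it flags every `security` list with more than one entry (OpenAPI 2.0 treats list entries as alternatives, i.e. OR) and derives one single-scheme spec per security definition. The function names are hypothetical and the sample spec is constructed from the question's file.

```python
import copy

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample: the question's spec reduced to the fields that matter here.
BASE_SPEC = {
    "swagger": "2.0",
    "security": [{"api_key": []}, {"firebase": []}],
    "paths": {"/": {"get": {"operationId": "app"}}},
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "name": "key", "in": "query"},
        "firebase": {"type": "oauth2", "flow": "implicit", "authorizationUrl": ""},
    },
}

def operations(spec):
    """Yield (label, operation) for every HTTP operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield f"{method.upper()} {path}", op

def find_or_requirements(spec):
    """Locations whose security list holds more than one alternative (OR)."""
    hits = ["(top level)"] if len(spec.get("security", [])) > 1 else []
    return hits + [where for where, op in operations(spec)
                   if len(op.get("security", [])) > 1]

def spec_for_scheme(spec, scheme):
    """Copy of the spec in which `scheme` is the only security requirement."""
    if scheme not in spec.get("securityDefinitions", {}):
        raise KeyError(f"unknown security scheme: {scheme}")
    out = copy.deepcopy(spec)
    out["security"] = [{scheme: []}]
    out["securityDefinitions"] = {scheme: out["securityDefinitions"][scheme]}
    for _, op in operations(out):
        if op.get("security"):      # an explicit empty list (public) is kept
            del op["security"]      # otherwise inherit the top-level requirement
    return out

def split_per_scheme(spec):
    """One single-scheme spec per security definition (one per gateway)."""
    return {name: spec_for_scheme(spec, name) for name in spec["securityDefinitions"]}

if __name__ == "__main__":
    print("OR requirements in base spec:", find_or_requirements(BASE_SPEC))
    for name, variant in split_per_scheme(BASE_SPEC).items():
        print(name, variant["security"], find_or_requirements(variant))
```

Each returned dict can be serialized to its own YAML file and deployed as a separate gateway config; running `find_or_requirements` before deployment catches a spec that still relies on OR.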