API Key Authentication stops working when Firebase Authentication is added in Swagger (OpenAPI 2.0) for GCP Cloud Functions

Question

I'm working with a Swagger 2.0 (OpenAPI 2.0) specification for my Google Cloud Function API, and I am facing an issue with the authentication part of the configuration. I have initially set up API key authentication and it was working perfectly fine. However, after adding Firebase Authentication, my API key authentication stops working and now only works for JWT from firebase.

Here is my openapi2-functions.yaml file:

swagger: "2.0"
info:
  title: <Title>
  description: <Desc>
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
security:
  - api_key: []
  - firebase: []
paths:
  /:
    get:
      summary: Info about the API-status
      operationId: app
      x-google-backend:
        address: https://<REGION>-<PROJECT_ID>.cloudfunctions.net/app
      responses:
        "200":
          description: A successful response
          schema:
            type: string
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/<PROJECT_ID>"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]"
    x-google-audiences: "<PROJECT_ID>"

I want the API to authenticate using either the API key or Firebase Auth, not necessarily both.

But after adding Firebase, the API key authentication does not seem to work. Any requests that use only the API key for authentication are denied access with the response:

{"code":401,"message":"Jwt is missing"}

Is there anyone that have run in to the same problem, or have any idea how i can solve it?

I have tried to deploy it with security attached to only the endpoint, with one of the security schemas at a time, and they seem to be working seperatly but not togheter.

Answer 1

I found this similar documentation that uses Google Cloud Functions with API Gateway and Firebase Auth to it.

Please be advised that:

1. Make sure that billing is enabled.

2. Enable the required service APIs:

   gcloud services enable apigateway.googleapis.com
   gcloud services enable servicemanagement.googleapis.com
   gcloud services enable servicecontrol.googleapis.com
   gcloud services enable cloudbuild.googleapis.com
   gcloud services enable cloudfunctions.googleapis.com
   gcloud services enable apigateway.googleapis.com
   

3. Create and deploy the Cloud Function

4. Create Service Account for API Gateway

5. Add Cloud Function invoker role (roles/cloudfunctions.invoker) to the service account

You need to add /hello_get: under paths: as API Gateway doesn't support CORS (Cross-Origin Resource Sharing) and is needed to be added to every path.

paths:
  /hello_get:
    get:
      security: 
        - firebase: []
      summary: Greet a user
      operationId: hello
      x-google-backend:
        address: https://GCP_REGION-PROJECT_ID.cloudfunctions.net/hello_get
      responses:
        '200':
          description: A successful response
          schema:
            type: string
    
    options:
      operationId: corsRequest
      x-google-backend:
        address: https://GCP_REGION-PROJECT_ID.cloudfunctions.net/hello_get

In case that the steps above didn't work, you may reach out to Google Cloud Support or report this as an issue with this issue tracker link.

Answer 2

Found in the docs: Google Cloud Functions does not support logical operators like "OR" only "AND" in security requirements. (as today, see progress on this issue tracker) when using OpenAPI 2.0.

When it comes to securing Cloud Functions with multiple security definitions with OR i choose to create two gateways using the same schema. This allowed us to have the same logic for both endpoints, using API-keys to auth for one endpoint and Firebase auth for the other, with the major drawback that we will have two endpoints.

If someone finds a solution to bypass this to make it into one endpoint, please update this thread.