OAuth2.0, Cloud IAP and Firebase Authentication

Generally it's best to authenticate to a GCP API with a service account, i.e. as the application itself rather than as a user.

Use OAuth2.0 to access resources on behalf of a user

Use cases

  • your app needs access to BigQuery datasets that belong to users
  • your app needs to authenticate as a user to create projects on their behalf

Flow

  1. Your app requests access to the resources by sending the user to Google's authorization server with the scopes it needs.
  2. The user is prompted for consent.
  3. If consent is granted, the authorization server redirects back to the app with an authorization code, which the app exchanges for credentials (an access token and, optionally, a refresh token).
  4. The app then uses those credentials to access resources on behalf of the user.
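The four steps above as a server-side OAuth 2.0 client, written in Go as an added example for this page (it is not Google's client library): the app mints a random state and a PKCE verifier, builds the consent URL, validates the callback (the state must match the session, in constant time), assembles the authorization-code exchange, and finally calls BigQuery with the bearer token. The two Google endpoints and the BigQuery datasets URL are real; the client ID, secret, redirect URI and the callback URL in main are constructed placeholders, and PKCE is an addition the page does not mention.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Google's OAuth 2.0 endpoints (real); client ID, secret and redirect URI below are placeholders.
const (
	authEndpoint  = "https://accounts.google.com/o/oauth2/v2/auth"
	tokenEndpoint = "https://oauth2.googleapis.com/token"
)

// Session is the per-login state the app keeps server-side between step 1 and step 3.
type Session struct {
	State    string // anti-CSRF nonce that must come back unchanged on the callback
	Verifier string // PKCE secret; only its SHA-256 hash is sent in step 1
}

func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizationURL is step 1: where to send the user so Google can ask for consent.
func AuthorizationURL(clientID, redirectURI string, scopes []string) (string, *Session, error) {
	state, err := randomToken()
	if err != nil {
		return "", nil, err
	}
	verifier, err := randomToken()
	if err != nil {
		return "", nil, err
	}
	challenge := sha256.Sum256([]byte(verifier))
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	q.Set("code_challenge", base64.RawURLEncoding.EncodeToString(challenge[:]))
	q.Set("code_challenge_method", "S256")
	q.Set("access_type", "offline") // also request a refresh token
	return authEndpoint + "?" + q.Encode(), &Session{State: state, Verifier: verifier}, nil
}

// TokenRequest is step 3: check the callback the user was redirected back with and build
// the form to POST to tokenEndpoint. redirect_uri must be the same value as in step 1.
func TokenRequest(callbackURL string, sess *Session, clientID, clientSecret, redirectURI string) (url.Values, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return nil, fmt.Errorf("user did not grant consent: %s", e)
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(sess.State)) != 1 {
		return nil, errors.New("state mismatch: not a reply to our request (CSRF or login fixation)")
	}
	code := q.Get("code")
	if code == "" {
		return nil, errors.New("callback carries no authorization code")
	}
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("client_id", clientID)
	form.Set("client_secret", clientSecret)
	form.Set("redirect_uri", redirectURI)
	form.Set("code_verifier", sess.Verifier) // lets Google tie this exchange to step 1
	return form, nil
}

// ListDatasetsRequest is step 4: call BigQuery as the user with the access token.
func ListDatasetsRequest(accessToken, projectID string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, "https://bigquery.googleapis.com/bigquery/v2/projects/"+url.PathEscape(projectID)+"/datasets", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	return req, nil
}

func main() {
	link, sess, _ := AuthorizationURL("my-client-id", "https://app.example/oauth/cb", []string{"https://www.googleapis.com/auth/bigquery.readonly"})
	fmt.Println("redirect the user to:", link)
	// Constructed callback standing in for Google's redirect after the user consents.
	form, err := TokenRequest("https://app.example/oauth/cb?code=fake-code&state="+sess.State, sess, "my-client-id", "my-secret", "https://app.example/oauth/cb")
	fmt.Println("POST", tokenEndpoint, form.Encode(), err)
}
```

The state value is what stops an attacker from completing the flow with a code bound to their own account (login CSRF); the verifier makes a stolen authorization code useless without the session that started the flow. Both must be stored server-side, keyed to the user's session, never in a cookie the attacker can set.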

Cloud IAP (Identity-Aware Proxy)

It controls access to your cloud apps running on GCP.
It verifies a user’s identity and determines whether that user should be allowed to access the application.

IAP allows you to establish a central authorization layer for apps accessed over HTTPS.
It lets you adopt an application-level access control model instead of relying on network-level firewalls.

Apps and resources protected by IAP can only be reached through the proxy, and only by users (or members of groups) granted the IAP-secured Web App User role (roles/iap.httpsResourceAccessor) on the resource.

When you grant a user access to an app or resource through IAP, they are subject to the fine-grained access controls of the product in use, with no VPN required.

Precautions when using Cloud IAP

Configure your firewall rules and load balancer so the backend accepts only traffic that arrives through IAP's serving infrastructure. A client that can reach the backend directly (for example a VM's own IP address) bypasses IAP entirely. For Compute Engine backends this means allowing only the load balancer's source ranges, 130.211.0.0/22 and 35.191.0.0/16.

In the app, verify the signed header (the JWT IAP sets in x-goog-iap-jwt-assertion: check its signature, the issuer https://cloud.google.com/iap, the audience and the expiry) rather than trusting the plain x-goog-authenticated-user-email header, or use the App Engine standard environment Users API. A request that slipped past IAP can set the plain headers to any value.

Firebase Authentication (client SDK)

Firebase Authentication is Google's end-user sign-in service for client apps. It supports email and password, phone number, and federated sign-in with third-party identity providers such as Google or Facebook.

To sign a user in to your app

  1. Get authentication credentials from the user (email and password, or an OAuth token from an identity provider)
  2. Pass the credentials to the Firebase Authentication SDK
  3. Firebase backend services verify the credentials and return a response to the client
  4. After a successful sign-in you can
    • access the user's basic profile
    • control the user's access to stored data
    • use the ID token the SDK provides to verify the identity of users in your own backend services

Firebase Authentication is free except for phone authentication (SMS verification).