Accessing secured Google Cloud functions from the browser

Making HTTP requests from browser extensions to Cloud functions requiring authentication

HTTP cloud functions are short-lived, they cannot maintain long-lasting cookie-based sessions. Instead, it is possible to re-identify callers in each request using the ID token from the Authorization request header. And depending on the user’s identity, perform an action e.g. call another service or simply save the user ID as a property of the received data.

When a function functionality anyway depends on ID tokens, it might be a good idea to secure the function so that it can be accessed only by selected users or by the users having a valid ID token. It is matter of several clicks in the convenient interface of the Cloud Run service containing the function.

Cloud functions requiring authentication

Google Run service authenticates users using the ID token received in the Authorization request header. If the caller turns out be not authorized, the request get rejected before reaching the cloud function.

To become authorized, the user has to be assigned the Cloud Run Invoker role in the Google Run settings. To make my sample function accessible to all Google users, I granted…