Can not request firebase function by using Cloud Task

[RTae]

Hi, I have problem requesting a firebase function by using cloud task

this is my code

tasks_client = tasks_v2.CloudTasksClient()

task_queue = tasks_client.queue_path(
                params.PROJECT_ID.value, 
                SupportedRegion.US_CENTRAL1.value,
                DATA_TASK_NAME
            )
    
task = tasks_v2.Task(
            http_request= {
                "http_method": tasks_v2.HttpMethod.POST,
                "url": "https://cloudrune-service-generate-by-cloud-function.a.run.app",
                "headers":{"Content-type": "application/json"},
                "oidc_token": tasks_v2.OidcToken(
                    service_account_email=f"service_account@{settings.PROJECT_NAME}.iam.gserviceaccount.com",
                ),
                "body": json.dumps({"data":{"update_date": data['update_date']}}).encode()
            }
        )

It will raise an error about authentication.

ERROR:root:Error validating token: The Firebase ID token has an incorrect "aud" (audience) claim. Expected "PROJECT_ID" but got "https://cloudrune-service-generate-by-cloud-function.a.run.app". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.

WARNING: Root:Callable request verification failed: $[('Auth token was rejected.', {'app': 'MISSING', 'auth': 'INVALID', 'logging.googleapis.com/labels': {'firebase-log-type': 'callable-request-verification'}})]

if I add audience in oidc_token with project ID, it will raise another error

The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#401

From my understanding, both error are about authentication from firebase and cloud run

[exaby73]

Hello @RTae. Could you tell me which libraries you're using?

[RTae]

@exaby73 I'm using firebase function to create a cloud task to request another firebase function. Basically, I followed this example but it not working https://firebase.google.com/docs/functions/task-functions?gen=2nd#python

tasks_v2 : https://pypi.org/project/google-cloud-tasks/

[antont]

I also failed to get the auth token biz working similarily, so ended up removing access control from the task queue, to get forward. Our thing is low security anyway, and if needed, I guess I can add an API key to the workers. Would be nice to have proper auth working though ofc.

[kulaone]

I tried to follow this Python example too, with no success.
The task is added to the queue, but when the task invoking the function I get:
"The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#unauthorized-client"

[exaby73]

Is it possible to give me an example I could test with?

[antont]

Is it possible to give me an example I could test with?

That basically is it, I also tried to follow it and got into the same trouble. https://firebase.google.com/docs/functions/task-functions?gen=2nd#python

[spartonia]

Any luck here? I also followed the docs but no luck.

[ShadowBearVR]

I am in the same boat. Anyone find a solution to this?

[pr-Mais]

Hello all, for those following the sample here there's a small issue, first change location: str = SupportedRegion.US_CENTRAL1 to location: str = SupportedRegion.US_CENTRAL1.value, the location was sent as a literal locations/supportedregion.us_central1 thus we get the error Location SupportedRegion.US_CENTRAL1 is not found or access is unauthorized. (it really doesn't exist).

@kulaone @antont @spartonia @ShadowBearVR have you followed the instructions here? the error indicates that the service account used doesn't have the role roles/cloudfunctions.invoker.

@RTae you're trying to use a service account other than the ADC right?

[ShadowBearVR]

@pr-Mais I can confirm the required permissions (and extra) were added and I still got the same type of errors.

[pr-Mais]

@ShadowBearVR can you post the exact error message you're getting and if it's the same as the issue author?

[sjudd]

I'm also unable to get this to work. The example doesn't include an auth header or token:

task_queue = tasks_client.queue_path(project_id, REGION.value, <function_name>)
    target_uri = get_function_url(<function_name>)
   body = {}
    task = tasks_v2.Task(
        http_request={
            "http_method": tasks_v2.HttpMethod.POST,
            "url": target_uri,
            "headers": {
                "Content-type": "application/json",
            },
            "body": json.dumps(body).encode(),
        }
    )
    tasks_client.create_task(parent=task_queue, task=task)

This produces an error indicating that an authorization token is required in the function that consumes the queue:

"The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#unauthorized-client"

The roles for my default compute service account include cloud run invoker and cloud function invoker:

If you follow https://cloud.google.com/run/docs/authenticating/service-to-service#run-service-to-service-example-python, that suggests that you set the url from your service as the audience and create a bearer token you pass through:

    target_uri = get_function_url(function_name)
    auth_req = google.auth.transport.requests.Request()
    id_token = google.oauth2.id_token.fetch_id_token(auth_req, target_uri)

    task = tasks_v2.Task(
        http_request={
            "http_method": tasks_v2.HttpMethod.POST,
            "url": target_uri,
            "headers": {
                "Content-type": "application/json",
                "Authorization": f"Bearer {id_token}",
            },
            "body": json.dumps(body).encode(),
        }
    )
    tasks_client.create_task(parent=task_queue, task=task)

This produces a different error in the queue consumer:

ERROR:root:Error validating token: Firebase ID token has incorrect "aud" (audience) claim. Expected "<project_id>" but got "https://us-central1-<project_id>cloudfunctions.net/<function_name>". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token."

If you change the audience from the function to the firebase project (<project_id>), you get a different error:

textPayload: "The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#401"

That certainly looks like the service account doesn't have the required permission, but it does at least have functions invoker and cloud run invoker.

It would be really helpful to have a working example. Based on the very first error, it seems like you must explicitly pass some kind of auth information to tasks_v2.Task, but the example doesn't do so.

Edit: It looks like there are two different auth checks being performed with two different (and maybe incompatible) sets of requirements. The first looks like a standard firebase auth check. The second seems like it's the underlying cloud tasks. The error messages make it look like we're able to satisfy either Firebase or Cloud Tasks checks, but not both.

[sjudd]

And just for fun, I tried creating a task queue using typescript and calling it from python. That works perfectly if you follow the guidance in https://cloud.google.com/run/docs/authenticating/service-to-service#run-service-to-service-example-python:

target_uri = get_function_url(function_name)
auth_req = google.auth.transport.requests.Request()
id_token = google.oauth2.id_token.fetch_id_token(auth_req, target_uri)

task = tasks_v2.Task(
    http_request={
        "http_method": tasks_v2.HttpMethod.POST,
        "url": target_uri,
        "headers": {
            "Content-type": "application/json",
            "Authorization": f"Bearer {id_token}",
        },
        "body": json.dumps(body).encode(),
    }
)
tasks_client.create_task(parent=task_queue, task=task)

If I instead define the queue in python and call it with exactly the same code, I get:

ERROR:root:Error validating token: Firebase ID token has incorrect "aud" (audience) claim. Expected "<project_id>" but got "https://<function-name>-NNNN-uc.a.run.app". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token."

This seems problematic? https://github.com/firebase/firebase-functions-python/blob/7f83050dc44f7877a58a590a5aae1006a6f14358/src/firebase_functions/private/util.py#L218C28-L218C43. That's calling a firebase function to validate auth. The only other use of that method I see is for https functions where using Firebase's auth makes more sense because the caller is very likely to be external: https://github.com/search?q=repo%3Afirebase/firebase-functions-python%20_on_call_handler&type=code. It definitely seems like Firebase's auth requirements differ from the Cloud Run Service's auth requirements. Since they both use the same header it's not possible to satisfy both.

A workaround seems to be to enable "Allow unauthenticated invocations" for the service. Firebase might still pass through and validate its own auth token if you do this (I haven't tried to validate that), but you can also pass through a secret or an auth token using the body and manually validate it.

[cons-andreas-kahmann]

I have the same issue. Following the example "https://firebase.google.com/docs/functions/task-functions?gen=2nd", whatever configuration I use, I always get some kind of authentication / authorization error

[jacobg]

I'm having the same issue here. I tried adding an oidc_token to the task http_request. If audience is set to the project, Cloud Run returns 401 with error logged:

The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#401

If audience is set to the function url, then the function does seem to get invoked but the Firebase task wrapper fails with this error:

ERROR:root:Error validating token: Firebase ID token has incorrect "aud" (audience) claim. Expected "PROJECT-ID" but got "FUNCTION-URL". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token.

As a previous poster notes, it seems there are two layers of authentication that conflict with each other.

Can Firebase team please follow up on this issue? Many people here need help. Thanks!

[jacobg]

Since the Cloud Run service is already doing the authentication, it seems we can patch the Firebase SDK inside the function to bypass auth:

import firebase_functions.private.util as firebase_private_util
def _on_call_check_auth_token(*args, **kwargs):
    return None
firebase_private_util._on_call_check_auth_token = _on_call_check_auth_token

Then when enqueing a task, make sure to set the oidc_token in the task's http_request to meet the requirements of Cloud Run:

            "oidc_token": {
                'service_account_email': FUNCTION_IDENTITY,
                'audience': task_http_request_url,
            }

I verified this works.

[pr-Mais]

Thanks, everyone for providing such detailed comments! we were able to reproduce.

@jacobg This might be the issue, we are working on a fix ASAP.

[jacobg]

Thank you @pr-Mais 👍

[exaby73]

This issue should be fixed and will go out in the next release

[AdamGreenAwardMatcher]

Any update for when this will be released?

[GoodluckH]

^ Same question. Wonder if there're any temporary workarounds for this?

[vitoras]

This issue should be fixed and will go out in the next release

Hi @exaby73, any updates on this? When will the next release happen?

^ Same question. Wonder if there're any temporary workarounds for this?

@GoodluckH , the workaround is to define your function as @https_fn.on_request instead of @tasks_fn.on_task_dispatched

[exaby73]

We're planning a release soon. Keep a lookout in the next couple of days

[milanmitrovic]

Any updates? I also have the same issue.

[collbreno]

I had the same issue here. Updating firebase-functions from 0.2.0 to 0.4.1 fixed it!