Google API Gateway: Authorization Header not forwarded
I have a google cloud api gateway deployed to send requests to a cloud run service.
The cloud run service hosts a laravel docker container image and to authenticate with my authenticated pages, I need to send an Authorization header (Authorization: Bearer my-user-token-here).
When I send the request directly to the cloud run service, I am able to get the response I need with the Authorization header set. But, when I send the request through the api gateway, I always get an unauthenticated message showing the header is missing in the api request to the cloud run. I am not sure of this though.
I can't find any useful documentation on google cloud api gateway to suggest whether cloud run drops the header.
I am also not sure whether the error is from the openapi.yaml. So far I realized I cannot use the v3 of the openapi documentation but rather v2 as api gateway does not support v2. In the v2 of the openapi docs, the securityDefinitions don't support Authorization header Bearer token but instead supports Authorization header basic.
My Openapi yaml
# openapi2-run.yaml
swagger: "2.0"
info:
  title: my-api
  description: my custom api
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
consumes:
  - application/json
x-google-backend:
  address: https://some-cloud-run-url
basePath: /api
host: my-api.nw.gateway.dev
x-google-endpoints:
  - name: "my-api.nw.gateway.dev"
    allowCors: True
paths:
  /user:
    get:
      summary: Requested user details.
      operationId: UserDetails
      responses:
        "200":
          description: Return Requested User Details.
          schema:
            type: string
        "default":
          description: Unexpected error
The surprising fact is that if I send the request either locally or directly to the cloud run, it works and I get no authentication error, but when I use the api-gateway, then I get the error. So I am guessing it has to do with the header going missing when the request reaches the cloud run, probably because the yaml definition I have here does not have an authorization header.
Solution 1:[1]
We have an API gateway instance which sends requests to cloud functions.
If any incoming requests have an Authorization header, the gateway maps the header details into an X-Forwarded-Authorization header in the request to the cloud function.
I assume it's the same for requests to Cloud Run. I don't have any experience with Laravel to know if it has options to look in the forwarded header, though.
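For the Laravel side of this, here is an added example (not code from the question or either answer) of a middleware that copies the end user's token from X-Forwarded-Authorization back into Authorization before Laravel's own auth middleware runs. It assumes the gateway forwards the original header value unchanged (the "Bearer ..." string), which is what the answer above describes; the class name and file path are hypothetical.

```php
<?php
// app/Http/Middleware/RestoreForwardedAuthorization.php (assumed path)
// Added example for this thread; not part of the question or answers.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

/**
 * When a request arrives through Google API Gateway with backend
 * authentication enabled, the Authorization header carries the
 * gateway's own identity token and the API client's original header
 * is moved to X-Forwarded-Authorization. Laravel's guards read the
 * token via $request->bearerToken(), i.e. from Authorization, so we
 * put the forwarded value back there. Direct calls to Cloud Run (or a
 * gateway configured with disable_auth) have no forwarded header and
 * pass through untouched.
 */
class RestoreForwardedAuthorization
{
    public function handle(Request $request, Closure $next)
    {
        $forwarded = $request->header('X-Forwarded-Authorization');

        if ($this->isBearer($forwarded)) {
            // Replace the gateway's token with the end user's token.
            // The user's token is still fully validated by the auth
            // guard afterwards; this only changes which header it reads.
            $request->headers->set('Authorization', $forwarded);
        }

        return $next($request);
    }

    /** Accept only a well-formed "Bearer <token>" value. */
    private function isBearer(?string $value): bool
    {
        return $value !== null
            && preg_match('/^Bearer\s+\S+$/i', $value) === 1;
    }
}
```

Register it ahead of the auth middleware (for example in the `api` middleware group in `app/Http/Kernel.php`) so that `auth:api` or `auth:sanctum` sees the restored header. Because the forwarded token goes through the same guard validation as a token sent directly in Authorization, accepting it does not widen who can authenticate; it only restores the header the gateway relocated.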
Solution 2:[2]
Actually you can ignore it by setting the disable_auth in x-google-backend.
The document is not in google gateway, but in google endpoint as follows: https://cloud.google.com/endpoints/docs/openapi/openapi-extensions
The document says:
When configuring your target backend, you may not want to use IAP or IAM to authenticate requests from ESPv2 if either of these conditions apply:
The backend should allow unauthenticated invocations.
The backend requires the original Authorization header from the API client and cannot use X-Forwarded-Authorization (described in the jwt_audience section).
So in your particular case, you just need to modify a single block like this:
x-google-backend:
  address: https://some-cloud-run-url
  disable_auth: True
And it will work like a charm.
Beware that once you decide to do the authorization yourself, you cannot set the securityDefinitions in the gateway config. The gcp gateway will throw 401 if you do this.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow

Solution | Source
---|---
Solution 1 | Scott Matthewman
Solution 2 |