If your application handles requests from users, it's a best practice torestrict access to only the allowed users.Users do not typically have IAM permission on your Google Cloudproject or Cloud Run service.

We distinguish two types of users:

• End users: Users of your application who do notnecessarily belong to your organization. They typically need to registeran account for themselves.
• Internal users: Users who are explicitly granted access toyour application by an administrator in your organization. They typically belongto your organization.

If you want to authenticate users using email/password, phone number, socialproviders like Google, Facebook or GitHub, or a custom authentication mechanism,you can useIdentity Platform.UsingFirebase Authentication is similar to using Identity Platform.

You need a public web or mobile app that handles the sign-in flow and then makesauthenticated API calls to a Cloud Run service.This public web app can itself be hosted on apublic Cloud Runservice.

For a complete tutorial on using Identity Platform for end user authentication, refer totheEnd user authentication for Cloud Runtutorial.

1. Add code to your Cloud Run service toverify ID tokens.

2. Deploy your Cloud Run service publicly.

3. Set up Identity Platform in your project

4. Do the following in your web or mobile app:

   1. Use the appropriate Firebase Auth client library to get an ID token:
      • Android: Use theGetTokenResult().getToken() method.
      • iOS: Use theUser.getIDTokenResult(completion:) method.
      • Web: Use thefirebase.User.getIdToken() method.
   2. Include the ID token in anAuthorization: BearerID_TOKEN header in therequest to the service.

You can use any of the following methods to access user profile information:

• Use the Firebase Admin SDK to make a network request toretrieve user data.
• Use aGoogle API Client Library to retrieve user data using the method best suited for your chosen runtime.

For an end-to-end walkthrough of an application using this authentication technique,follow theend user authentication for Cloud Run tutorial.

Authenticating internal users

For internal user authentication, useIdentity-Aware Proxy.

To set up Identity-Aware Proxy for a Cloud Run service, seeConfigure Identity-Aware Proxy for Cloud Run.

For preflightedCross-Origin Resource Sharing (CORS)requests with authenticated Cloud Run services, we recommend that youConfigure IAP for Cloud Runinstead of using IAM authentication. This lets you configureIAP toallow unauthenticated OPTIONS requests,which satisfies the browser's preflight check while ensuring that all otherrequests are authenticated.

Even when IAP allows the OPTIONS request, the application codeyou deploy to Cloud Run must still handle the CORS preflightrequest and the actual request that follows by sending the appropriate CORSheaders.

To learn how to authenticate users or service accounts to an Identity-Aware Proxy-securedCloud Run service using OAuth 2.0, refer to the documentation forProgrammatic authentication.