How do I give Retool access to a Cloud Functions endpoint that requires authentication?

I have a Cloud Functions endpoint where we handle authentication by checking the Firebase User’s token in the Authorization header of the request. This works fine for users of our app who all have signed in with Firebase auth–we just get the token from the firebase auth info client-side and send it along with the request.

But I want to allow Retool to fetch data from this endpoint as well.

I’ve added Retool as a service account in the Google Cloud Platform console, but is there a way to generate a JWT for the Retool that I can then validate in my Cloud Function?

Hey @blesstech and welcome to the community! If you’re using the REST API connector, you can pass anything through headers. For JWTs we don’t have native support for re-generating tokens automatically (see How to Refresh JWT Token with Custom Auth and JWT Authentication of REST API) so generally Retool users hardcode them into the header of their request. Retool also supports custom auth flows which you might be able to work with. Let me know if this helps!

Hi @blesstech

I'm currently facing the same challenge... Did you manage to figure it out?

@justin custom auth flows doesn't let you define backend javascript code to generate tokens

Hey philippe-boyd-maxa! Thanks for reaching out about this. You are correct that there is no way to do this from the resource setup page. You can however take care of all of this inside an app. I'll attach an export of an app one of my colleagues made for this exact purpose. If you fill out the fields for Private Key, Cloud Function URL, and Service Account Email, with your information it should work for you. Let me know what you think!

1 Like

Hey Joe, could you share the export of the app? I am also trying to authenticate a cloud run end point using jwt tokens and would love to understand how I can do this via an app

Hey srivya, you can download the export of the app in my response above! You can import the GService.json file into your Retool instance and take a look. Hopefully it gives you insight into how you can achieve a similar result for Cloud Run. Let me know if you have any trouble downloading it!

Hey Joe, I do not see any export. I only see the GServiceAccount.json file. Am I missing something?

Hey srivya, that is the exported app! Retool apps are exported as JSON files. You can download that file and then create a new app in your instance by importing that JSON file as shown in the screenshot below.

Ahhh I didn't realize this is what you meant. Thanks lot Joe

I am actually having trouble calling the KJUR module. Would you know how to custom install npm modules?

Actually nvm. It worked. Thanks again Joe

Hi @joeBumbaca, jumping in this thread as I'm evaluating Retool for my company needs. All our data is exposed through a Cloud Endpoint API using IAP, so I'm obliged to authenticate with a Service account.

If we were to use the approach you suggested a few posts earlier to authenticate to all apps built on Retool, would there be a way to programmatically rotate the service account private key in case we would revoke them automatically? Or would we need to do that manually? I'm asking because in case of having multiple apps, that would represent a) manual work (eew) b) possible downtime from the apps while we replace the keys.

Or is there perhaps a better way to arrange this integration?

Hi Marta, unfortunately right now I don't believe that there is a better way to arrange this integration. This happens to be a fairly manual process (eew, I know). You could create a global JS function that would give you access to the new service account key in each app, and would only have to change it in 1 place. But again that would still need to be done manually, when the key switches.

I just want to confirm, this is the only way to work with CloudFunctions? Meaning the Google OAUTH 2 from the Authentication on a Retool Resource won't solve for this?

1 Like

Hey wmoore, this is only an issue if you are trying to use a service account.

Got it, so I am NOT doing a service account; doing a user auth -- it authorizes right and I get the tokens but still doesn't work

I checked permissions in IAM too

Error: Forbidden
Your client does not have permission to get URL

Hey wmoore, this may be more suited to a support ticket. Feel free to write in to us! If you would prefer here, would love to see a screenshot of the resource set up. An image of the error and some information around when you receive it would be great as well. Thanks!

Thanks for your quick answer, @joeBumbaca ! I think that would be a good compromise between a fully manual and fully automated solution. If you know of any way to suggest this feature to the Retool team, please feel free to point me to the right direction! :slight_smile: As GCP is putting so much emphasis on their IAP systems and security, this might be a good add on to Retool.

I have a solution to the problems outlined above. The magic lies within the scopes granted.

Noting: This works specifically for IAP (identity aware proxy) protected services

1 Like