My project requires HIPAA compliance, so I chose Auth0 as it is HIPAA compliant for authentication.
The backend is Firebase, and their auth is not HIPAA compliant; however, database and storage are.
I managed to use the Auth0 JWT to create Firebase custom tokens, which I then send back to the client so they log in with the Firebase custom token.
It is working perfectly on localhost endpoint.
Once I deploy the endpoint as a Google Cloud Function (HTTP-triggered function), I am getting a 401 error, unauthorized.
This error only happens when I use the authenticated user option; however, once I make the function public (unauthenticated allowed), it works flawlessly.
Here is my question:
Is the cloud function (API) inherently protected by the fact that I am using the middleware (express-oauth2-jwt-bearer) to verify the tokens?
If it is protected, then I keep the cloud function URL public so everything works fine.
If this is not the best practice, then how do I get Google Cloud to accept my Auth0 JWT to trigger the function?
I did use the API Gateway Auth0 authentication protocol based on the Google documentation, but no luck.
Maybe I am missing something.