To achieve this, you have 2 solutions:
- Check by yourselves the token in a unauthenticated Cloud Run services. There is a recent and great Google Cloud post on this. Personally I don’t like this solution because if there is an attack, it’s up to your service to manage this high traffic, and you to pay!
- Use a proxy. The (old) Cloud Endpoint can achieve this, and I wrote an article on this 1 year ago (with API Keys security definition, but change it with Firebase Auth security definition and use it!). It’s quite old because a fresh new service has been release this summer, named API Gateway which is, today, a Cloud Endpoint fully manage by Google (today the features are the same, but API Gateway will evolve; not sure about Cloud Endpoint!)
CLICK HERE to find out more related problems solutions.