Reputation: 13484
How to set up custom user authentication with Google Cloud Endpoints
I am trying to understand how to use Cloud Endpoints with custom authentication. From the docs I understand that it starts from the securityDefinitions:
securityDefinitions:
your_custom_auth_id:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
# The value below should be unique
x-google-issuer: "issuer of the token"
x-google-jwks_uri: "url to the public key"
# Optional. Replace YOUR-CLIENT-ID with your client ID
x-google-audiences: "YOUR-CLIENT-ID"
This is how I understand the flow:
- API consumer sends a request with a JWT token in the header
- ESP validates this token using the
authorizationUrl - The request is forwarded or ESP returns an error.
My questions:
- Is the flow above correct?
How should the
authorizationUrlbe implemented. How does the request look, what response should be return in case of success or failureWhat about this values? x-google-issuer: "issuer of the token" x-google-jwks_uri: "url to the public key" x-google-audiences: "YOUR-CLIENT-ID"
Upvotes: 5
Views: 2798
Answers (1)
Reputation: 115
Configuring Custom Authentication for Endpoints
To configure custom authentication for Endpoints (and according to the OpenAPI v2 spec), you need two pieces:
- Define your custom authentication scheme in the
securityDefinitionssection of the spec - Apply your custom authentication scheme (defined in #1) to the entire api or to specific operations using the
securityfield.
The Google Cloud Endpoints docs describe this here.
OpenAPI Spec's SecurityDefinitions
Some fields in the SecurityDefinitions section of the OpenAPI spec are for the API producer, and some are for the API consumer.
The following fields are for the API producer and tell Endpoints how to validate the access tokens that accompany API requests:
- type: "oauth2"
- x-google-issuer: "issuer of the token"
- x-google-jwks_uri: "url to the public key"
- x-google-audiences: "YOUR-CLIENT-ID"
These fields are specified by the API producer and tell the consumer how to get a valid access token:
- authorizationUrl
- flow
Re:Your Questions
- Correct. Here is documentation on how the consumer should send the access token with the request
- ESP validates the access token using the public keys specified in the
x-google-jwks_uriproperty of the spec and ensures that the issuer of the token matches the issuer specified in the securityDefinition'sx-google-issuerfield. - Correct.
Regarding your questions, the authorizationUrl should be set up by the OAuth2 provider you are using. That url should allow the consumer to execute the implicit OAuth2 flow to get an access token. All you need to do is specify this
Upvotes: 2
Related Questions
- Authorization in Google Cloud Endpoints for external clients
- Google Cloud Endpoints custom authentication with App Engine Flexible (Node.js)
- Custom Authentication for Google Cloud Endpoints (instead of OAuth2)
- Java - Google Cloud Endpoints custom authentication with sessions
- Appengine Custom Authentication
- Google App Engine: Endpoints authentication when custom auth or Open ID is used
- Using Auth with Endpoints
- Endpoints API with authentication
- How to add authentication to google cloud endpoints?
- Endpoints User Authentication