To authenticate users in Google Cloud applications, Google offers the following methods:
|Firebase Authentication||Provides multiple user authentication options including with Google, Facebook, and Twitter. It also supports the largest number of users while maintaining the smallest amount of code.|
|Google Sign-In||Google Sign-In provides Gmail and Google Workspace account sign-in along with support for one-time passwords (OTP). It's the easiest method of supporting Google-only accounts, or supporting Google accounts in an existing sign-in system.|
|OAuth 2.0 and OpenID Connect||OpenID Connect lets you handle and use authentication tokens from the ground up with the most customization.|
|Google Cloud Identity Platform||Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications. This option is ideal for users who want to be their own identity provider.|
|Users API||Note: The Users API is supported for Python 3, Java 11/17, Go 1.12+, and PHP 7/8.
The Users API is one of the legacy bundled services that is used for authenticating Google and Google Workspace accounts. This built-in API is only available in App Engine.
|Identity-Aware Proxy (IAP)||IAP lets you control access to your App Engine services, before requests reach your application resources. IAP lets you establish a central authorization layer for applications, and works with signed headers or the App Engine Users API to secure your app. Unlike the other authentication services in this table, IAP performs authentication before your app can be reached. The other options on this page, implement authentication in your app.|
Firebase Authentication gives you a robust, secure authentication system-in-a-box that helps you do sign in with any account your users want to use. Firebase Authentication supports password authentication in addition to federated sign-in with Google, Facebook, Twitter, and more, allowing you to easily scale your authentication system as you grow on desktop and mobile.
Firebase Authentication is the easiest way to set up user authentication for a Google App Engine app. To learn more about Firebase Authentication, try the following:
Firebase Web Tutorial highlights how to use Firebase on a website, including user sign-in with Google as the Identity Provider.
If you want to provide a Google login button for your website or app, or you're using Google Admin console for your domain and you want to authenticate users based on that login, you can use Google Sign-in, which is our sign-in client library built on the OAuth 2.0 and OpenID Connect protocols.
Google Sign-In is available for Web Apps, iOS, and Android.
OAuth 2.0 and OpenID Connect
Google Sign-in is based on Google's OAuth 2.0 implementation, which conforms to the OpenID Connect specification, and is OpenID Certified.
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, and your app can use it to retrieve user profile information.
Identity Platform provides a drop-in, customizable identity and authentication service for user sign-up and sign-in. Identity Platform supports multiple authentication methods (SAML, OIDC, email/password, social, phone, and custom auth) to provide flexible integration options for any identity solution. Identity Platform is built on Google Cloud's global scale, performance, network, and security, and comes with an enterprise-grade support and SLA to meet the demands of virtually any app or service.
Identity Platform offers its own user identity system. If you're already using Google Workspace for your domain and want to authenticate users based on that login, you should use Google Sign-In.
To learn about integrating Identity Platform with App Engine, try the how-to guide for signing in users on App Engine.
The Users API allows an application to perform the following tasks:
- Detect whether the current user is signed in.
- Redirect the user to the appropriate sign-in page to sign in.
- Request the user create a new Google account if they don't have one already.
While a user is signed in to the application, the app can access the user's email address. The app can also detect whether the current user is an administrator, making it easy to implement admin-only areas of the app.
More information is available on the Users API overview.
Identity-Aware Proxy (IAP)
IAP protects and secures your application by adding an authentication and authorization layer in front of your resources, for inbound external requests. IAP doesn't protect against activity within a project, such as another App Engine service inside the same project. Users who are not authorized access to your app can't have access to reach your App Engine app.
IAP-protected services or applications, can only be accessed by principals which have the correct Identity and Access Management (IAM) role. When a user tries to access an IAP-secured resource, IAP performs authentication and authorization checks for you. Learn how IAP secures your application resources on the IAP overview.
You can enable IAP for your whole app, or for specific services or versions of your app. See the IAP quickstart to learn how to configure IAP for your App Engine resources.