Python 2 is no longer supported by the community. We recommend that you migrate Python 2 apps to Python 3.

User Authentication Options

Google offers multiple methods of authenticating users in Google Cloud applications.

Each method has different purposes, listed below:

Authentication Service Purpose
Firebase Authentication Provides multiple user authentication options including with Google, Facebook, and Twitter. It also supports the largest number of users while maintaining the smallest amount of code.
Google Sign-In Google Sign-In provides Gmail and Google Workspace account sign in along with support for one-time passwords (OTP). It's the easiest method of supporting Google-only accounts, or supporting Google accounts in an existing sign-in system.
OAuth 2.0 and OpenID Connect OpenID Connect allows you to handle and use authentication tokens from the ground up with the most customization.
Users API Uses App Engine's built-in Users API service to authenticate Google and Google Workspace accounts.
The Users API service is not recommended. Apps that use this service can only run in App Engine.

Firebase Authentication

Firebase Authentication gives you a robust, secure authentication system-in-a-box that helps you do sign in with any account your users want to use. Firebase Authentication supports password authentication in addition to federated sign in with Google, Facebook, Twitter, and more, allowing you to easily scale your authentication system as you grow on desktop and mobile.

Firebase Authentication is the easiest way to set up user authentication for a Google App Engine app. To learn more about Firebase Authentication, try the following:

Google Sign-In

If you want to provide a Google login button for your website or app, or you're using Google Workspace Admin Console for your domain and you want to authenticate users based on that login, you can use Google Sign-in, which is our sign-in client library built on the OAuth 2.0 and OpenID Connect protocols.

Google Sign-In is available for Web Apps, iOS, and Android.

OAuth 2.0 and OpenID Connect

Google Sign-in is based on Google's OAuth 2.0 implementation, which conforms to the OpenID Connect specification, and is OpenID Certified.

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, and your app can use it to retrieve user profile information.

Users API

The Users API allows an application to perform the following tasks:

  • Detect whether the current user is signed in.
  • Redirect the user to the appropriate sign-in page to sign in.
  • Request the user create a new Google account if they don't have one already.

While a user is signed in to the application, the app can access the user's email address. The app can also detect whether the current user is an administrator, making it easy to implement admin-only areas of the app.

More information is available on the Users API overview.