Authenticating Users

This page describes how to add support in your API for user authentication from client applications using Cloud Endpoints Frameworks. Note that Android and Javascript clients are currently supported.

Cloud Endpoints Frameworks supports user authentication from client apps that use any of the following methodologies:

No matter which authentication method you use, in each API method where you want to check for proper authentication, you must check for a valid User as described in the following sections:

Prerequisites

This page assumes that you have already:

Authenticating with Firebase Auth

To support calls from clients that use Firebase Auth:

  1. If you haven't already done so, create a Firebase project. Firebase projects are Google Cloud Platform Console (GCP) projects that use Firebase services. For more information, see What is a Firebase project? and the Firebase documentation.

  2. Add the following to your @Api or method annotation:

    • Add an authenticators param to your annotation, set to the value {EspAuthenticator.class}.
    • Add an issuers param containing an @ApiIssuer set to Firebase.
    • Add an issuerAudiences param containing an @ApiIssuerAudience set to Firebase and your project ID.

    For example:

    @Api(
        name = "echo",
        version = "v1",
        authenticators = {EspAuthenticator.class},
        issuers = {
            @ApiIssuer(
                name = "firebase",
                issuer = "https://securetoken.google.com/YOUR-PROJECT-ID",
                jwksUri = "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com")
        },
        issuerAudiences = {
            @ApiIssuerAudience(name = "firebase", audiences = "YOUR-PROJECT-ID")
        })
    
    • Replace both instances of YOUR-PROJECT-ID with your Firebase project ID.
    • Replace echo with the name of your API.
    • Replace v1 with your API version.
  3. In your API implementation code, import Users:

    import com.google.api.server.spi.auth.common.User;
    
  4. In each API method where you want to check for proper authentication, check for a valid User and throw an exception if there isn't one, as shown in this sample method definition:

    @ApiMethod(httpMethod = ApiMethod.HttpMethod.GET)
    public Email getUserEmail(User user) throws UnauthorizedException {
      if (user == null) {
        throw new UnauthorizedException("Invalid credentials");
      }
    
      Email response = new Email();
      response.setEmail(user.getEmail());
      return response;
    }
    
  5. Deploy the API. You need to redeploy the API whenever you add new clients.

Adding Firebase authentication to a client

You can add Firebase authentication to your code as described in the Firebase documentation. The client must have a Google Cloud Platform project associated with it, and the project ID must be listed in the API's Firebase issuer configuration as shown in the above tabs.

Authenticating with Auth0

To support calls from clients that use Auth0:

  1. Add the following to your @Api or method annotation:

    • Add an authenticators param to your annotation, set to the value {EspAuthenticator.class}.
    • Add an issuers param containing an @ApiIssuer set to Auth0.
    • Add an issuerAudiences param containing an @ApiIssuerAudience set to Auth0 and your Auth0 client ID.

    For example:

    @Api(
        name = "echo",
        version = "v1",
        authenticators = {EspAuthenticator.class},
        issuers = {
            @ApiIssuer(
                name = "auth0",
                issuer = "https://YOUR-ACCOUNT-NAME.auth0.com/",
                jwksUri = "https://YOUR-ACCOUNT-NAME.auth0.com/.well-known/jwks.json")
         },
         issuerAudiences = {
             @ApiIssuerAudience(name = "auth0", audiences = "AUTH0-CLIENT-ID")
        })
    

    Replace YOUR-ACCOUNT-NAME with the Auth0 account name used for the client, replace AUTH0-CLIENT-ID with the ID you want to use for your client, replace echo with the name of your API, and replace v1 with your API version.

  2. In your API implementation code, import Users:

    import com.google.api.server.spi.auth.common.User;
    
  3. In each API method where you want to check for proper authentication, check for a valid User and throw an exception if there isn't one, as shown in this sample method definition:

    @ApiMethod(httpMethod = ApiMethod.HttpMethod.GET)
    public Email getUserEmail(User user) throws UnauthorizedException {
      if (user == null) {
        throw new UnauthorizedException("Invalid credentials");
      }
    
      Email response = new Email();
      response.setEmail(user.getEmail());
      return response;
    }
    
  4. Deploy the API. You need to redeploy the API whenever you add new clients.

Adding Auth0 authentication to a client

You can add Auth0 authentication to your code as described in the Auth0 documentation. The client must be listed in the API's Auth0 issuer configuration as shown in the above tabs.

Authenticating with Google ID tokens

To support calls from clients that authenticate using Google ID tokens:

  1. Obtain an OAuth 2 client ID for each client app. The client app owner must generate the client ID from the Google Cloud Platform Console. For instructions, see [Creating OAuth 2.0 Client IDs] (/endpoints/docs/frameworks/java/creating-client-ids#Creating_OAuth_20_client_IDs).

  2. Add a clientIds entry containing the client ID for each client app you are granting access to, and an audiences entry as well for each Android client, in your @Api annotation. For example:

    @Api(
       name = "echo",
       version = "v1",
       clientIds = {"YOUR-CLIENT-ID"},
       audiences = {"YOUR-CLIENT-ID"}
    )
    

    Replace YOUR-CLIENT-ID with the OAuth 2 client ID that was generated in the client app project. Replace echo with your API name, and v1 with your API version.

  3. In your API implementation code, import Users:

    import com.google.api.server.spi.auth.common.User;
    
  4. In each API method where you want to check for proper authentication, check for a valid User and throw an exception if there isn't one, as shown in this sample method definition:

    @ApiMethod(httpMethod = ApiMethod.HttpMethod.GET)
    public Email getUserEmail(User user) throws UnauthorizedException {
      if (user == null) {
        throw new UnauthorizedException("Invalid credentials");
      }
    
      Email response = new Email();
      response.setEmail(user.getEmail());
      return response;
    }
    
  5. Deploy the API. You need to redeploy the API whenever you add new clients.

Adding Google ID tokens authentication to a client

For information on adding authentication code to clients, see the following:

Sending a JWT in your client

If you use a JWT in your client to send authenticated requests to the API, the JWT must be in the authorization header of a HTTP request. The JWT should have the following required claims:

  • iss
  • sub
  • aud
  • iat
  • exp

Further reading

For background information about user authentication and how it differs from API key authorization, see When and Why to use API Keys.

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Endpoints Frameworks for App Engine
Need help? Visit our support page.