Cloud Endpoints Frameworks supports multiple authentication methods that are suited to different applications and use cases. Endpoints Frameworks uses the authentication method that you have specified in your annotation to validate incoming requests before passing them to your API backend. This document provides an overview and sample use cases for each supported authentication method.
An API key is a simple encrypted string that identifies a Google Cloud Platform (GCP) project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the Google Cloud Platform Console and embeds that key in every call to your API as a query parameter.
If you specify an API key requirement in your annotation, Endpoints Frameworks uses the API key to look up the GCP project that the API key is associated with. Endpoints Frameworks rejects requests unless the API key was generated in your GCP project or within other GCP projects in which your API has been enabled. For more information, see Restricting API access with API keys
Unlike credentials that use short-lived tokens or signed requests and are sent in the request header, clients send an API key as a query parameter. Even though query parameters get encrypted in HTTPS, API keys aren't secure. For example, some servers might store the entire URL of each request in clear text in a server log. For security reasons, don't use API keys by themselves when API calls contain user data. You can use API keys in addition to one of the following authentication methods.
For best practices on securing and adding restrictions to API keys, see Using API keys. Although "Using API keys" is targeted for clients using Google APIs, the best practices are applicable to APIs that you create using Endpoints Frameworks.
If you want to use Endpoints features such as quotas, each request must pass in an API key so that Endpoints can identify the GCP project that the client application is associated with.
For more information about API keys, see Why and when to use API keys.
Firebase authentication provides backend services, SDKs, and libraries to authenticate users to a mobile or web app. It authenticates users using a variety of credentials such as Google, Facebook, Twitter, or GitHub.
The Firebase client library signs a JSON Web Token (JWT) with
a private key after the user has successfully signed in.
Endpoints Frameworks validates that the JWT was signed by Firebase and
that the "iss" (issuer) claim
in the JWT, which identifies your Firebase application, matches the
setting in the annotation.
Because Firebase authentication integrates tightly with other Firebase services, it is well-suited for mobile or web apps that use Firebase. See Authenticating with Firebase Auth.
Auth0 authenticates and authorizes apps and APIs regardless of identity provider, platform, stack, and device.
Auth0 supports a large number of providers and the Security Assertion Markup Language specification. It provides backend services, SDKs, and user interface libraries for authenticating users in web and mobile apps. Auth0 integrates with several third-party identity providers and also provides custom user account management.
The client library provided by Auth0 generates and signs a JWT once the user has
signed in. Endpoints Frameworks validates the JWT was signed by Auth0
and that the "iss" claim in the JWT, which identifies your Auth0 application,
issuer setting in the annotation.
Auth0 is well-suited for consumer and enterprise web and mobile apps. For more information, see Authenticating with Auth0.
Google ID token authentication
Authentication using a Google ID
token lets users
authenticate by signing in with a Google Account. Once authenticated, the user
has access to all Google services. You can use Google ID tokens to make calls to
Google APIs and APIs that you have implemented using
Endpoints Frameworks. Endpoints Frameworks validates the
Google ID token using the public key and
ensures that the "iss" claim in the JWT is
Authentication using a Google ID token is recommended when all users have Google accounts. You might choose to use Google ID token authentication, for example, if your API accompanies G Suite Applications (for example, a Google Drive companion). Google ID token authentication lets users authenticate by signing in with a Google Account. Once authenticated, the user has access to all Google services.
For more information, see Authenticating with Google ID tokens.
JWTs and service accounts
A JSON Web Token (JWT) is commonly used to share claims or assertions between connected applications. A JWT representing a service account can be signed either by:
The service account.
Google's authorization service. (A JWT signed by Google's authorization service is referred to as a Google ID token.)
Authenticating a request using a JWT signed by a service account might be easier
to implement, but if you have a large number of service accounts, or if you want
to accept credentials from service accounts you don't own, using a Google ID
token is recommended because you only need to whitelist
accounts.google.com as an issuer for all
JWTs and service accounts are well-suited for microservices. For more information, see Authenticating with a service account.