Cloud Endpoints supports multiple authentication methods that are suited to different applications and use cases. The Extensible Service Proxy (ESP) uses the authentication method that you have specified in your service configuration to validate incoming requests before passing them to your API backend. This document provides an overview and sample use cases for each supported authentication method.
An API key is a simple encrypted string that identifies a Google Cloud Platform (GCP) project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the GCP Console and embeds that key in every call to your API as a query parameter.
If you specify an API key requirement in your service configuration, ESP uses the API key to look up the GCP project that the API key is associated with. ESP rejects requests unless the API key was generated in your GCP project or within other GCP projects in which your API has been enabled. For more information, see Restricting API Access with API Keys
Unlike credentials that use short-live tokens or signed requests, API keys are a part of the request and are therefore considered to be vulnerable to man in the middle attacks and therefore less secure. You can use API keys in addition to one of the authentication methods described below. For security reasons, do not use API keys by themselves when API calls contain user data.
If you want to use Endpoints features such as quotas, each request must pass in an API key so that Endpoints can identify the GCP project that the client application is associated with.
For more information about API keys, see Why and When to Use API Keys.
Firebase Authentication provides backend services, SDKs, and libraries to authenticate users to a mobile or web app. It authenticates users using a variety of credentials such as Google, Facebook, Twitter, or GitHub.
The Firebase client library signs a JSON Web Token (JWT)
with a private key after the user has successfully signed in. ESP validates that
the JWT was signed by Firebase and that the "iss" (issuer) claim in the JWT,
which identifies your Firebase application, matches the
in the service configuration.
Firebase should be used when the API calls involve any user data and the API is intended to be used in flows where the user has an user interface for example, from mobile and web apps. For more information, see the Firebase tab in Authenticating Users.
Auth0 authenticates and authorizes apps and APIs regardless of identity provider, platform, stack and device.
Auth0 supports a large number of providers and the Security Assertion Markup Language specification. It provides backend services, SDKs and user interface libraries for authenticating users in web and mobile apps. Auth0 integrates with several third-party identity providers and also provides custom user account management.
The client library provided by Auth0 generates and signs a JWT once the user
has signed in. ESP validates the JWT was signed by Auth0 and that the "iss"
claim in the JWT, which identifies your Auth0 application, matches the
x-google-issuer setting in the service configuration.
Auth0 is well suited for consumer and enterprise web and mobile apps. For more information, see the Auth0 tab in Authenticating Users.
Google ID token authentication
Authentication using a Google ID
token allows users to authenticate
by signing in with a Google account. Once authenticated, the user has access to
all Google services. You can use Google ID tokens to make calls to Google APIs
and Cloud Endpoints APIs. ESP validates the Google ID token using the public key
and ensures that the "iss" claim in the JWT is
Authentication using a Google ID token is recommended when all users have Google accounts. You might choose to use Google ID token authentication, for example, if your API accompanies Google Apps (for example, a Google Drive companion). Google ID token authentication allows users to authenticate by signing in with a Google account. Once authenticated, the user has access to all Google services.
For more information, see the Google ID token tab in Authenticating Users.
JWTs and service accounts
JSON Web Tokens, or JWT, are commonly used to share claims or assertions between connected applications. A JWT representing a service account can be signed either by:
The service account.
Google's authorization service. (A JWT signed by Google's authorization service is referred to as a Google ID token.)
Authenticating a request using a JWT signed by a service account might be easier
to implement, but if you have a large number of service accounts, or if you want
to accept credentials from service accounts you don't own, using a Google ID
token is recommended because you only need to whitelist
https://accounts.google.com as an
x-google-issuer for all service accounts.
JWTs and service accounts are well suited for microservices. For more information, see Authentication Between Services.
You can use other authentication platforms to authenticate users as long as it conforms to the JSON Web Token RFC 7519.
For more information, see the Custom tab in Authenticating Users.