4
votes

We would like to implement an analytical tool with the aid of the BigQuery and Cloud Storage services. The tool should run on App Engine and expose a REST interface so that all requests go through that interface and are subsequently forwarded to BigQuery. Authorizing access to BigQuery should be based on the App Engine service account (App Identity API). However, we also need to authenticate the tool's clients. The client is always another app or service, so OAuth 2.0 and web-browser-based authentication are not acceptable for us. Is there a way we can implement such authentication and somehow bind it to the BigQuery and Cloud Storage ACLs?

Consider the following situation. A client has been given a Google account in our domain. It sends a request to our REST interface and provides credentials (email and password) along with other details. The tool authenticates the client and sends a request on its behalf to BigQuery (or Cloud Storage). If the client tries to access a dataset (BigQuery) or bucket/object (Cloud Storage) without the correct permission (set by means of the BigQuery/Cloud Storage ACL), access is forbidden.

1
Please explain "the client": You say: a) The client is always another app.... And b) A client has been given a Google account in our domain. – voscausa

Well, we suppose that it is possible to create a Google Account under our domain and use the account credentials (email, password) to authenticate a client (an application). However, we may be wrong and may have to implement authentication on our own (e.g. by means of Spring Security). We are thinking about Google Accounts primarily due to their connection to ACLs. – Nathan

1 Answer

2
votes

I think we all need more details for this one. How are you issuing the credentials to the clients? Do you expect the operators of the client to know a username/password on your domain to authenticate the client to your service?

One option might be to issue the client an OAuth 2.0 refresh token, and they put that refresh token into their app configuration (securely), or you automatically bundle it as they download the app. Refresh tokens are valid indefinitely unless revoked.

Then pass the OAuth 2.0 refresh token straight through the app engine app and onto BigQuery/Google Cloud Storage. All ACLs (which client has permission to what) can then be handled natively in Cloud Storage/BigQuery.

You could also have them get the tokens themselves in a web browser, provided they have credentials. They'll only need to do this a single time when setting up the application, and the token will be stored by the app. More information in the guide on using OAuth 2.0 for installed applications: https://developers.google.com/accounts/docs/OAuth2InstalledApp
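The following is an added example, not code from the answer's author, showing the exchange the answer describes from the App Engine side: the app holds a client's OAuth 2.0 refresh token, swaps it for a short-lived access token at Google's token endpoint, and forwards the BigQuery call with that token so BigQuery's own dataset ACL decides whether the client is allowed in. The token endpoint and BigQuery base URL are Google's real ones; the client id, client secret, refresh token, project and dataset names are placeholders, and `demo_offline` drives the flow against a constructed token response so it runs without network access.

```python
import json
import urllib.parse
import urllib.request

# Google's OAuth 2.0 token endpoint and the BigQuery v2 REST base URL (real).
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
BIGQUERY_API = "https://bigquery.googleapis.com/bigquery/v2"


def build_refresh_request(client_id, client_secret, refresh_token):
    """Build the POST that swaps a long-lived refresh token for a short-lived access token.

    Returns (url, body_bytes, headers). The refresh token itself never goes to
    BigQuery; only the derived, expiring access token does.
    """
    params = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    body = urllib.parse.urlencode(params).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, body, headers


def parse_token_response(raw):
    """Parse the token endpoint's JSON reply; raise if the refresh token was rejected."""
    data = json.loads(raw)
    if "error" in data:
        # e.g. {"error": "invalid_grant"} once the refresh token has been revoked:
        # treat the client as unauthenticated rather than retrying blindly.
        raise PermissionError(f"token refresh failed: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return data["access_token"], int(data["expires_in"])


def bigquery_dataset_request(access_token, project_id, dataset_id):
    """Forward the call to BigQuery as the client, so BigQuery's ACL makes the decision."""
    url = f"{BIGQUERY_API}/projects/{project_id}/datasets/{dataset_id}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


def classify_bigquery_status(status):
    """Map BigQuery's HTTP status onto the outcome the REST front end reports back."""
    if status == 200:
        return "allowed"
    if status in (401, 403):
        return "forbidden"  # the dataset ACL denied this client
    if status == 404:
        return "not-found"
    return "error"


def exchange_refresh_token(client_id, client_secret, refresh_token,
                           opener=urllib.request.urlopen):
    """Perform the refresh exchange; `opener` is injectable so it can be tested offline."""
    url, body, headers = build_refresh_request(client_id, client_secret, refresh_token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return parse_token_response(resp.read())


class _ConstructedTokenResponse:
    """Stand-in for the HTTP response object, used only for the offline demo."""
    def __init__(self, payload):
        self._payload = json.dumps(payload).encode()

    def read(self):
        return self._payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def demo_offline():
    """Run the exchange against a constructed reply; returns (access_token, expires_in)."""
    def fake_opener(req):
        # Sanity-check what would have gone over the wire to the token endpoint.
        assert req.get_method() == "POST"
        assert b"grant_type=refresh_token" in req.data
        return _ConstructedTokenResponse(
            {"access_token": "ya29.constructed-token", "expires_in": 3600, "token_type": "Bearer"})
    return exchange_refresh_token("client-id-placeholder", "client-secret-placeholder",
                                  "refresh-token-placeholder", opener=fake_opener)


if __name__ == "__main__":
    token, ttl = demo_offline()
    req = bigquery_dataset_request(token, "project-placeholder", "dataset-placeholder")
    print(req.full_url, req.get_header("Authorization"), ttl)
```

The design point is that the front end never handles a client's password: it stores one revocable refresh token per client, obtains access tokens on demand, and relies on BigQuery's 403 to enforce the ACL, so revoking a client means revoking its token rather than changing anything in the app.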