0
votes

We are trying to implement the authentication options outlined here:

https://cloud.google.com/endpoints/docs/authenticating-users

We are using Cloud Endpoints V2 and NOT implementing it using AppEngine, but rather through Container Engine with our own containers/pods.

If our understanding is correct, the flow is something like:

  1. User logs into app, let's say using auth2.com - a JWT Token is returned
  2. User calls a microservice endpoint passing the JWT Token
  3. The ESP validates the JWT Token using the endpoint defined - in this case it makes a call to auth2.com to verify the request
  4. If token is valid, request is proxied to backend server

Our question is - is our understanding correct? If so, does the ESP employ ANY form of caching, or does it validate each and every request through the proxy with auth2.com/authentication provider? If so, it seems that this would significantly increase throughput as one additional network request is added to every request.

Thanks in advance.

2 Answers

2
votes

There is a cache for JWT authentication results. I believe results are cached for 5 minutes, though this is subject to change.

0
votes

The validation of a JWT is a local operation (no need to talk to auth2.com to verify the token). The only information that ESP pulls from auth2.com is the public key that is used to validate the JWT.

The public key is cached for 5 minutes. The successful JWT authentication result is cached for 5 minutes or until the JWT expires.
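
The behaviour the two answers describe (a local signature check, the issuer's public key cached for 5 minutes, a successful result cached for 5 minutes or until the JWT expires), sketched as an added Python example. This is not ESP's code: `CachingValidator`, `fetch_key`, the injected `clock` and the single-issuer, RS256-only setup are assumptions made for illustration.

```python
import base64, hashlib, json, time

TTL = 300  # seconds: the 5-minute figure from the answers (assumed fixed here)
SHA256_DI = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def rs256_ok(msg, sig, key):
    """Local RSASSA-PKCS1-v1_5 / SHA-256 check; key is (n, e). No network."""
    n, e = key
    k = (n.bit_length() + 7) // 8
    t = SHA256_DI + hashlib.sha256(msg).digest()
    want = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == want

class CachingValidator:  # hypothetical name, models one configured issuer
    def __init__(self, issuer, fetch_key, clock=time.time):
        self.issuer, self.fetch_key, self.clock = issuer, fetch_key, clock
        self.key = None     # (public key, cached_until)
        self.results = {}   # token -> (claims, cached_until); unbounded in this sketch
        self.fetches = 0    # round trips to the issuer

    def _public_key(self, now):
        if not self.key or now >= self.key[1]:
            self.fetches += 1                     # the only call to the issuer
            self.key = (self.fetch_key(), now + TTL)
        return self.key[0]

    def validate(self, token):
        now = self.clock()
        hit = self.results.get(token)
        if hit and now < hit[1]:
            return hit[0]                         # cached success: no crypto, no network
        self.results.pop(token, None)             # drop a stale entry
        try:
            head, body, sig = token.split(".")
            alg = json.loads(b64d(head)).get("alg")
            claims = json.loads(b64d(body))
            iss, exp = claims.get("iss"), claims.get("exp")
            sig = b64d(sig)
        except (ValueError, AttributeError):
            return None
        if alg != "RS256" or iss != self.issuer or not isinstance(exp, (int, float)) or exp <= now:
            return None
        if not rs256_ok(f"{head}.{body}".encode(), sig, self._public_key(now)):
            return None
        self.results[token] = (claims, min(now + TTL, exp))  # 5 min or until exp
        return claims
```

With a fixed `clock`, repeated `validate()` calls leave `fetches` at 1 until the key entry ages out. In this model a key withdrawn at the issuer, or a token accepted once, stays trusted for up to `TTL` seconds.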