2
votes

The Google Cloud Endpoints documentation provides this specification for a custom security definition in the Extensible Service Proxy configuration file:

securityDefinitions:
    your_custom_auth_id:
        authorizationUrl: ""
        flow: "implicit"
        type: "oauth2"
        # The value below should be unique
        x-google-issuer: "issuer of the token"
        x-google-jwks_uri: "url to the public key"
        # Optional. Replace YOUR-CLIENT-ID with your client ID
        x-google-audiences: "YOUR-CLIENT-ID"

The documentation on how to implement this is very sparse for App Engine Flexible. Does anyone have an example of how to set this up or can they attest that it's possible? In particular, what is the interface for authorizationUrl? Can we place the URL of our authorization service (that provides the JWT tokens being verified by the Extensible Service Proxy) so that the endpoint will redirect to it if the token is invalid in authorizationUrl?

1 Answer

1
votes

You are correct. 'authorizationUrl' is an OpenAPI Swagger-specific annotation which points to the URL endpoint of your login form that is used by the client to retrieve the actual JWT (JSON Web Token).

Once the client retrieves the JWT from your App Engine application after logging in, they can then use it to authorize their requests to your Cloud Endpoint APIs.


Your Node.js App Engine application would use any JWT signing library to generate the JWT (auth0 offers their own in many languages).

To generate the token, you would supply the standard 'JWT' and hashing headers, add in your specific User object JSON payload (as this token should be unique to this specific user), along with your secret/public key.

The JWT library should also automatically provide the required JWT claims while generating it; just ensure you supply the issuer used by the library and your secret/public key in your 'openapi.yaml' as 'x-google-issuer' and 'x-google-jwks_uri'.


You can follow the JWT.io guide to learn more about how to generate and use a JWT. You can also follow the specific App Engine Flexible guide to code your application to handle JWT.
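The following is an added example, not code from the question, the answer or the Endpoints documentation. It shows how the three `x-google-*` fields line up with a token: the auth service signs with its private key, only the public key goes into the document served at `x-google-jwks_uri`, and the `iss` and `aud` claims must equal `x-google-issuer` and `x-google-audiences`. It uses Node's built-in `crypto` instead of a JWT library; `ISSUER`, `KID`, the function names and the simplified `verifyToken` check are assumptions for illustration.

```javascript
const crypto = require("node:crypto");

// Assumed values: they must equal x-google-issuer / x-google-audiences in openapi.yaml.
const ISSUER = "https://auth.example.com";
const AUDIENCE = "YOUR-CLIENT-ID";
const KID = "demo-key-1"; // hypothetical key id
// Constructed key pair, generated at load time for this demo only.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Auth-service side: the token is signed with the PRIVATE key, which never leaves the service.
function issueToken(sub, ttlSeconds = 3600, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: "RS256", typ: "JWT", kid: KID };
  const claims = { iss: ISSUER, aud: AUDIENCE, sub, iat: now, exp: now + ttlSeconds };
  const signingInput = `${b64url(header)}.${b64url(claims)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Document to serve at x-google-jwks_uri: PUBLIC key material only (kty, n, e).
function jwksDocument() {
  return { keys: [{ ...publicKey.export({ format: "jwk" }), kid: KID, alg: "RS256", use: "sig" }] };
}

// Simplified stand-in for the proxy's checks: pinned alg, kid lookup, signature, iss, aud, exp.
function verifyToken(token, jwks, now = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = token.split(".");
  if (parts.length !== 3) return fail("malformed");
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString());
    claims = JSON.parse(Buffer.from(p, "base64url").toString());
  } catch { return fail("malformed"); }
  if (header.alg !== "RS256") return fail("alg"); // never trust the token's own alg choice
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return fail("unknown kid");
  const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
  const sigOk = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
  if (!sigOk) return fail("signature");
  if (claims.iss !== ISSUER) return fail("iss");
  if (![].concat(claims.aud).includes(AUDIENCE)) return fail("aud");
  if (typeof claims.exp !== "number" || claims.exp <= now) return fail("expired");
  return { ok: true, claims };
}
```

A token that fails any of these checks is rejected at the proxy, so a mismatch between the issuer string in the token and the one in `openapi.yaml` shows up as every request being refused.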