How to set up custom user authentication with Google Cloud Endpoints

3
votes

I am trying to understand how to use Cloud Endpoints with custom authentication. From the docs I understand that it starts from the securityDefinitions:

securityDefinitions:
    your_custom_auth_id:
      authorizationUrl: ""
      flow: "implicit"
      type: "oauth2"
      # The value below should be unique
      x-google-issuer: "issuer of the token"
      x-google-jwks_uri: "url to the public key"
      # Optional. Replace YOUR-CLIENT-ID with your client ID
      x-google-audiences: "YOUR-CLIENT-ID"

This is how I understand the flow:

  1. API consumer sends a request with a JWT token in the header
  2. ESP validates this token using the authorizationUrl
  3. The request is forwarded or ESP returns an error.

My questions:

  • Is the flow above correct?

  • How should the authorizationUrl be implemented. How does the request look, what response should be return in case of success or failure

  • What about this values? x-google-issuer: "issuer of the token" x-google-jwks_uri: "url to the public key" x-google-audiences: "YOUR-CLIENT-ID"

1
google-cloud-endpoints

1 Answers

1
votes

Configuring Custom Authentication for Endpoints

To configure custom authentication for Endpoints (and according to the OpenAPI v2 spec), you need two pieces:

  1. Define your custom authentication scheme in the securityDefinitions section of the spec
  2. Apply your custom authentication scheme (defined in #1) to the entire api or to specific operations using the security field.

The Google Cloud Endpoints docs describe this here.

OpenAPI Spec's SecurityDefinitions

Some fields in the SecurityDefinitions section of the OpenAPI spec are for the API producer, and some are for the API consumer.

The following fields are for the API producer and tell Endpoints how to validate the access tokens that accompany API requests:

  • type: "oauth2"
  • x-google-issuer: "issuer of the token"
  • x-google-jwks_uri: "url to the public key"
  • x-google-audiences: "YOUR-CLIENT-ID"

These fields are specified by the API producer and tell the consumer how to get a valid access token:

  • authorizationUrl
  • flow

Re:Your Questions

  1. Correct. Here is documentation on how the consumer should send the access token with the request
  2. ESP validates the access token using the public keys specified in the x-google-jwks_uri property of the spec and ensures that the issuer of the token matches the issuer specified in the securityDefinition's x-google-issuer field.
  3. Correct.

Regarding your questions, the authorizationUrl should be set up by the OAuth2 provider you are using. That url should allow the consumer to execute the implicit OAuth2 flow to get an access token. All you need to do is specify this