3
votes

In order to authenticate with Cloud Endpoints for OpenAPI, I have to construct a Python requests session using google-auth as follows:

    import google.auth.jwt
    from google.auth.transport.requests import AuthorizedSession

    # Self-signed JWT: the service account key signs a token whose audience is the API.
    creds = google.auth.jwt.Credentials.from_service_account_file(
        creds_path, audience=my_audience)
    session = AuthorizedSession(creds)

But when I want to authenticate to a Cloud Function, I have to do it a little different:

    import google.oauth2.service_account
    from google.auth.transport.requests import AuthorizedSession

    # OIDC ID token: the service account key signs an assertion that is exchanged
    # with Google's token endpoint for an ID token whose audience is the function URL.
    creds = google.oauth2.service_account.IDTokenCredentials.from_service_account_file(
        creds_path, target_audience=function_url)
    session = AuthorizedSession(creds)

And all that is when I use a service account file, such as when running from my local machine, or on GKE. But when it's used on App Engine, there's another variant:

Calling Cloud Endpoints -

    import google.auth
    import google.auth.jwt
    from google.auth.transport.requests import AuthorizedSession

    # Application default credentials supply the signer; no key file is needed.
    bootstrap_creds, _ = google.auth.default()
    creds = google.auth.jwt.Credentials.from_signing_credentials(bootstrap_creds, my_audience)
    session = AuthorizedSession(creds)

Calling Cloud Function --

    import google.auth
    import google.oauth2.service_account
    from google.auth.transport.requests import AuthorizedSession

    IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
    OAUTH_TOKEN_URI = 'https://www.googleapis.com/oauth2/v4/token'
    # The default credentials provide the signer and the service account email
    # that IDTokenCredentials needs to build the assertion for the token endpoint.
    bootstrap_credentials, _ = google.auth.default(scopes=[IAM_SCOPE])
    signer_email = bootstrap_credentials.service_account_email
    signer = bootstrap_credentials.signer
    creds = google.oauth2.service_account.IDTokenCredentials(
        signer, signer_email, token_uri=OAUTH_TOKEN_URI, target_audience=function_url)
    session = AuthorizedSession(creds)

Why is there a difference, and what does it mean?

1

(In your examples) Cloud Endpoints is using an OAuth Access Token, Cloud Functions is using an OAuth Identity Token. Access Tokens are the standard HTTP Authorization Bearer Token method. Identity Tokens are the new method that some services are implementing. Take a look at Google OIDC (Open ID Connect) to learn more.

John Hanley

1 Answer

3
votes
  1. In Cloud Endpoints, when you use google.auth.jwt.Credentials to authenticate a user, a client application sends a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. There are two components to the token, a public and a private string. The private string is used when signing the request, and is never sent across the wire. The Extensible Service Proxy (ESP) validates the token for your API, so you don't add any code in your API to process the authentication. Those access tokens are not intended to carry information about the user. They simply allow access to certain defined server resources. Endpoints uses plain OAuth 2.

  2. In Cloud Functions, when you use google.oauth2.service_account.IDTokenCredentials to authenticate, it uses an OAuth2 ID token. An ID Token is a token granted by the OpenID Provider that contains information about the End-User, in this situation about the service account. This information tells the client application that the user is authenticated, and can also give information like their username. You can pass an ID Token around different components of your client, and these components can use the ID Token to confirm that the user is authenticated and also to retrieve information about them. Functions uses the more advanced OpenID Connect.

If you want to know more about OAuth:

  1. Differences between OAuth 1 and 2.
  2. OpenID Connect.
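The two credential classes in the question mint differently shaped tokens, and the receiving side has to check them differently. The following is an added example, not code from the question, the answer, or google-auth: it builds a claim set shaped like each token and runs the checks a verifier performs (signature, expiry, audience) before classifying the token by its issuer. `DEMO_KEY`, `SA_EMAIL`, `ENDPOINTS_AUD`, `FUNCTION_URL` and the claim values are constructed, and HS256 with a shared key stands in for the RS256 verification that ESP and Google's libraries do against the issuer's published public keys.

```python
import base64
import hashlib
import hmac
import json

# Demo key only: real Google tokens are RS256-signed and verified against the issuer's published keys.
DEMO_KEY = b"constructed-demo-key"
SA_EMAIL = "caller@example-project.iam.gserviceaccount.com"  # constructed
ENDPOINTS_AUD = "my-api.endpoints.example-project.cloud.goog"  # constructed
FUNCTION_URL = "https://us-central1-example-project.cloudfunctions.net/fn"  # constructed
NOW = 1_700_000_000  # fixed clock so the checks are deterministic

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    # Stands in for the signer behind each credential class in the question.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str, expected_aud: str, now: int = NOW) -> dict:
    # What the receiving service checks before trusting any claim in the token.
    header, payload, sig = token.split(".")
    expect = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["aud"] != expected_aud:  # a token minted for Endpoints must not open the Function
        raise ValueError("audience mismatch")
    return claims

def token_kind(claims: dict) -> str:
    # Self-signed JWT: the service account is its own issuer. ID token: Google is the issuer.
    if claims["iss"] == "https://accounts.google.com" and claims.get("email_verified"):
        return "oidc_id_token"
    if claims["iss"] == claims.get("sub") and claims["iss"].endswith(".gserviceaccount.com"):
        return "self_signed_jwt"
    return "unknown"
# Claim sets shaped as each credential class produces them (all values constructed).
SELF_SIGNED = make_token({"iss": SA_EMAIL, "sub": SA_EMAIL, "aud": ENDPOINTS_AUD,
                          "iat": NOW - 60, "exp": NOW + 3600})
ID_TOKEN = make_token({"iss": "https://accounts.google.com", "sub": "100000000000000000001",
                       "email": SA_EMAIL, "email_verified": True, "aud": FUNCTION_URL, "exp": NOW + 3600})
```

Calling `verify(SELF_SIGNED, FUNCTION_URL)` raises an audience mismatch: the token issued for Endpoints is useless against the Function even though it is validly signed.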