Is it possible to use Google authentication (i.e. service account) for custom API?

So we're building a RESTful service on Google Cloud running on GCE instances. This service is going to be consumed internally, i.e. by web servers. I'm thinking about securing this service using OAuth.

Instead of maintaining our own database of consumer keys/secrets though, is it possible to leverage what Google authentication already provides? So I'm envisioning the following:

  1. Web server authenticates with Google using a service account and gets some access token in response
  2. Web server makes a request to the REST service with this access token
  3. REST service validates this access token with Google, and only returns a valid response if the access token is validated

I couldn't find anything like this in the Google Cloud documentation, so I thought I'd throw it out here and see if SO knows better :)

Thanks!

Sinuosity answered 4/4, 2016 at 17:42

Comment (Stockbreeder): I'm not quite sure why you would need Google OAuth to validate internal inter-server communication. Wouldn't an IAM or IP-restrained approach work better and save on the additional load of token refreshes etc.? Is there some value you are looking to gain through re-using the service account key, perhaps as a single point of revocation or something like that?

For anyone coming across the question, you are probably after Identity Aware Proxy - https://cloud.google.com/iap/docs/authentication-howto

It will put a managed proxy in front of your service that requires OAuth2 with a Google Account to get through. It has both browser and programmatic flows.

It then passes through headers to your service that you can use to see who the user is and to verify they authenticated.

Graphemics answered 21/10, 2018 at 17:59

Comment (Hemihedral): This is a great feature of GCP indeed, but doesn't answer the question. Here we are talking about server-to-server authentication.

Comment (Graphemics): Ah, traffic within the network, yes I missed that. I think you could still stand up a Load Balancer with internal-only firewall rules and put IAP on that. I am not certain though, not a configuration I have used.

Comment (Simoneaux): IAP or Identity Aware Proxy is not intended for server-to-server communication but for end users accessing web-based services (versus using VPN connections).

Your use case is exactly what Google Cloud Endpoints will provide you:

  - authentication with service accounts
  - API metrics in the console

Cloud Endpoints is an API management system that helps you secure, monitor, analyze, and set quotas on your APIs using the same infrastructure Google uses for its own APIs. After you deploy your API to Cloud Endpoints, you can use the Cloud Endpoints Portal to create a developer portal, a website that users of your API can access to view documentation and interact with your API.

In the authentication section, you find the relevant documentation on how to secure using service accounts (other methods available).

Simoneaux answered 22/10, 2018 at 14:20

There are a few things to consider here.

First, we provide server to server authentication through OAuth, but this is for Google APIs.

Second, we provide Cloud Endpoints server-to-server authentication; however, this is for an API hosted on Cloud Endpoints and not a custom API hosted on your own GCE VM.

The thing I am trying to understand is what framework or code you are using on the VM end to process the OAuth. Who do you want to allow / disallow? You can't really not have any authentication code on your end, otherwise what's the point? Any service account can go through. How do you control the scope? How does the service account even know what scope to request? How does your API handle the authorization part? If you are making a full-blown API, you are better off using Cloud Endpoints because all the stuff I mentioned before will be handled on our end.

If you are designing a simple HTTP API that's basically a handler that processes GET/POST requests and spits out responses to your own service on Google Cloud, then you can simply set up secure service-to-service communication.

Ferland answered 25/10, 2018 at 13:42
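The following is an added example, not code from the question, any of the answers, or Google's libraries. It shows what step 3 of the asker's flow (the REST service validating a presented token) looks like on the resource-server side, and it answers the "who do you allow, how does your API handle authorization" points raised in the last answer by pinning the token's audience to the service's own URL and checking the caller against an allowlist of service-account emails. Two assumptions keep it runnable offline: the token is HS256-signed with a constructed shared key standing in for Google's RS256 signature (a real Google ID token would be verified against Google's published signing keys, for example with `google.oauth2.id_token.verify_oauth2_token` from the google-auth package), and all names (`mint_demo_token`, the `demo-project` service-account address, the `api.internal.example` audience) are made up for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Issuer values that real Google-issued ID tokens carry in their "iss" claim.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


class TokenRejected(Exception):
    """Raised when a bearer token fails any validation step."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the identity provider (hypothetical helper): build an
    HS256-signed JWT. A real Google ID token is RS256-signed by Google; this
    demo uses a shared HMAC key so it runs without network or key material."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def validate_bearer_token(token: str, secret: bytes, expected_audience: str,
                          allowed_accounts: set, now: float = None) -> dict:
    """Step 3 of the flow: the REST service checks the presented token.
    Returns the claims on success, raises TokenRejected otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("undecodable token")
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected signing algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):      # constant-time compare
        raise TokenRejected("signature mismatch")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenRejected("undecodable claims")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise TokenRejected("untrusted issuer")
    # Audience check: a token minted for some other service must not work here.
    if claims.get("aud") != expected_audience:
        raise TokenRejected("token was not minted for this service")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired")
    # Authorization: authentication alone lets any service account through.
    if not claims.get("email_verified") or claims.get("email") not in allowed_accounts:
        raise TokenRejected("caller not authorized")
    return claims


def run_demo() -> dict:
    """Constructed walk-through: one accepted token and several rejected ones."""
    secret = b"constructed-demo-key-not-for-production"
    service_url = "https://api.internal.example/"   # audience = this REST service
    allowed = {"web-frontend@demo-project.iam.gserviceaccount.com"}
    now = 1_700_000_000
    good = {"iss": "https://accounts.google.com", "aud": service_url,
            "email": "web-frontend@demo-project.iam.gserviceaccount.com",
            "email_verified": True, "iat": now, "exp": now + 3600}
    cases = {
        "valid": good,
        "expired": {**good, "exp": now - 1},
        "wrong_audience": {**good, "aud": "https://other-service.example/"},
        "unknown_account": {**good, "email": "stranger@demo-project.iam.gserviceaccount.com"},
    }
    results = {}
    for name, claims in cases.items():
        token = mint_demo_token(claims, secret)
        try:
            email = validate_bearer_token(token, secret, service_url, allowed, now)["email"]
            results[name] = "accepted:" + email
        except TokenRejected as err:
            results[name] = "rejected:" + str(err)
    # Tampering: swap the payload after signing, and the signature no longer matches.
    header_b64, _, sig_b64 = mint_demo_token(good, secret).split(".")
    forged = _b64url_encode(json.dumps({**good, "email": next(iter(allowed))}).encode())
    try:
        validate_bearer_token(f"{header_b64}.{forged}.{sig_b64}", secret, service_url, allowed, now)
        results["tampered"] = "accepted"
    except TokenRejected as err:
        results["tampered"] = "rejected:" + str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the allowlist and audience checks is the one the last answer makes: a valid Google signature only proves that some Google principal presented the token, so the service still needs its own rule for which accounts may call it and must refuse tokens issued for a different audience.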