 

Is it possible to use google authentication (i.e. service account) for custom API?

So we're building a RESTful service on Google Cloud running on GCE instances. This service is going to be consumed internally, i.e. by web servers. I'm thinking about securing this service using OAuth.

Instead of maintaining our own database of consumer keys/secrets though, is it possible to leverage what Google authentication already provides? So I'm envisioning the following:

  1. Web server authenticates with Google using a service account and gets some access token in response
  2. Web server makes a request to the REST service with this access token
  3. REST service validates this access token with Google, and only returns a valid response if the access token is validated

I couldn't find anything like this in the Google Cloud documentation, so I thought I'd throw it out here and see if SO knows better :)

Thanks!

the1plummie asked Apr 04 '16 17:04


3 Answers

For anyone coming across the question, you are probably after Identity Aware Proxy - https://cloud.google.com/iap/docs/authentication-howto

It will put a managed proxy in front of your service that requires OAuth2 with a Google Account to get through. It has both browser and programmatic flows.

It then passes headers through to your service that you can use to see who the user is and to verify that they authenticated.

Chris Sainty answered Nov 13 '22 08:11


Your use case is exactly what Google Cloud Endpoints will provide you:

  - authentication with service accounts
  - API metrics in the console

Cloud Endpoints is an API management system that helps you secure, monitor, analyze, and set quotas on your APIs using the same infrastructure Google uses for its own APIs. After you deploy your API to Cloud Endpoints, you can use the Cloud Endpoints Portal to create a developer portal, a website that users of your API can access to view documentation and interact with your API.

In the authentication section, you find the relevant documentation on how to secure using service accounts (other methods available).

koma answered Nov 13 '22 07:11


There are a few things to consider here.

First, we provide server-to-server authentication through OAuth, but this is for Google APIs.

Second, we provide Cloud Endpoints server-to-server authentication; however, this is for an API hosted on Cloud Endpoints and not a custom API hosted on your own GCE VM.

The thing I am trying to understand is what framework or code you are using on the VM end to process the OAuth. Who do you want to allow / disallow? You can't really not have any authentication code on your end, otherwise what's the point? Any service account can go through. How do you control the scope? How does the service account even know what scope to request? How does your API handle the authorization part? If you are making a full-blown API, you are better off using Cloud Endpoints because all the stuff I mentioned before will be handled on our end.

If you are designing a simple HTTP API that's basically a handler that processes GET/POST requests and spits out responses to your own service on Google Cloud, then you can simply set up secure service-to-service communication.

Ying Li answered Nov 13 '22 07:11
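The service-to-service flow the question sketches, worked through for a custom API on GCE, as an added example that is not code from any of the posters: the calling VM fetches a Google-signed OpenID Connect ID token for its service account from the metadata server (`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=<API URL>`), and the REST service verifies that token itself against Google's published public keys (https://www.googleapis.com/oauth2/v3/certs) rather than calling back to Google on every request. This also answers the "who do you allow, and how do you control scope" questions above: the audience binds the token to this one API, and an allowlist of service-account emails decides who may call it. The key pair, the `kid`, the API URL and the service-account emails below are constructed test data standing in for Google's signing key and real identities, and the token is minted locally instead of being fetched from the metadata server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// The claims the REST service checks in a Google-issued service-account ID token.
type idTokenClaims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Exp           int64  `json:"exp"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// verifier is the REST service side. In production keys is loaded from Google's JWKS
// endpoint and refreshed per its Cache-Control header; here it holds a local test key.
type verifier struct {
	keys     map[string]*rsa.PublicKey // kid -> public key
	audience string                    // this API's URL; tokens minted for another service are rejected
	allowed  map[string]bool           // service-account emails permitted to call this API
}

func decodePart(seg string, dst any) error { // base64url + JSON decode of one JWT segment
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, dst)
}

// verify checks the signature first, then issuer, audience, expiry and caller identity.
func (v *verifier) verify(token string) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	key, ok := v.keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok { // never let the token pick the algorithm or an unknown key
		return nil, fmt.Errorf("unacceptable header alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c idTokenClaims // claims are only trusted now that the signature has been checked
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com":
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != v.audience:
		return nil, fmt.Errorf("token minted for %q, not for this service", c.Aud)
	case time.Now().Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case !c.EmailVerified || !v.allowed[c.Email]:
		return nil, fmt.Errorf("caller %q is not on the allowlist", c.Email)
	}
	return &c, nil
}

// mintToken stands in for the ID token a GCE web server fetches from its metadata server;
// here the token is constructed locally with a test key (constructed test data).
func mintToken(priv *rsa.PrivateKey, kid string, c idTokenClaims) string {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + enc.EncodeToString(sig)
}

type outcome struct{ Good, WrongAudience, UnknownCaller, ForgedKey error }

// runScenario verifies one valid token and three that must be rejected. Every name is hypothetical.
func runScenario() outcome {
	googleKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // plays Google's signing key
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a key Google never published
	const kid, caller = "test-kid-1", "web@my-project.iam.gserviceaccount.com"
	v := &verifier{
		keys:     map[string]*rsa.PublicKey{kid: &googleKey.PublicKey},
		audience: "https://api.internal.example.com",
		allowed:  map[string]bool{caller: true},
	}
	try := func(priv *rsa.PrivateKey, aud, email string) error {
		_, err := v.verify(mintToken(priv, kid, idTokenClaims{Iss: "https://accounts.google.com",
			Aud: aud, Exp: time.Now().Add(time.Hour).Unix(), Email: email, EmailVerified: true}))
		return err
	}
	return outcome{
		Good:          try(googleKey, v.audience, caller),
		WrongAudience: try(googleKey, "https://other-service.example.com", caller),
		UnknownCaller: try(googleKey, v.audience, "batch@my-project.iam.gserviceaccount.com"),
		ForgedKey:     try(attackerKey, v.audience, caller), // trusted kid, but not Google's key
	}
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

The order inside `verify` is the point: the algorithm is pinned and the signature is checked before any claim is read, the audience check stops a token that some other service legitimately received from being replayed against this API, and the allowlist is the authorization step that Ying Li notes cannot be skipped. In production you would use a maintained library for this (for Go, `Validate` in google.golang.org/api/idtoken, which fetches and caches Google's certificates); the hand-rolled verifier shows what such a library has to do.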