I'm looking for a standard OAuth 2.0 approach for service-type users authenticating to APIs hosted in a GCP environment with secrets. The closest I got is service accounts with key pairs. However, I would like to avoid updating the ESP config each time a new service account is added (like in the example below).
```yaml
securityDefinitions:
  service-1:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "[email protected]"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"
  service-2:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "[email protected]"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"
  # should be possible to leave the addition of service-X to the end client without needing to update this.
```
EDIT: I've tried using Identity Platform, and the ESP config won't need updating when new users are added:
```yaml
securityDefinitions:
  auth0:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/{google-project-ID}"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]"
    x-google-audiences: "{google-project-ID}"
```
However, email/password is not an option for my case, and GCP Identity Platform doesn't seem to support users with secrets, unless I'm missing something?
It would also be good to have a possibility to add custom claims against users, which would remove a need to maintain the permissions table within the API code.
Apigee has all the required functionality; however, it seems to be an expensive over-complication for my project needs.
The Identity-Aware Proxy provides the functionality for my use case. When adding the service account, just set the IAP-secured Web App User and it will have access to a secured resource. Google doc here.
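Why the per-account config has to change for every new caller, as an added example that is not part of the original post: a simplified, offline model of how ESP matches a bearer JWT against `securityDefinitions` (issuer, expiry and audience only; RS256 signature checking against the JWKS is not modelled). The project, service-account names and tokens are constructed placeholders, and the default audience of "the service name" is an assumption about ESP's behaviour.

```python
import base64
import json
from typing import Optional

# Constructed stand-ins for the two securityDefinitions styles in the question
# (not the poster's real project or service-account names), as dicts so no PyYAML is needed.
PER_ACCOUNT = {
    "service-1": {"x-google-issuer": "sa-1@example-project.iam.gserviceaccount.com"},
    "service-2": {"x-google-issuer": "sa-2@example-project.iam.gserviceaccount.com"},
}
SINGLE_ISSUER = {
    "identity-platform": {
        "x-google-issuer": "https://securetoken.google.com/example-project",
        "x-google-audiences": "example-project",
    },
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_test_jwt(claims: dict) -> str:
    # Constructed header.payload with an empty signature segment; verifying the
    # RS256 signature against x-google-jwks_uri is ESP's job and is out of scope here.
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def matching_definition(defs: dict, token: str, service_name: str, now: float) -> Optional[str]:
    """Simplified model of ESP's JWT matching: return the name of the securityDefinition
    that accepts the token, or None. A definition matches when its x-google-issuer equals
    the token's iss, the token has not expired at `now`, and one of the token's aud values
    is listed in x-google-audiences (assumed default: the API's service name)."""
    claims = decode_claims(token)
    if claims.get("exp", 0) <= now:
        return None
    auds = claims.get("aud", [])
    auds = auds if isinstance(auds, list) else [auds]
    for name, definition in defs.items():
        if claims.get("iss") != definition["x-google-issuer"]:
            continue
        allowed = definition.get("x-google-audiences", service_name).split(",")
        if any(aud in allowed for aud in auds):
            return name
    return None
```

A token from a third service account (`sa-3`) finds no matching issuer under `PER_ACCOUNT` until a `service-3` entry is deployed, whereas any new Identity Platform user is accepted by the single `securetoken.google.com` definition.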