
I'm looking for a standard OAuth 2.0 approach for service-type users authenticating with secrets to APIs hosted in a GCP environment. The closest I got is service accounts with key pairs.

However I would like to avoid updating ESP config each time a new service account is added (like in the example below).

```yaml
securityDefinitions:
  service-1:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "service-1@example-project-12345.iam.gserviceaccount.com"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/service-1@example-project-12345.iam.gserviceaccount.com"
  service-2:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "service-2@example-project-12345.iam.gserviceaccount.com"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/service-2@example-project-12345.iam.gserviceaccount.com"

  # should be possible to leave the addition of service-X to the end client without needing to update this.
```

EDIT: I've tried using Identity Platform, and the ESP config won't need updating when new users are added:

```yaml
securityDefinitions:
  auth0:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/{google-project-ID}"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "{google-project-ID}"
```

However, email/password is not an option for my case, and GCP Identity Platform doesn't seem to support users with secrets, unless I'm missing something?

It would also be good to have the possibility to add custom claims to users, which would remove the need to maintain a permissions table within the API code.

Apigee has all the required functionality; however, it seems to be an expensive over-complication for my project's needs.

Alex M
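As an added illustration (not code from the question or from Google's ESP), this Python sketch mirrors how the securityDefinitions above are consulted: the token's `iss` must equal some `x-google-issuer`, then `aud` is checked, which is why a token from a new service-3 account is rejected until the config gains a matching entry, while the single Identity Platform issuer covers every user of the project. Project id, service name and the audience fallback are assumptions, and signature verification against the JWKS is left out.

```python
import base64
import json

# Constructed stand-in for the question's securityDefinitions: ESP picks the definition
# whose x-google-issuer equals the token's "iss" claim. Project id and service name are
# placeholders; the audience default is an assumption (ESP falls back to the service name).
SECURITY_DEFINITIONS = {
    "service-1": {"x-google-issuer": "service-1@example-project-12345.iam.gserviceaccount.com"},
    "service-2": {"x-google-issuer": "service-2@example-project-12345.iam.gserviceaccount.com"},
    # The Identity Platform definition from the EDIT: one issuer covers every user of the project.
    "identity-platform": {
        "x-google-issuer": "https://securetoken.google.com/example-project-12345",
        "x-google-audiences": "example-project-12345",
    },
}
SERVICE_NAME = "api.example-project-12345.cloud.goog"  # placeholder ESP service name

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with an empty signature (constructed test input only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def route_token(token: str, definitions=SECURITY_DEFINITIONS, service=SERVICE_NAME):
    """Mimic ESP's issuer/audience selection: returns (definition name or None, outcome)."""
    claims = decode_claims(token)
    auds = claims.get("aud", [])
    auds = auds if isinstance(auds, list) else [auds]
    for name, definition in definitions.items():
        if definition["x-google-issuer"] != claims.get("iss"):
            continue
        allowed = definition.get("x-google-audiences", service).split(",")
        if not any(a in allowed for a in auds):
            return name, "audience-mismatch"
        # A real gateway also verifies the signature against the issuer's x-google-jwks_uri.
        return name, "accepted"
    return None, "unknown-issuer"
```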
  • Identity Platform allows users to [authenticate](https://cloud.google.com/identity-platform/docs/concepts-authentication) to your apps and services, like multi-tenant SaaS apps, mobile/web apps, games, APIs and more. You can explore [Authentication strategies](https://cloud.google.com/docs/authentication#strategies). To create a user, you might need to explore G Suite, which is similar to Azure AD. Can you explain the question with your use cases? – Hasanul Murad Oct 02 '20 at 21:34
  • I need to create users with secrets (and preferably have a possibility to add claims) rather than with emails/passwords. – Alex M Oct 03 '20 at 20:19
  • You can create secret using GCP [Secret Manager](https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#create) – Hasanul Murad Oct 06 '20 at 21:34
  • How will one use a secret from `Secret Manager` with user's OAuth authentication? – Alex M Oct 07 '20 at 08:11
  • It seems the feature is currently not available. I would suggest you file an issue using the [public issue tracker](https://cloud.google.com/support/docs/issue-trackers#trackers-list) – Hasanul Murad Oct 10 '20 at 00:26

1 Answer


The Identity-Aware Proxy provides the functionality for my use case. When adding the service account, just set the IAP-secured Web App User and it will have access to the secured resource. Google doc here


Alex M