This page describes how to support user authentication in API Gateway.
To authenticate a user, a client application must send aJSON Web Token (JWT) in the authorization header of theHTTP request to your backend API. API Gatewayvalidates the token on behalf of your API, so you don't have to add any code inyour API to process the authentication. However, you do need to configure theAPI config for your gateway to support your chosen authentication methods.
API Gateway validates a JWT in a performant way by using the JWTissuer's JSON Web Key Set (JWKS). The location of the JWKS is specified in the x-google-jwks_uri
field of the gateway's API config. API Gateway caches the JWKS for fiveminutes and refreshes it every five minutes.
Before you begin
- Add authentication code to your client application, following theauthentication provider's documentation.
- When your client application sends an HTTP request, the authorization header inthe request must contain the following JWT claims:
iss
(issuer)sub
(subject)aud
(audience)iat
(issued at)exp
(expiration time)
Configuring API Gateway to support client authentication
You must have a securityrequirement object and a securitydefinitions object in your API config for API Gateway tovalidate the claims in the signed JWT.
To support JWT authentication:
Add the following to the security definition in your API config, which follows the OpenAPI 2.0 security scheme:
securityDefinitions: your_custom_auth_id: authorizationUrl: "" flow: "implicit" type: "oauth2" # The value below should be unique x-google-issuer: "issuer of the token" x-google-jwks_uri: "url to the public key" # Optional. Replace YOUR-CLIENT-ID with your client ID x-google-audiences: "YOUR-CLIENT-ID"
Add a security section at either the API level to apply to the entireAPI, or at the method level to apply to a specific method.
security: - your_custom_auth_id: []
You can define multiple security definitions in the API config, but eachdefinition must have a different issuer. If you use security sections at boththe API level and at the method level, the method-level settings override theAPI-level settings.
The x-google-audiences
field is not required. API Gatewayaccepts all JWTs with the backend service name in the form ofhttps://SERVICE_NAME
in the aud
claim.
To allow additional client IDs to access the backend service, you can specify theallowed client IDs in the x-google-audiences
field by usingcomma-separated values. API Gateway then accepts the JWTs with any of thespecified client IDs in the aud
claim.
The x-google-jwks_uri
field is required.API Gateway supports two asymmetric public key formats definedby the x-google-jwks_uri
OpenAPI extension:
- JWK set format.For example:
x-google-jwks_uri: "https://YOUR_ACCOUNT_NAME.YOUR_AUTH_PROVIDER_URL/.well-known/jwks.json"
- X509. For example:
x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
If you are using a symmetric key format, set x-google-jwks_uri
tothe URI of a file that contains the base64url-encoded key string.
Making an authenticated call to an API Gateway API
When you send a request using an authentication token, werecommend that you put the token in the Authorization:Bearer
header. Forexample:
curl --request POST \ --header "Authorization: Bearer ${TOKEN}" \ "${GATEWAY_URL}/echo"
Here, GATEWAY_URL
and TOKEN
are environment variables containing yourdeployed gateway URL and authentication token, respectively. SeeMaking an authenticated request to an API Gateway API for sample code that sends a request using the Authorization:Bearer
header.
If you cannot use the header when sending the request, you can put theauthentication token in a query parameter called access_token
. For example:
curl "${GATEWAY_URL}/echo?access_token=${TOKEN}"
Receiving authenticated results in your API
API Gateway usually forwards all headers it receives. However, it overrides theoriginal Authorization
header when the backend address is specified byx-google-backend
in the API config.
API Gateway will send the authentication result in the X-Apigateway-Api-Userinfo
to the backend API. It is recommended to use this header instead of the originalAuthorization
header. This header is base64url
encoded and containsthe JWT payload.