This page describes how to support user authentication in API Gateway.
To authenticate a user, a client application must send aJSON Web Token (JWT) in the authorization header of theHTTP request to your backend API. API Gatewayvalidates the token on behalf of your API, so you don't have to add any code inyour API to process the authentication. However, you do need to configure theAPI config for your gateway to support your chosen authentication methods.
API Gateway validates a JWT in a performant way by using the JWTissuer's JSON Web Key Set (JWKS). The location of the JWKS is specified in the x-google-jwks_uri field of the gateway's API config. API Gateway caches the JWKS for fiveminutes and refreshes it every five minutes.
Before you begin
- Add authentication code to your client application, following the Firebase authentication documentation. Firebase supports authentication by using passwords,phone numbers, and popular federated identity providers like Google, Facebookand Twitter.
- When your client application sends an HTTP request, the authorization header inthe request must contain the following JWT claims:
iss(issuer)sub(subject)aud(audience)iat(issued at)exp(expiration time)
- When your client application sends an HTTP request, the authorization header inthe request must contain the following JWT claims:
Configuring API Gateway to support client authentication
You must have a securityrequirement object and a securitydefinitions object in your API config for API Gateway tovalidate the claims in the signed JWT.
To support Firebase authentication:
Add the following to the security definition in your API config, which follows the OpenAPI 2.0 security scheme:
securityDefinitions: firebase: authorizationUrl: "" flow: "implicit" type: "oauth2" # Replace YOUR-PROJECT-ID with your project ID x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID" x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com" x-google-audiences: "YOUR-PROJECT-ID"Add a security section at either the API level to apply to the entireAPI, or at the method level to apply to a specific method.
security: - firebase: []
You can define multiple security definitions in the API config, but eachdefinition must have a different issuer. If you use security sections at boththe API level and at the method level, the method-level settings override theAPI-level settings.
Making an authenticated call to an API Gateway API
When you send a request using an authentication token, werecommend that you put the token in the Authorization:Bearer header. Forexample:
curl --request POST \ --header "Authorization: Bearer ${TOKEN}" \ "${GATEWAY_URL}/echo"Here, GATEWAY_URL and TOKEN are environment variables containing yourdeployed gateway URL and authentication token, respectively. SeeMaking an authenticated request to an API Gateway API for sample code that sends a request using the Authorization:Bearer header.
If you cannot use the header when sending the request, you can put theauthentication token in a query parameter called access_token. For example:
curl "${GATEWAY_URL}/echo?access_token=${TOKEN}"Receiving authenticated results in your API
API Gateway usually forwards all headers it receives. However, it overrides theoriginal Authorization header when the backend address is specified byx-google-backend in the API config.
API Gateway will send the authentication result in the X-Apigateway-Api-Userinfoto the backend API. It is recommended to use this header instead of the originalAuthorization header. This header is base64url encoded and containsthe JWT payload.
What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-10 UTC.
[{ "type": "thumb-down", "id": "hardToUnderstand", "label":"Hard to understand" },{ "type": "thumb-down", "id": "incorrectInformationOrSampleCode", "label":"Incorrect information or sample code" },{ "type": "thumb-down", "id": "missingTheInformationSamplesINeed", "label":"Missing the information/samples I need" },{ "type": "thumb-down", "id": "otherDown", "label":"Other" }] [{ "type": "thumb-up", "id": "easyToUnderstand", "label":"Easy to understand" },{ "type": "thumb-up", "id": "solvedMyProblem", "label":"Solved my problem" },{ "type": "thumb-up", "id": "otherUp", "label":"Other" }]
