Looking for more details on auth model for push notification receiver


Matt Yandek

Jun 15, 2017, 10:55:52 AM
to Google Cloud Pub/Sub Discussions
Hi,

I am looking at standing up a service (not using app engine) to receive push notifications, but I'd like to understand more about how authentication between Google and the receiver service works.  The only information I was able to find is this, which states:

Configuring HTTP Endpoints
 
You need a publicly accessible HTTPS server to handle POST requests in order to receive push messages. The server must present a valid SSL certificate signed by a certificate authority and routable by DNS. You also need to validate that you own the domain (or have equivalent access to the endpoint). Finally, you must register the endpoint domain with the GCP project. Note that these steps are considerably simplified on App Engine, where SSL certificates are provided and verification requirements can be relaxed.


This implies that we are using SSL for authentication but I need more details.  Is this using mutual authentication using a client (in our case Google) certificate?  How can we validate that incoming requests are indeed coming from Google?  Any further details that you could provide would be very helpful.


Thanks,

Matt

Yannick (Cloud Platform Support)

Jun 15, 2017, 3:14:06 PM
to Google Cloud Pub/Sub Discussions
Hey Matt. Authentication works the same across the platform and works by having the clients authenticate using a user account that has been granted the proper roles and permissions. Read the Authentication Getting Started guide to understand how service account key authentication works.

Once properly authenticated you can make calls to the Pub/Sub service using one of the Pub/Sub APIs.

Yannick (Cloud Platform Support)

Jun 15, 2017, 3:33:42 PM
to Google Cloud Pub/Sub Discussions
Ah actually someone corrected me, I had misread your question. There is no built-in method to authenticate requests sent to your endpoint as coming from Google at the moment. The recommended workaround is that you integrate a secret request token to your endpoint configuration and only accept messages from requests that contain this secret token.

This Stack Overflow thread gives a basic example implementation.
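
A minimal sketch of the secret-token workaround described in the reply above, added here as an illustration and not taken from the thread or from Google's documentation. It assumes the push endpoint URL carries a `token` query parameter; `handle_push`, `sample_body`, `EXPECTED_TOKEN` and the sample envelope values are hypothetical and constructed for this example.

```python
import base64
import hmac
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample secret; in practice load it from a secret store.
EXPECTED_TOKEN = "example-token-not-a-real-secret"


def handle_push(request_target, body, expected_token=EXPECTED_TOKEN):
    """Return (http_status, decoded_payload_or_None) for one push POST."""
    query = parse_qs(urlsplit(request_target).query)
    supplied = query.get("token", [])
    # Exactly one token parameter; missing or duplicated values are rejected.
    if len(supplied) != 1:
        return 403, None
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(supplied[0].encode(), expected_token.encode()):
        return 403, None
    # Parse the body only after the token check has passed.
    try:
        envelope = json.loads(body)
        payload = base64.b64decode(envelope["message"]["data"], validate=True)
    except (ValueError, KeyError, TypeError):
        return 400, None
    return 204, payload  # a 2xx status acknowledges the message


def sample_body(data):
    # Constructed push envelope in the shape Pub/Sub posts to push endpoints.
    return json.dumps({
        "message": {"data": base64.b64encode(data).decode(), "messageId": "1"},
        "subscription": "projects/example-project/subscriptions/example-sub",
    }).encode()


if __name__ == "__main__":
    good = "/push?token=" + EXPECTED_TOKEN
    print(handle_push(good, sample_body(b"hello")))
    print(handle_push("/push?token=wrong", sample_body(b"hello")))
    print(handle_push("/push", sample_body(b"hello")))
```

Because the token travels in the URL, keep request URLs out of access logs and rotate the token by updating the subscription's push endpoint.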

Matt Yandek

Jun 20, 2017, 8:54:30 AM
to Google Cloud Pub/Sub Discussions
Thanks, Yannick.  Is there any plan to make improvements that you can discuss?

Yannick (Cloud Platform Support)

Jun 20, 2017, 10:48:11 AM
to Google Cloud Pub/Sub Discussions
I do not have any announcements to make regarding future features of Cloud Pub/Sub. If you have ideas on how it could be improved you are welcome to create a Feature Request on the Issue Tracker.