Provide personalized long lived Personal Access Tokens to clients


Alexandru Gogan

Jan 31, 2022, 7:55:41 AM
to Google Cloud Endpoints
Hey everyone, 

Is there a preferred approach to issue a Personal Access Token (with scopes) to a client and then be used to authenticate successfully with Cloud Endpoints? I understand that scopes as part of a JWT is a current limitation. Tokens generated using Firebase Authentication have an expiry of 1 hr, which I'd like to increase to 1 year.
The intended use is to provide a custom "token" with scopes to check to a client. So far we've defaulted to issuing a separate API key for each client that wants to get access to our API (which has no personalized content/resources available).
The intended developer experience should be similar to GitHub, with a user logging into GitHub, obtaining a new PAT and being able to specify that token as part of each API request made.

All the best from Toronto, 
Alex

Wayne Zhang

Jan 31, 2022, 12:23:26 PM
to Alexandru Gogan, Google Cloud Endpoints
Token expiration is set by the token generator; try to see if you can change Firebase to generate one with a 1-year expiration. ESP can verify a JWT with any expiration. That said, it is not recommended to increase token expiration, in case the token is stolen.


Alexandru Gogan

Jan 31, 2022, 10:46:58 PM
to Google Cloud Endpoints
Thanks for your response. I believe all tokens within the Google environment have a maximum expiration of 1 hour. Is there any other recommended approach that would allow my users to create "apps" with a single credential they can use to make API requests?

Wayne Zhang

Feb 1, 2022, 12:04:50 PM
to Alexandru Gogan, Google Cloud Endpoints
If you don't worry about spoofing, e.g. if you use SSL, then can you use a cookie, or just an HTTP header, to carry your credentials?
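
An added example, not part of the thread and not ESP or Firebase behaviour: one way an API backend could issue a one-year scoped token, accept it in an HTTP header, and limit the stolen-token risk raised above by storing only a hash and supporting revocation. The `pat_` prefix, the in-memory `_store`, the scope names and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

YEAR = 365 * 24 * 3600
PREFIX = "pat_"   # hypothetical prefix; makes leaked tokens easy to scan for
_store = {}       # token_id -> record; stands in for a database table

def _digest(secret):
    # High-entropy random secrets need only a fast hash, not a password KDF.
    return hashlib.sha256(secret.encode()).hexdigest()

def issue(owner, scopes, ttl=YEAR, now=None):
    """Create a token; the plaintext is returned once and never stored."""
    now = time.time() if now is None else now
    token_id = secrets.token_hex(8)       # public lookup key
    secret = secrets.token_urlsafe(32)    # 256 bits of randomness
    _store[token_id] = {"owner": owner, "scopes": frozenset(scopes),
                        "hash": _digest(secret), "expires": now + ttl,
                        "revoked": False}
    return f"{PREFIX}{token_id}_{secret}"

def revoke(token):
    """Mark a token unusable, e.g. after a suspected leak."""
    token_id = token[len(PREFIX):].split("_", 1)[0]
    if token_id in _store:
        _store[token_id]["revoked"] = True

def authorize(headers, required_scope, now=None):
    """Return the owner if the bearer token grants required_scope, else None."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.startswith(PREFIX):
        return None
    token_id, sep, secret = token[len(PREFIX):].partition("_")
    rec = _store.get(token_id)
    if not sep or rec is None:
        return None
    # Compare hashes in constant time to avoid a timing side channel.
    if not hmac.compare_digest(rec["hash"], _digest(secret)):
        return None
    if rec["revoked"] or now >= rec["expires"]:
        return None
    return rec["owner"] if required_scope in rec["scopes"] else None
```
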
