OAuth Overview in GCP – OAuth Consent Screen and OAuth Client ID
also read OAuth basics
Human users (of an app) vs. the App itself as a user
It is important to distinguish human users (people logging in to the app) from the app itself. The app needs to pass valid credentials to GCP in order to call the various APIs. These app credentials are also OAuth-based (typically authorization tokens), but keep the difference between these two 'user types' in mind.
User Credentials - OAuth as an evolution of Forms Based Logins
Now that we understand the two types of users (humans vs. apps), let us talk about human users. In the past, human users were authenticated using a local mechanism (e.g. forms-based or Windows AD-integrated authentication).
To move away from a local solution to a centralized authentication solution, the OAuth (and OpenID) protocols were the natural evolution away from forms-based (username and password) mechanisms.
OAuth 2.0 allows users to share data with an application while keeping their usernames, passwords, and other information private.
GCP and OAuth Consent Screen for Human Users
The simplest way to configure OAuth for users in GCP is via the APIs and Credentials menu.
Step 1 - Pick the OAuth Consent Screen option and fill in the app name.
Step 2 - Create an OAuth Client ID (and callback URL). This is used by the calling client to a) correctly identify a user as belonging to a specific app and b) redirect users once they have been authenticated (accepted the consent screen).
Other Notables - OAuth Requires an Authorization Server
When you are using GCP's OAuth, Google acts as your auth provider and hence serves as your Authorization Server (i.e. a Google server is your Auth Server).
OAuth Types
There are different types of tokens (grants) that are part of OAuth. The four types are:
- Access Tokens aka Authorization Grant
- Implicit Grant
- Password Grant
- Client Credentials Grant
Authorization grant aka Access Token
The key aspect of this grant is that it includes metadata about the resources that are being granted access to (the protected resources). The authorization server provides a client ID and a server URL.
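The following example is added here to show how the Client ID and callback URL from Step 2 are used in the authorization-code grant, and how the resource metadata (the granted scopes) comes back in the token response. It is not code from the original post. The two endpoint URLs are Google's public OAuth 2.0 endpoints; the client ID, redirect URI, scopes and the token response are constructed sample values, and no network call is made. PKCE and the `state` parameter are included as standard hardening for this flow, although the post does not mention them.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 endpoints (the "server URL" the authorization server provides).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Build the URL the browser is sent to; Google shows the consent screen there."""
    params = {
        "client_id": client_id,           # identifies the app (Step 2)
        "redirect_uri": redirect_uri,     # must match the registered callback URL exactly
        "response_type": "code",          # authorization-code grant
        "scope": " ".join(scopes),        # the protected resources being requested
        "state": state,                   # bound to the user's session, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state, registered_redirect_uri):
    """Validate the redirect back to the app and return the authorization code."""
    parsed = urlparse(callback_url)
    base = parsed._replace(query="", fragment="").geturl()
    if base != registered_redirect_uri:
        raise ValueError("callback arrived at an unregistered redirect URI")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: the callback is not tied to this session")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri, code_verifier):
    """Form body the app POSTs to GOOGLE_TOKEN_ENDPOINT (app credentials, not the user's)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def check_token_response(token_response, required_scopes):
    """Verify the grant actually covers the resources the app needs; return granted scopes."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    if int(token_response.get("expires_in", 0)) <= 0:
        raise ValueError("token already expired or expiry missing")
    granted = set(token_response.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        raise ValueError(f"user did not grant required scopes: {sorted(missing)}")
    return sorted(granted)


def demo():
    """Walk the flow end to end with constructed values; returns the granted scopes."""
    client_id = "CLIENT_ID.apps.googleusercontent.com"      # placeholder, not a real ID
    client_secret = "CLIENT_SECRET_PLACEHOLDER"
    redirect_uri = "https://app.example.com/oauth/callback"  # constructed callback URL
    scopes = ["openid", "email"]
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()

    url = build_authorization_url(client_id, redirect_uri, scopes, state, challenge)
    assert url.startswith(GOOGLE_AUTH_ENDPOINT)

    # Simulated redirect from Google after the user accepts the consent screen.
    callback = f"{redirect_uri}?state={state}&code=4%2Fconstructed-code"
    code = parse_callback(callback, state, redirect_uri)
    _request_body = build_token_request(code, client_id, client_secret, redirect_uri, verifier)

    # Constructed stand-in for the JSON Google returns from the token endpoint.
    token_response = {"access_token": "ya29.constructed", "token_type": "Bearer",
                      "expires_in": 3599, "scope": "openid email"}
    return check_token_response(token_response, scopes)


if __name__ == "__main__":
    print(demo())
```

The exact-match check on the redirect URI and the `state` comparison are the two checks that tie the Client ID and callback URL from Step 2 to a specific browser session; the scope check at the end is where the "metadata about the resources" in the grant is actually enforced by the app rather than assumed.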