Prerequisites
This page assumes that you have already:
Configuring authentication
To authenticate with a service account:
-
Add the following to your
@Apior method annotation:- Add an
authenticatorsparameter to your annotation, set to the value{EspAuthenticator.class}. - Add an
issuersparameter containing an@ApiIssuer. - Add an
issuerAudiencesparameter containing an@ApiIssuerAudienceset to the service account issuer and your audience.
For example:
@Api( name = " echo ", version = " v1 ", authenticators = {EspAuthenticator.class}, issuers = { @ApiIssuer( name = "serviceAccount", issuer = " YOUR_SERVICE_ACCOUNT_EMAIL ", jwksUri = "https://www.googleapis.com/robot/v1/metadata/x509/ YOUR_SERVICE_ACCOUNT_EMAIL ") }, issuerAudiences = { @ApiIssuerAudience(name = "serviceAccount", audiences = " YOUR_AUDIENCE ") })
- Replace
echowith the name of your API. - Replace
v1with your API version. - Replace
YOUR_SERVICE_ACCOUNT_EMAILwith your service account email. - Replace
YOUR_AUDIENCEwith the value in theaudfield sent by the calling service.
- Add an
-
In your API implementation code, import
Users:import com.google.api.server.spi.auth.common.User ; -
In each API method where you want to check for proper authentication, check for a valid
Userand throw an exception if there isn't one, as shown in this sample method definition:@ApiMethod ( httpMethod = ApiMethod . HttpMethod . GET ) public Email getUserEmail ( User user ) throws UnauthorizedException { if ( user == null ) { throw new UnauthorizedException ( "Invalid credentials" ); } Email response = new Email (); response . setEmail ( user . getEmail ()); return response ; } -
Deploy the API . You need to redeploy the API whenever you add new clients.
