Google just announced the Application Default Credentials feature for Google Cloud Platform.
"When you write applications that run on Google Compute Engine instances, you might want to connect them to Google Cloud Storage, Google BigQuery, and other Google Cloud Platform services," writes Vijay Subramani, Technical Program Manager, Google Cloud Platform, in a blog post. "Those services use OAuth2, the global standard for authorization, to help ensure that only the right callers can make the right calls. Unfortunately, OAuth2 has traditionally been hard to use. It often requires specialized knowledge and a lot of boilerplate auth setup code just to make an initial API call."
The ADC feature is supposed to make things easier. Google says you'll only need one line of auth code in your app in many cases (Credential credential = GoogleCredential.getApplicationDefault();).
ADC takes all that complexity and packages it behind a single API call. Under the hood, it makes use of:
- 2-legged vs. 3-legged OAuth (2LO vs. 3LO) -- OAuth2 includes support for user-owned data, where the user, the API provider, and the application developer all need to participate in the authorization dance. Most Cloud APIs don't deal with user-owned data, and therefore can use much simpler two-party flows between the API provider and the application developer.
- gcloud CLI -- while you're developing and debugging your app, you probably already use the gcloud command-line tool to explore and manage Cloud Platform resources. ADC lets your application piggyback on the auth flows in gcloud, so you only have to set up your credentials once.
- service accounts -- if your application runs on Google App Engine or Google Compute Engine, it automatically has access to the built-in "service account", which helps the API provider trust that the API calls are coming from a trusted source. ADC lets your application benefit from that trust.
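Because ADC chooses a credential implicitly, it is worth checking which identity a host would actually hand to the application. The following added example (not from Google's post or libraries) reports that choice over constructed credential files. The GOOGLE_APPLICATION_CREDENTIALS variable, the gcloud file location and the lookup order come from Google's ADC documentation rather than this article, and the function names are hypothetical.

```python
import json
import tempfile
from pathlib import Path

ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"
# Where gcloud stores the shared credential on Linux/macOS (Windows: %APPDATA%\gcloud).
WELL_KNOWN = Path(".config/gcloud/application_default_credentials.json")

def describe_key_file(path):
    """Classify a credential file; secret fields are never returned."""
    try:
        data = json.loads(Path(path).read_text())
        kind = data.get("type", "unknown")
    except (OSError, ValueError, AttributeError):
        return {"kind": "unreadable", "identity": None}
    # service_account = two-legged key file; authorized_user = a person's gcloud login
    field = "client_email" if kind == "service_account" else "client_id"
    return {"kind": kind, "identity": data.get(field)}

def resolve_adc_source(env, home, on_platform=False):
    """Report which source ADC would use, following its lookup order."""
    explicit = env.get(ENV_VAR)
    if explicit:  # an explicit path wins; a bad path is an error, not a fall-through
        return {"source": "env", **describe_key_file(explicit)}
    well_known = Path(home) / WELL_KNOWN
    if well_known.is_file():
        return {"source": "gcloud", **describe_key_file(well_known)}
    if on_platform:  # App Engine / Compute Engine built-in service account
        return {"source": "platform", "kind": "service_account", "identity": "built-in"}
    return {"source": None, "kind": "none", "identity": None}

def demo():
    """Run the resolver over constructed credential files in a temp directory."""
    with tempfile.TemporaryDirectory() as home:
        key = Path(home) / "key.json"
        key.write_text(json.dumps({"type": "service_account", "private_key": "CONSTRUCTED",
                                   "client_email": "app@example-project.iam.gserviceaccount.com"}))
        results = [resolve_adc_source({}, home, on_platform=True)]  # clean server
        shared = Path(home) / WELL_KNOWN
        shared.parent.mkdir(parents=True)
        shared.write_text(json.dumps({"type": "authorized_user", "client_id": "constructed-id",
                                      "refresh_token": "CONSTRUCTED"}))
        results.append(resolve_adc_source({}, home, on_platform=True))  # gcloud login shadows it
        results.append(resolve_adc_source({ENV_VAR: str(key)}, home))   # env var shadows both
        results.append(resolve_adc_source({ENV_VAR: str(key) + ".missing"}, home))
        return results

if __name__ == "__main__": print(*demo(), sep="\n")
```

A result of "gcloud" or "env" on a production host means a stored user login or key file is taking precedence over the built-in service account, which is usually a finding to clean up.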
The new feature is available for Java, Python, Node.js, Ruby, and Go. Google says libraries for PHP and .NET are in development.