Create Cloud Endpoint credential with Android Google Sign-In - google-cloud-endpoints

The following article from Google shows how to create a credential object for interacting with a Google Cloud Endpoints service, using the older account chooser.
https://cloud.google.com/appengine/docs/java/endpoints/consume_android
However, if you are using Google Sign-In, linked below, how do you create the necessary credential object to build the Google Cloud Endpoints Service?
https://cloud.google.com/appengine/docs/java/endpoints/consume_android

Related

What API restriction do I have to whitelist in order to use Firebase Cloud Messaging?

I am currently using Firebase in an iOS app with the Flutter framework.
The default Google Cloud API key created by Firebase has unrestricted access to APIs, so I want to restrict it to certain APIs that my app uses for security reasons.
However, after making API restrictions, almost all Firebase-related components work fine, but the app does not seem to be able to get the Firebase Cloud Messaging token (e.g. the FirebaseMessaging.getToken() call fails). The app is supposed to retrieve this token and send it to the backend server so that the server can send FCM messages, but when this call is made, it just hangs for a while and returns null.
When my app key has unrestricted access to APIs, it retrieves the FCM token fine, but as soon as I restrict it, it fails to retrieve the token.
I currently have whitelisted the following APIs for the Firebase iOS App Key:
Identity Toolkit API
Token Service API
Firebase Remote Config API
Firebase Dynamic Links API
FCM Registration API
Firebase Cloud Messaging API
I have gone through the rest of the API list and the other APIs do not seem to be related to Firebase Cloud Messaging at all, so I did not select anything else, and I am stuck. Has anyone else encountered this problem when they tried to restrict a Firebase API key?
(I am attaching the full API permission list below.)
App Engine Admin API
BigQuery API
BigQuery Storage API
Cloud Build API
Cloud Datastore API
Cloud Debugger API
Cloud Deployment Manager V2 API
Cloud DNS API
Cloud Firestore API
Cloud Functions API
Cloud Logging API
Cloud Messaging
Cloud Monitoring API
Cloud OS Login API
Cloud Pub/Sub API
Cloud Resource Manager API
Cloud Run API
Cloud Runtime Configuration API
Cloud Scheduler API
Cloud Source Repositories API
Cloud SQL
Cloud SQL Admin API
Cloud Storage
Cloud Tasks API
Cloud Testing API
Cloud Trace API
Compute Engine API
Container Registry API
FCM Registration API
Firebase App Distribution API
Firebase Cloud Messaging API
Firebase Dynamic Links API
Firebase Extensions API
Firebase Hosting API
Firebase Installations API
Firebase Management API
Firebase Mods API
Firebase Remote Config API
Firebase Rules API
Google Cloud APIs
Google Cloud Storage JSON API
Google Play Android Developer API
IAM Service Account Credentials API
Identity and Access Management (IAM) API
Identity Toolkit API
Kubernetes Engine API
Legacy Cloud Source Repositories API
Maps Embed API
Maps JavaScript API
Maps SDK for Android
Maps SDK for iOS
Maps Static API
Mobile Crash Reporting API
Service Management API
Service Usage API
Stackdriver API
Street View Publish API
Street View Static API
Token Service API
You have to additionally white-list the Firebase Installations API.
Details can be found here:
https://github.com/firebase/firebase-android-sdk/blob/master/firebase-installations/API_KEY_RESTRICTIONS.md

How to integrate a google service account in a firebase project directly?

I am trying to integrate a Google service account into a Firebase project for a web application.
How can I integrate it into the Firebase project directly (on the backend) so that I can use APIs without an API key?
By using Firebase in your project, you get access to a set of client-side APIs that you can use directly in your application without needing to include the Google Service Account. Most Firebase products rely on a separate user-authentication mechanism, and their own server-side security rules language to control what data each user has access to. So there should be no need to include the Google Service Account credentials in your application code.
If you have a specific Google API for which no Firebase SDK exists, you can call that API from something like Cloud Functions. In Cloud Functions you can securely use your service account, and then expose just the required functionality to your application code.

Login for Google Cloud Endpoints portal page without Google account

I have found the tutorial Using Firebase to authenticate users that explains how to authenticate users with Firebase to access different services.
However I haven't found how to enable Firebase login for the whole Google Cloud Endpoints portal page (like for example https://endpointsportal.ourproject.cloud.goog/).
How can I achieve this?
I think the only identity supported today is GCP, meaning Cloud Endpoints Portal doesn't support third-party sign-in. You can use Firebase to authenticate against the API, but not to log into the portal.

generating access token in Cloud Functions for service-service auth

I am trying to establish service-service authentication between Cloud Functions and Cloud Endpoints.
I am trying to send an HTTP request inside a Firebase Cloud Function to my API running on Google App Engine and managed by Google Cloud Endpoints.
As stated in the Google docs, the service account that Firebase Cloud Functions uses is ____#cloudservices.gserviceaccount.com
I added that issuer in the security definition of my OpenAPI config (Cloud Endpoints). However, I could not find a way to create an access token in Cloud Functions for that service account.
How can I generate an access token in Cloud Functions to authenticate itself to Cloud Endpoints? How am I supposed to sign the JWT on cloud functions to request an access token?
Use Application Default Credentials.

Authentication Issue : Google Cloud Endpoints with Firebase

We have implemented Firebase Google Authentication with Google Cloud Endpoints in our APIs. The code is working fine with all the APIs of our project.
But we are also using the Picker API JavaScript Library: https://developers.google.com/picker/docs/ .
So when we attach any document from our drive, the Picker API prompts the Google sign-in once again, which is not done via Firebase but is the default one provided by the Picker API. The token returned for the same user via this Picker API is not the same as the ID token returned by the Firebase login. This makes the login not able to verify this user.
We are using this token to verify the Firebase one:
user = google.oauth2.id_token.verify_firebase_token(id_token, HTTP_REQUEST)
This gives us a 401 Unauthorized Error and our logs read the following:
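
A diagnostic for the mismatch described above, added here as an example and not part of the original post: it reads a token's unverified claims to tell a Firebase ID token from a Google-issued ID token or an opaque OAuth access token, which is useful before handing the value to `verify_firebase_token`. The function names, the project ID `demo-project` and the sample tokens are constructed for illustration.

```python
import base64
import json

FIREBASE_ISS_PREFIX = "https://securetoken.google.com/"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def classify_token(token, firebase_project_id):
    """Report what kind of credential `token` is WITHOUT verifying its signature.

    Diagnostic only: use the result to explain a 401, never to authorize.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "not-a-jwt"  # e.g. an opaque OAuth 2.0 access token
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "not-a-jwt"
    if not isinstance(claims, dict):
        return "not-a-jwt"
    iss, aud = claims.get("iss"), claims.get("aud")
    if not isinstance(iss, str):
        return "unknown-issuer"
    if iss == FIREBASE_ISS_PREFIX + firebase_project_id and aud == firebase_project_id:
        return "firebase-id-token"
    if iss.startswith(FIREBASE_ISS_PREFIX):
        return "firebase-id-token-for-another-project"
    if iss in GOOGLE_ISSUERS:
        return "google-id-token"
    return "unknown-issuer"


def make_unsigned_sample(claims):
    """Build a constructed, unsigned JWT-shaped string (sample input only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    project = "demo-project"  # hypothetical project ID
    samples = {
        "firebase": make_unsigned_sample({"iss": FIREBASE_ISS_PREFIX + project, "aud": project}),
        "google": make_unsigned_sample({"iss": "https://accounts.google.com", "aud": "constructed-client-id"}),
        "opaque": "constructed-opaque-access-token",
    }
    for name, tok in samples.items():
        print(name, "->", classify_token(tok, project))
```

Only a token classified as `firebase-id-token` belongs in the Firebase verification path, and it still has to pass full signature verification there.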
