Authenticating Users
To authenticate users in Google Cloud applications, Google offers the following methods:
| Authentication Service | Purpose |
|---|---|
| Firebase Authentication | Provides multiple user authentication options including with Google, Facebook, and Twitter. It also supports the largest number of users while maintaining the smallest amount of code. |
| Google Sign-In | Google Sign-In provides Gmail and Google Workspace account sign-in along with support for one-time passwords (OTP). It's the easiest method of supporting Google-only accounts, or supporting Google accounts in an existing sign-in system. |
| OAuth 2.0 and OpenID Connect | OpenID Connect lets you handle and use authentication tokens from the ground up with the most customization. |
| Google Cloud Identity Platform | Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications. This option is ideal for users who want to be their own identity provider. |
| Users API | The Users API is one of the legacy bundled services that is used for authenticating Google and Google Workspace accounts. This built-in API is only available in App Engine. |
| Identity-Aware Proxy (IAP) | IAP lets you control access to your App Engine services before requests reach your application resources. IAP lets you establish a central authorization layer for applications, and works with signed headers or the App Engine Users API to secure your app. Unlike the other authentication services in this table, IAP performs authentication before your app can be reached. The other options on this page implement authentication in your app. |
Firebase Authentication
Firebase Authentication gives you a robust, secure authentication system-in-a-box that lets users sign in with any account they want to use. Firebase Authentication supports password authentication in addition to federated sign-in with Google, Facebook, Twitter, and more, allowing you to easily scale your authentication system as you grow on desktop and mobile.
Firebase Authentication is the easiest way to set up user authentication for a Google App Engine app. To learn more about Firebase Authentication, try the following:
Authenticating Users on App Engine Using Firebase explains how to retrieve, verify, and store user credentials on the server.
Firebase Web Tutorial highlights how to use Firebase on a website, including user sign-in with Google as the Identity Provider.
Firebase Quickstart Apps show how to integrate Firebase across platforms, using both federated sign-in and username/password sign-in examples. Samples demonstrate Firebase Authentication using the JavaScript SDK as well as on iOS and Android.
Google Sign-In
If you want to provide a Google login button for your website or app, or you're using Google Admin console for your domain and you want to authenticate users based on that login, you can use Google Sign-In, which is our sign-in client library built on the OAuth 2.0 and OpenID Connect protocols.
Google Sign-In is available for Web Apps, iOS, and Android.
OAuth 2.0 and OpenID Connect
Google Sign-In is based on Google's OAuth 2.0 implementation, which conforms to the OpenID Connect specification, and is OpenID Certified.
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, and your app can use it to retrieve user profile information.
Identity Platform
Identity Platform provides a drop-in, customizable identity and authentication service for user sign-up and sign-in. Identity Platform supports multiple authentication methods (SAML, OIDC, email/password, social, phone, and custom auth) to provide flexible integration options for any identity solution. Identity Platform is built on Google Cloud's global scale, performance, network, and security, and comes with an enterprise-grade support and SLA to meet the demands of virtually any app or service.
Identity Platform offers its own user identity system. If you're already using Google Workspace for your domain and want to authenticate users based on that login, you should use Google Sign-In.
To learn about integrating Identity Platform with App Engine, try the how-to guide for signing in users on App Engine.
Users API
The Users API allows an application to perform the following tasks:
- Detect whether the current user is signed in.
- Redirect the user to the appropriate sign-in page to sign in.
- Request that the user create a new Google account if they don't have one already.
While a user is signed in to the application, the app can access the user's email address. The app can also detect whether the current user is an administrator, making it easy to implement admin-only areas of the app.
More information is available on the Users API overview.
Identity-Aware Proxy (IAP)
IAP protects and secures your application by adding an authentication and authorization layer in front of your resources, for inbound external requests. IAP doesn't protect against activity within a project, such as another App Engine service inside the same project. Users who are not authorized to access your app can't reach your App Engine app.
IAP-protected services or applications can only be accessed by principals that have the correct Identity and Access Management (IAM) role. When a user tries to access an IAP-secured resource, IAP performs authentication and authorization checks for you. Learn how IAP secures your application resources on the IAP overview.
You can enable IAP for your whole app, or for specific services or versions of your app. See the IAP quickstart to learn how to configure IAP for your App Engine resources.
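Because IAP does not cover requests that originate inside the project, an app can check IAP's signed header (`x-goog-iap-jwt-assertion`, an ES256-signed JWT) itself before trusting the caller's identity. The following is an added example, not code from this page or from Google: the function names, the throwaway key, the `kid`, and the project number and ID in the audience are constructed placeholders, and the public keys are passed in by the caller so the code runs offline.

```javascript
// Added example: verify the IAP signed header inside the app.
const crypto = require('node:crypto');

const IAP_ISSUER = 'https://cloud.google.com/iap';
const SKEW_SEC = 30; // assumed clock-skew allowance
const decode = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// keys: Map of kid -> public key (PEM or KeyObject), supplied by the caller.
function verifyIapAssertion(token, keys, expectedAudience, nowSec = Date.now() / 1000) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) throw new Error('malformed assertion');
  const [h, p, s] = parts;
  const header = decode(h);
  // Pin the algorithm; never let the token pick it ("none", HS256, ...).
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const key = keys.get(header.kid);
  if (!key) throw new Error('unknown kid');
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!valid) throw new Error('bad signature');
  const claims = decode(p);
  if (claims.iss !== IAP_ISSUER) throw new Error('wrong issuer');
  // The audience binds the token to this app, so a token minted for another
  // IAP-protected resource is rejected.
  if (claims.aud !== expectedAudience) throw new Error('wrong audience');
  if (!(nowSec < claims.exp + SKEW_SEC)) throw new Error('expired');
  if (!(claims.iat <= nowSec + SKEW_SEC)) throw new Error('issued in the future');
  return { email: claims.email, sub: claims.sub };
}

// Constructed fixture: signs a sample token with a throwaway key.
function makeSampleToken(privateKey, kid, claims, alg = 'ES256') {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${enc({ alg, typ: 'JWT', kid })}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const AUD = '/projects/123456789/apps/example-project'; // placeholder audience
const now = Math.floor(Date.now() / 1000);
const sample = makeSampleToken(privateKey, 'kid-1', {
  iss: IAP_ISSUER, aud: AUD, iat: now, exp: now + 600,
  email: 'alice@example.com', sub: 'accounts.google.com:1234',
});
console.log(verifyIapAssertion(sample, new Map([['kid-1', publicKey]]), AUD));
```

For App Engine the expected audience has the form `/projects/PROJECT_NUMBER/apps/PROJECT_ID`; in a deployed app the key map would be filled from IAP's published public keys rather than a locally generated pair.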
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.