Authenticating users
To authenticate users in Google Cloud applications, Google offers the followinguser authentication methods:
| Authentication Service | Summary |
|---|---|
| Identity Platform(recommended) | Authenticate users using passwords, phone numbers, popular federated identity providers like Google, Facebook, Twitter, and any provider that supports SAML or OpenID Connect protocol. It offers enterprise features including multi-factor authentication, OIDC and SAML SSO support, multi-tenancy, 99.95% SLA, and more. The recommended method when starting a new project, so you can usethe capabilities of Identity Platform as well as the legacy features from Firebase Authentication. |
| Firebase Authentication | Authenticate users by using different authentication options including with Google, Facebook, and Twitter. Firebase Authentication supports the largest number of users while maintaining the smallest amount of code. The recommended method for deploying a solution in the fewest steps. |
| Google Identity Services for Web | Authenticate users by using Google user accounts from Gmail and Google Workspace. The recommended method for supporting Google-only accounts, or supporting Google accounts in an existing sign-in system. |
| OAuth 2.0 and OpenID Connect | Provides federated identity from theprovider of your choice, including Google. The recommended method if you want to build the user authentication protocol yourself. |
| Identity-Aware Proxy (IAP) | Provides authentication by adding an Identity and Access Management (IAM) verification layer above your App Engine app. IAP lets you control access to your App Engine services, before requests reach your application resources. This makes IAP unsuitible for protecting against activity within the same Google Cloud project. The recommended method if you want to use Google accounts and IAM to control user access. |
| Users API | Authenticate users that are using Google and Google Workspace accounts. The App Engine Users service is accessible only through the legacy bundled services. |
Identity Platform
Identity Platform is a customeridentity and access management (CIAM) platform that lets organizations customizeidentity and authentication for user sign-up and sign-in in their applications.Identity Platform supports multiple authentication methods (SAML, OIDC,email/password, social, phone, and custom auth) to provide flexible integrationoptions for any identity solution. Identity Platform is built onGoogle Cloud's global scale, performance, network, and security, and comes withan enterprise-grade support and SLA to meet the demands of virtually any app orservice.
This solution is best for most users who want flexible authentication optionsbased on reliable, enterprise-grade features and SLAs.
Identity Platform offers its own user identity system. If you're already usingGoogle Workspace for your domain and want to authenticate users based on thatlogin, you should useGoogle Identity Services for Web.
To learn about integrating Identity Platform with App Engine, try thehow-to guide forsigning in users onApp Engine.
Firebase Authentication
Firebase Authentication provides adrop-in, customizable identity and authentication service for user sign-up andsign-in. Similar to Identity Platform, Firebase Authentication supports multipleauthentication methods (SAML, OIDC, email/password, social, mobile, and customauth) to provide flexible integration options for any identity solution.
Firebase Authentication differs from Identity Platform in that it lacks certainenterprise features. For more information, seeDifferences between Identity Platform and Firebase Authentication.
This solution is best if you want the most lightweight way to set up userauthentication for an App Engine app. For many users, Firebase Authenticationis the fastest way to implement or test authentication.
To learn more about Firebase Authentication, try the following:
Firebase Web Tutorialhighlights how to use Firebase on a website, including user sign-in with Googleas the Identity Provider.
Firebase Quickstart Apps showhow to integrate Firebase across platforms, using both federated sign-in andusername/password sign-in examples. Samples demonstrate Firebase Authenticationusing theJavaScript SDKas well as oniOSandAndroid.
Google Identity Services for Web
Google Identity Services for Webis a sign-in client library for Google built on the OAuth 2.0 and OpenID Connectprotocols. It allows for quick and easy sign-in by providing a Sign in WithGoogle button that appears on your website or app.
This solution is best if you want to authenticate users based on their GoogleAccount, or if you are using Google Admin console for your domain.
OAuth 2.0 and OpenID Connect
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. Googleoffers animplementationof OAuth 2.0 that conforms to theOpenID Connect specification and isOpenID Certified. There are also severalother providersavailable.
This solution is best if you want total customization and control of yourauthentication implementation.
For more information, seeOpenID Connect.
Identity-Aware Proxy (IAP)
Unlike the other authentication options that implement authentication withinyour app,IAP protects and securesyour application by adding an IAM authentication andauthorization layer in front of your resources. This layer verifies inboundexternal requests before the app can be reached. Users who are not authorizedaccess to your app can't have access to reach your App Engine app.
You can enable IAP for your whole app, or for specific servicesor versions of your app. IAP-protected services or applicationscan only be accessed byprincipalswhich have the correctIAM role.When a user tries to access an IAP-secured resource,IAP performs authentication and authorization checks for you.Learn how IAP secures your application resources on theIAP overview.
IAP doesn't protect against activitywithin a project, such as one App Engine service accessing anotherservice in the same project.
This solution is best if you want to use Google user accounts andIAM to authorize user access.
To learn how to configure IAP for your App Engineresources, see theIAP quickstart.
Users API
Note: The Users API is only supported for Python,Java, Go, and PHP apps thatuse thelegacy bundled services.The Users API allows an App Engine app to perform the following tasks:
- Detect whether the current user is signed in using a Google Account.
- Redirect the user to the appropriate sign-in page to sign in.
- Request the user create a new Google Account if they don't have one already.
While a user is signed in to the application, the app can access the user'semail address. The app can also detect whether the current user is anadministrator, making it easy to implement admin-only areas of the app.
This solution works well if you are upgrading an existing app from afirst-generation runtime to a second-generation runtime, and want to continueto use the Users API. If you want the flexibility of moving toCloud Run or another Google Cloud app hosting platform later on,we recommend migrating to a more modern user authentication solution.
To learn about integrating the Users API, see theUsers API overview.
Other authentication services
Auth0 provides authentication with various identityproviders and single sign-on features.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.