Introduction

JWTs issued by Descope, an OAuth 2.0-compliant provider, can easily be integrated with existing GCP API Gateway endpoints to protect them. This integration helps provide a secure way to manage access to your application services.

If you're utilizing Descope for authentication and wish to protect your GCP API endpoints using Descope JWT tokens, you can set up a security mechanism in GCP API Gateway to validate these tokens. This involves configuring a service that can verify the JWTs against the expected issuer and audience, as well as the token's signature. The steps below will guide you through the process of making your Descope JWTs compatible with GCP API Gateway, including setting up the necessary components on Google Cloud.

These instructions are based on an example API, which you can create by following the steps in the Google guide for creating an example API. The process is the same for custom APIs you have already created, so if you have one you can skip to the next section and add the necessary security policies for Descope JWT tokens.

Setting Up JWT Validation in GCP API Gateway

To use Descope JWTs with GCP API Gateway, you need to follow the steps below:

  1. Ensure your Descope JWTs carry the correct Issuer URL by selecting the appropriate settings in your Descope Project Settings to include the necessary claims for GCP compatibility.
     [Screenshot: Enable API Gateway compliant JWT in Project Settings]
     This adjustment ensures the Issuer (iss) claim in the Descope JWT aligns with what GCP API Gateway expects, including the project ID and a recognizable issuer URL format.
  2. Create an API configuration if you have not already done so. You can follow the steps in the Google guide to do this.
  3. Navigate to the Google Cloud Console and define a new security scheme for your API Gateway that specifies the JWT validation parameters. Define it under your own custom Auth ID. You can add it to your existing GCP API config.

 securityDefinitions:
   your_custom_auth_id:
     authorizationUrl: "https://api.descope.com/oauth2/v1/authorize"
     flow: "implicit"
     type: "oauth2"
     # YOUR_DESCOPE_PROJECT_ID should be the Project ID from the Descope Console under Project Settings
     x-google-issuer: "https://api.descope.com/YOUR_DESCOPE_PROJECT_ID"
     x-google-jwks_uri: "https://api.descope.com/YOUR_DESCOPE_PROJECT_ID/.well-known/jwks.json"

  4. Finally, add a security section either at the API level, to apply to the entire API, or at the method level, to apply to a specific method. Make sure these changes are saved and your API is re-deployed.

 security:
   - your_custom_auth_id: []

Your API should now accept only authenticated requests. To verify that the setup is working correctly, send a curl request with a valid Descope JWT in the Authorization header, as in the following example:
curl --request POST \
  --header "Authorization: Bearer ${DESCOPE_ACCESS_TOKEN}" \
  "https://${YOUR_GCP_PROJECT}.appspot.com/airportName?iataCode=SFO"

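When the gateway rejects a request like the one above, the usual cause is a claim that does not match the security definition. The following preflight check is an added example, not Descope or Google code: it decodes a token locally and compares its claims with the x-google-issuer value from the config. The function names, the P_EXAMPLE project ID, the optional audience argument and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import time

def _b64url_json(segment):
    # JWT segments are base64url with the "=" padding stripped; restore it.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def preflight(token, expected_issuer, expected_audience=None, now=None):
    """List reasons the gateway's JWT check would likely reject this token.

    Claims are read WITHOUT verifying the signature, so this is a local
    debugging aid only and must never be used as an authorization decision.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["header or payload is not a JSON object"]
    problems = []
    if str(header.get("alg", "")).lower() == "none":
        problems.append("alg is 'none' (unsigned token)")
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match x-google-issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or in the past")
    if expected_audience is not None:
        aud = claims.get("aud")
        if expected_audience not in (aud if isinstance(aud, list) else [aud]):
            problems.append(f"aud {aud!r} does not include {expected_audience!r}")
    return problems

def sample_token(claims):
    # Constructed sample: placeholder signature, not a real Descope token.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

ISSUER = "https://api.descope.com/P_EXAMPLE"  # placeholder project ID (assumption)
if __name__ == "__main__":
    print(preflight(sample_token({"iss": "P_EXAMPLE", "exp": 2_000_000_000}), ISSUER, now=1_700_000_000))
    print(preflight(sample_token({"iss": ISSUER, "exp": 2_000_000_000}), ISSUER, now=1_700_000_000))
```
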
Conclusion

Integrating Descope JWTs with GCP API Gateway allows you to control access to your APIs effectively, ensuring that only users authenticated through Descope can access your services.

For further assistance with Descope or JWTs on GCP, feel free to reach out to our support team!