How to check service-to-service authentication in

I'm trying to split a monolith Google App Engine application (using Python & standard environment) into several services within one application. Default service is calling API implemented using the Endpoints framework in another service.

Everything works nicely except that I don't understand how to correctly check authentication of the default service (and make it work both in local development server and in production).

To call the service I'm using google-api-python-client and default application credentials.

from googleapiclient.discovery import build
from oauth2client.client import GoogleCredentials
service = build(
    name, version,
    credentials=GoogleCredentials.get_application_default(),
    discoveryServiceUrl=discovery_url)
service.client_token().execute()

My service API code looks like the following

@endpoints.api(
    name='test',
    version='v1',
)
class TestApi(remote.Service):

    @endpoints.method(
        message_types.VoidMessage,
        TestResponse,
        path='test',
        http_method='GET',
        name='test')
    def get_test(self, request):
        # user = endpoints.get_current_user()
        # if not user:
        #     raise endpoints.UnauthorizedException
        return TestResponse(test='test')

In production endpoints.get_current_user() seems to return a correct application user, but I don't know how to correctly validate that it's the same application. In local development environment endpoints.get_current_user() returns None.

You're doing it wrong. You're defining user, but not using it.

The following example greets a user who has signed in to the app with a personalized message and a link to sign out. If the user is not signed in, the app offers a link to the sign-in page for Google Accounts.

If you use the from google.appengine.api import users module:

def get(self):
    user = users.get_current_user()
    if user:
        nickname = user.nickname()
        logout_url = users.create_logout_url('/')
        greeting = 'Welcome, {}! (<a href="{}">sign out</a>)'.format(nickname, logout_url)
    else:
        login_url = users.create_login_url('/')
        greeting = '<a href="{}">Sign in</a>'.format(login_url)

    self.response.write('<html><body>{}</body></html>'.format(greeting))

When creating a user you still need to check if it's empty or not. Plus user stores different values. So you just need to make a call to them and define them.

If you have pages that require the user to be signed in in order to access, you can enforce this in your app.yaml file.

By default, your app will use Google Accounts for authentication. To choose another option, such as Google Apps domain, go to the settings page for your project in the Google Cloud Platform Console and click Edit. In the Google authentication dropdown menu, select the desired authentication type, and then click Save.

You could however also use the Tipfy framework.