When writing applications that communicate to various external services that control user data, one challenge is authentication. The process of integrating authentication into an application is often complicated, and while OAuth2 is generally considered the way to go, any developer who has worked with OAuth can likely confirm that the process of testing and integrating it into an application was not a smooth one. The experience is no different when it comes to the Google Cloud Platform, which allows developers to write applications hosted on its IaaS and PaaS platforms that could in turn talk to multiple platform APIs and services.
Google has taken a huge step toward simplifying this process via Application Default Credentials (ADC). This feature aims to simplify authenticating to multiple Google APIs via a single API call that will cleverly abstract authentication across various mechanisms, thus helping avoid a lot of boilerplate code.
The official documentation explains clearly the scenarios in which you should use ADC and what happens behind the scenes when you want to ensure that the right caller is making the API call. The key to note here is that ADC is well suited to applications where the authentication is project-wide and similar for calls across all Google users. It is not meant to replace authentication for calls to APIs that control data that is specific to a particular user.
Google recommends using ADC if you are running applications on App Engine and Compute Engine, if you want to avoid hard-coding authentication information in source code, and when data is associated with an application scope and not on a per-user basis. Behind the scenes, ADC uses a step-by-step determination of which authentication mechanism is best to use, and that includes checking for authentication information references via environment variables, local authorization available via gcloud SDK, and service accounts for App Engine and Compute Engine applications. This seamless check will simplify life for developers on Google Cloud Platform who often have to access multiple services.
All you need is a single line of code to get the default credentials, as this line of Java code demonstrates:
GoogleCredential credential = GoogleCredential.getApplicationDefault();
Subsequent to getting the credential object, you can use that to access the application services with additional scopes as required by certain resources.
To jump-start the integration of ADC into applications, client libraries have been released for Java, Python, Go, Node.js and Ruby, with PHP and .NET in development. Check out the documentation for more details.