Set up your Food Ordering web service

The Food Ordering service uses JSON messages to communicate with your web service and handle the processing, confirmation, and updates to food orders. The Google service posts messages to a URL endpoint that you define as part of your Food Ordering web service.

In designing your Food Ordering web service, you must define a URL endpoint that receives request messages from the Food Ordering service and can send messages back to the Google service. Your implementation must meet the following requirements:

  • Your web service must be able to receive a JSON message as a POST request from the Food Ordering service.
  • Your web service must provide a publicly accessible URL endpoint, called the Fulfillment URL, which you specify in the Actions console. The Fulfillment URL is used for checking out and submitting orders. Your implementation must handle both types of requests.
  • Your web service must be able to verify messages from Google using the Message verification method described below.
  • Your implementation of the URL endpoint must be able to handle both checkout and order fulfillment with a single endpoint. You cannot have one URL endpoint for checkout and a separate endpoint for order submission.

Authorization and verification

The following sections describe how to implement authentication and verify messages from Food Ordering.

Google Authorization library

In order to verify messages from Food Ordering and to generate authorization codes for messages your web service sends to Google, use the Google Auth Library in the programming language of your choice:

Download and add one of these libraries to your web service implementation code.

Message verification

Requests to your web service that come from the Food Ordering service contain a signed JSON Web Token (JWT) in the Authorization header for security. The token is generated by a shared authorization service that can be called by both Google and your Food Ordering web service.

The process of verifying requests follows these steps:

  1. When you create a project in Actions console for your Food Ordering service, the console assigns your project a project ID. For more details, see the Create project instructions.
  2. Google generates a signed JWT using the authorization service and the project ID for your Food Ordering service project. Google sends that signed token in the Authorization header of every request to your web service.
  3. Your web service decodes the signed token using the authorization service. The decoded token contains details such as the project ID, issuer, expiration time, and issued time. Use this data to determine the authenticity of the request.

Verifying messages

You should verify the authenticity of any message to your Food Ordering web service. Use the shared authorization service and authorization libraries to decode and verify the signed JWT provided with messages to your Food Ordering web service.

To implement request verification for your project, follow these steps:

  1. Extract the JWT from the Authorization header of incoming requests.
  2. Decode the token using the Google Auth Library.
  3. Set the audience of the token to your project ID.
  4. Verify the issuer, project ID, and other information contained in the token payload for accuracy.

Request verification examples

The following examples demonstrate how to implement request verification:

Node.js

const auth = require('google-auth-library')
const authClient = new auth.OAuth2Client()

/**
 * Verifies that an incoming request came from Google.
 * @param {String} idToken - The ID token used to verify the request
 * (i.e. The value found in the Authorization header of an incoming request).
 * @param {String} audience - The expected audience of the request
 * (i.e. The project ID for your project).
 * @return {Promise<boolean>} Resolves to true if request came from Google, false otherwise.
 */
async function isRequestFromGoogle(idToken, audience) {
  try {
    // verifyIdToken checks the signature against Google's public keys, the
    // audience and the expiry; it rejects (throws) when any check fails.
    const ticket = await authClient.verifyIdToken({idToken, audience})
    const payload = ticket.getPayload()
    return payload.iss === 'https://accounts.google.com'
  } catch (err) {
    // Any verification failure means the request is not trusted.
    return false
  }
}

Python

from google.auth import exceptions
from google.oauth2 import id_token
from google.auth.transport import requests

def isRequestFromGoogle(audience, token):
    """ Verifies that an incoming request came from Google.

    Args:
        audience (str): The expected audience of the request
                        (i.e. The project ID for your project)
        token (str): The ID token used to verify the request
                     (i.e. The value found in the Authorization
                     header of an incoming request)
    Returns:
        True if the request came from Google, False otherwise.
    """
    try:
        # verify_oauth2_token checks the signature against Google's public
        # keys, the audience and the expiry; it raises when a check fails,
        # so the failure is turned into a False return here.
        id_info = id_token.verify_oauth2_token(token, requests.Request(), audience)
    except (ValueError, exceptions.GoogleAuthError):
        return False
    return id_info.get('iss') == 'https://accounts.google.com'

Java

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;

/**
 * Verifies that an incoming request came from Google.
 * @param audience The expected audience of the request
 *                 (i.e. The project ID for your project)
 * @param token The ID token used to verify the request
 *              (i.e. The value found in the Authorization
 *              header of an incoming request)
 * @return {@code true} if request is from Google, else {@code false}
 */
public boolean isRequestFromGoogle(String audience, String token)
    throws GeneralSecurityException, IOException {
  // In a real service build the transport and JSON factory once and reuse
  // them; they are created here so the snippet is self-contained.
  HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
  JsonFactory jsonFactory = GsonFactory.getDefaultInstance();
  GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier
      .Builder(transport, jsonFactory)
      .setAudience(Collections.singletonList(audience))
      .build();

  // verify() checks the signature against Google's public keys, the audience
  // and the expiry; it returns null when any check fails.
  GoogleIdToken idToken = verifier.verify(token);
  if (idToken == null) return false;
  Payload payload = idToken.getPayload();
  String issuer = (String) payload.get("iss");
  // Constant-first comparison: a missing "iss" claim yields false, not a NullPointerException.
  return "https://accounts.google.com".equals(issuer);
}
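The functions above verify a token the caller already holds. As an added example that is not part of the original documentation, the Python block below shows the endpoint around such a function: extracting the bearer JWT from the Authorization header, rejecting the request with 401 before the body is parsed when verification fails, and routing checkout and submit requests through the single Fulfillment URL. The `requestType` field, the `PROJECT_ID` value and the injected `verify_token` callable are assumptions; in production `verify_token` is the isRequestFromGoogle function shown above, called with your project ID as the audience.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# Placeholder for the project ID assigned in the Actions console (not a real value).
PROJECT_ID = "your-project-id"

Verifier = Callable[[str, str], bool]   # (token, audience) -> bool
Handler = Callable[[dict], dict]        # (message) -> response body


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the JWT carried in 'Authorization: Bearer <jwt>', or None.

    Header names match case-insensitively; a missing header, a non-Bearer
    scheme, or an empty credential all yield None (fail closed).
    """
    for name, value in headers.items():
        if name.lower() != "authorization":
            continue
        scheme, _, credential = value.strip().partition(" ")
        credential = credential.strip()
        if scheme.lower() == "bearer" and credential:
            return credential
        return None
    return None


def handle_fulfillment(headers: Dict[str, str], body: bytes, verify_token: Verifier,
                       handlers: Dict[str, Handler], audience: str = PROJECT_ID) -> Tuple[int, dict]:
    """Single Fulfillment URL entry point: verify first, parse second, route third.

    verify_token(token, audience) is isRequestFromGoogle in production; handlers
    maps a request kind to the checkout or submit logic. Returns (status, body).
    """
    token = extract_bearer_token(headers)
    if token is None or not verify_token(token, audience):
        # Reject before touching the body: unverified input is never parsed.
        return 401, {"error": "request could not be verified as coming from Google"}
    try:
        message = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    # Hypothetical field name: this page does not show the Food Ordering message schema.
    handler = handlers.get(message.get("requestType")) if isinstance(message, dict) else None
    if handler is None:
        return 400, {"error": "unknown request type"}
    return 200, handler(message)
```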