Assigned
Comments
ju...@google.com <ju...@google.com> #2
I have forwarded this request to the engineering team. We will update this issue with any progress updates and a resolution.
Best Regards,
Josh Moyer
Google Cloud Platform Support
Description
Given that a major audience of Cloud Endpoints will be single-page web clients, the generally accepted OAuth grant type to use would be an Authorization Code grant.
I have opened an Enterprise support case (17470339) to confirm that this is not currently an option using Cloud Endpoints and that they're not aware of any existing feature request for this behaviour.
I like that Cloud Endpoints primarily authenticates using JWT tokens. It allows my microservices to pass around the OIDC userinfo without repeated trips to the authentication server (as they would using a non-JWT token). However, I'm not comfortable having to acquire and store that JWT in my browser.
Given that GCP's load balancers support Session affinity[1] you could maybe cache the session's access (and refresh?) tokens on each ESP (rather than manage a distributed cache).
I'm not familiar with the practice of using JWTs as access tokens (though I'm aware that it's an option). If you're going to rely on this mechanism, you might want to double check that most auth servers support it or that the ESP is configurable to use the ID token instead.
[1]
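As an added example, not code from Cloud Endpoints, the ESP, or this feature request, here is the pattern the description sketches: the proxy completes the authorization-code exchange itself, keeps the resulting JWT (and refresh token) server-side keyed by an opaque session id, and attaches the JWT as a Bearer token only when forwarding to the backend, so the browser never holds the JWT. The names `TokenProxy`, `mint_jwt`, `verify_jwt`, `backend` and `demo`, the HS256 shared key, and all token values are constructed for this example; a real deployment would verify RS256 tokens against the identity provider's published JWKS, and the refresh step is not shown.

```python
"""Token-holding proxy: opaque session cookie in the browser, JWT cached
server-side and attached on the hop to the backend. Constructed example."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption for the example: a shared HMAC secret stands in for the auth server's
# signing key. Real identity providers sign with RS256 and publish a JWKS.
SIGNING_KEY = b"constructed-example-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the auth server: issue a compact HS256-signed JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, audience: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Check signature, algorithm, expiry and audience; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Pin the algorithm so an attacker-supplied "alg": "none" header is rejected.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


class TokenProxy:
    """Holds OAuth tokens server-side; the browser only gets an opaque session id."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"jwt": ..., "refresh_token": ...}

    def complete_login(self, jwt: str, refresh_token: str) -> str:
        """Called after the proxy (not the browser) finishes the auth-code exchange.
        The returned id is meant for an HttpOnly, Secure, SameSite cookie."""
        sid = secrets.token_urlsafe(32)
        # The JWT is whichever token the backend validates (ID token or JWT access
        # token); the refresh token is kept to renew it later (renewal not shown).
        self._sessions[sid] = {"jwt": jwt, "refresh_token": refresh_token}
        return sid

    def forward(self, session_cookie: str, backend_fn):
        """Swap the cookie for the cached JWT on the way to the backend."""
        sess = self._sessions.get(session_cookie)
        if sess is None:
            return 401, "no session"
        return backend_fn({"Authorization": f"Bearer {sess['jwt']}"})


def backend(headers: dict, audience: str = "my-api", now=None):
    """Stand-in for a service behind the proxy that validates the JWT locally,
    without a round trip to the auth server."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_jwt(auth[len("Bearer "):], audience, now=now)
    except ValueError as exc:
        return 401, str(exc)
    return 200, claims["sub"]


def demo():
    """Happy path, unknown session cookie, and a token signed with the wrong key."""
    proxy = TokenProxy()
    token = mint_jwt({"iss": "https://idp.example", "sub": "user-123",
                      "aud": "my-api", "exp": int(time.time()) + 300})
    sid = proxy.complete_login(token, "constructed-refresh-token")
    ok = proxy.forward(sid, backend)                      # (200, "user-123")
    unknown = proxy.forward("forged-session-id", backend)  # (401, "no session")
    forged = mint_jwt({"sub": "admin", "aud": "my-api", "exp": 10**10},
                      key=b"attacker-key")
    return ok, unknown, backend({"Authorization": "Bearer " + forged})


if __name__ == "__main__":
    print(demo())
```

The backend never sees the session cookie and the browser never sees the JWT; compromise of the session store on the proxy is the trade-off, which is why the description's suggestion of keeping it per-ESP with session affinity matters.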