验证我的“应用”到Google Cloud Endpoints而非“用户”的身份

Question

What I'm trying to do is to authenticate my Android app to the Google Cloud Endpoint. Basically the endpoints should only allow my Android app to access the methods and nothing else.

I have done these things -

1. Create a client id using my SHA1 value in Eclipse in the Google Cloud Console.

2. Create a web client id in the Google Cloud Console for my endpoint project.

3. Add both these client id's in the "@Api" mentioned on each endpoint.

4. Add an extra "user" parameter in the endpoint methods.

5. Regenerate and deploy the backend to the cloud.

But when I'm running this the "user" is always coming as "null". I'm at my wits end trying to find a proper working method for doing all this.

I've searched many forums but no proper answers anywhere.

Here's another similar post Restrict access to google cloud endpoints to Android app

This is the reference I'm using - https://developers.google.com/appengine/docs/java/endpoints/auth

Has anyone here done this before? My main goal is to not allow unauthenticated apps and outside world to access the endpoints, for obvious security reasons. I don't want to use end-user based authentication since I want to keep my app very simple.

Answer 1

It sounds like it's working as intended. You control which client apps can call your endpoint methods via the client IDs as you have already done. The User parameter is coming in as null precisely because you aren't doing end-user authentication. The User parameter represents an actual real user (Google Account). So if you don't need end-user authenticated methods, you can just simply not define the User parameter, or else ignore the null value. You said your problem is that the User parameter is set null. What are you expecting it to be in this scenario?

Answer 2

您需要在客户端上调用身份验证，然后您正在使用的库可能会“注入”用户信息。

Answer 3

Here's what worked for me :

Let's say you have the keys below :

static final String WEB_CLIENT_ID = "somekeyfor webclientid.apps.googleusercontent.com";

static final String ANDROID_CLIENT_ID = "somekeyfor androidclientid.apps.googleusercontent.com"; static final String ANDROID_AUDIENCE = WEB_CLIENT_ID;

Your Api anotation should look like this :

@Api(
        name = "yourapiname",
        clientIds = {CloudEndpoint.WEB_CLIENT_ID,CloudEndpoint.ANDROID_CLIENT_ID},
        audiences = {CloudEndpoint.ANDROID_AUDIENCE},
        version = "v1",
        namespace = @ApiNamespace(
                ownerDomain = "myapp.app.com",
                ownerName = "myapp.app.com",
                packagePath = ""
        )
)

In the annotation below, notice how your audience is the variable --> ANDROID_AUDIENCE which is equal to WEB_CLIENT_ID.

Now in your app side, when you create the googleAccountCredential object, you should pass in the Web Client Id like this :

mAccountCredentials = GoogleAccountCredential.usingAudience(getApplicationContext(),"server:client_id:" + "yourwebclientID");

Note that even if this is properly done, your user object in the endpoint might still coming out as Null if the account name you pass in mAccountCredentials.setSelectedAccountName("accontname") does not exist in the device. Therefore make sure the account name you pass does exist in the Android device by going to --> (Settings/Accounts)