Google Cloud Endpoints and User's Authentication

Authorization in Google Cloud Endpoints for external clients

You are on the right track!

  • With Firebase, the JS library allows you to authenticate to the correct identity provider, and the lib also allows you to generate a JWT. No private key needed here!
  • With a custom method, it's different. Cloud Endpoints needs to validate the signature of the JWT. For this, Cloud Endpoints needs to know the public key matching the private key used to sign the JWT. Most of the time, it's provided by your own IdP system.

In your context, Firebase Auth (or Cloud Identity Platform, if you want to manage your users on Google Cloud) is the best solution for you. With several customers, you can't register all their public keys; the only solution is to have your own IdP with all your customers registered on it.

I have an additional question: how do you plan to count the number of requests per client? Through Cloud Endpoints or your own database?
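What the "custom method" bullet above amounts to, as an added example that is not part of the original answer: the IdP signs an RS256 JWT with its private key, and the gateway, holding only the public key plus the issuer and audience it was configured with, verifies the signature and then checks iss, aud and exp. The key pair, issuer URL, audience and subject are constructed for the demo; a real gateway such as ESP would fetch the public key from the JWKS URL named in the API config instead of calling NewIdPKey.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of RFC 7519 registered claims the gateway checks.
// aud is modelled as a single string; RFC 7519 also allows an array.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// NewIdPKey stands in for the identity provider's signing key pair (constructed
// for the demo). Only the public half ever leaves the IdP, normally via JWKS.
func NewIdPKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// SignJWT is the IdP side: encode header.payload and sign it with RS256.
func SignJWT(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT is the gateway side: public key only, fixed issuer and audience.
func VerifyJWT(token string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm before looking at the signature: accepting "none" or an
	// HMAC alg here would let a client forge tokens using the public key.
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	// Only once the signature holds are the claims worth reading.
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != audience {
		return nil, fmt.Errorf("token not meant for this API (aud=%q)", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	idp := NewIdPKey()
	now := time.Now()
	tok, _ := SignJWT(idp, Claims{Iss: "https://idp.example.com", Sub: "alice", Aud: "my-api", Exp: now.Add(time.Hour).Unix()})
	c, err := VerifyJWT(tok, &idp.PublicKey, "https://idp.example.com", "my-api", now)
	fmt.Println("valid token:", c != nil, err)
	_, err = VerifyJWT(tok, &idp.PublicKey, "https://idp.example.com", "other-api", now)
	fmt.Println("wrong audience:", err)
}
```

The audience check is what stops a token minted for one customer's API from being replayed against another, and the issuer check is why every customer must sit behind one IdP whose key the gateway knows, which is the point the answer makes.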

User Authentication for Identity Platform + API Gateway

Turns out that using the Firebase authentication method mentioned in the documentation works (i.e. add the firebase security definition).
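The Firebase security definition the answer refers to, as an added example that is not from the original post: an OpenAPI 2.0 fragment for ESP using the issuer and JWKS URL Google documents for Firebase ID tokens. YOUR-PROJECT-ID, the host and the /echo path are placeholders to replace with your own.

```yaml
swagger: "2.0"
info:
  title: "example API"
  version: "1.0.0"
host: "example-api.endpoints.YOUR-PROJECT-ID.cloud.goog"
securityDefinitions:
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    # Tokens must be issued by Firebase for this project ...
    x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
    # ... and are verified with public keys ESP fetches from here; no private key is shared with you.
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    # Reject tokens minted for a different Firebase project.
    x-google-audiences: "YOUR-PROJECT-ID"
paths:
  "/echo":
    get:
      summary: "Echo the caller's identity"
      operationId: "echo"
      # Attaching the definition here makes ESP require a valid Firebase ID token on this route.
      security:
        - firebase: []
      responses:
        200:
          description: "ok"
```

Routes without a security entry stay open, so either put security at the top level of the file or check every operation; the backend then reads the verified claims ESP forwards in the X-Endpoint-API-UserInfo header rather than parsing the Authorization header itself.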

Is it possible to use Google Cloud Endpoints built in authentication with Google+ Domains API?

So, your use-case is:

  • your users authenticate to your app, granting the basic userinfo.profile scope needed to get the com.google.appengine.api.users.User object properly received in your endpoints API
  • you persist these User objects to the DB, and when you retrieve them to display the thread they commented in, you'd like to make a call to the google+ API people.get method to retrieve their avatar image URL

The solution: if your users were presented with an oauth flow that had them grant the scope required for the google+ API call (the profile scope) in addition to the regular endpoints "userinfo.profile" scope, it should be no problem to call the Google+ API, either from the JS client or from the Java back-end, using the Google API client libraries, after going through that flow to obtain the credentials.

In order to avoid re-authenticating them each time, you should serialize and store a credentials object from the language in question, or you could even simply keep track of the refresh token for their grant and go through the low-level OAuth dance to obtain a fresh access token (you'll probably want to do the former, as it does this for you).

As noted elsewhere on the web (in several other places as well), the userid from the User object is not the same as the Google+ profile id, so be aware of that when working with the endpoints method parameter User objects. You therefore won't be able to use the userid from the User object to call people.get.

Instead, you should store the Google+ profile ID of the user at the time that they first signed-in or at least went through the oauth flow that granted the necessary Google+ scope, alongside the User object you've already been using. You'll have to use the (de)serialized credentials objects or refresh/access tokens to call the Google+ API, once you retrieve the Google+ profile id from each user's data model in your storage (whatever solution you use, from Datastore to SQL, etc.)

Google Cloud Endpoints and user's authentication

You can supply your own authenticator to Endpoints, and the injected User will be obtained with your authenticator:
https://developers.google.com/appengine/docs/java/endpoints/javadoc/com/google/api/server/spi/config/Authenticator.html

The Facebook credentials can be sent via a header, e.g. the Authorization header, and they can be accessed from the backend via HttpServletRequest, which you can handle inside the Authenticator.authenticate method.

For example:

// Imports needed for the snippet to compile (Endpoints Frameworks for Java).
import javax.servlet.http.HttpServletRequest;
import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.Authenticator;

// Custom Authenticator class (MyAuthenticator.java). Endpoints calls
// authenticate() for every request and injects the returned User, or null,
// into the API method's User parameter.
public class MyAuthenticator implements Authenticator {
    @Override
    public User authenticate(HttpServletRequest request) {
        // The header value normally carries a "Bearer " prefix; strip it
        // before handing the token to Facebook.
        String token = request.getHeader("Authorization");
        if (token != null) {
            String user = authenticateFacebook(token); // apply your Facebook auth.
            if (user != null) {
                return new User(user);
            }
        }
        return null; // not authenticated: the method receives user == null
    }

    // Placeholder for the "apply your Facebook auth" step the original answer
    // leaves to the reader: validate the token with Facebook (never trust the
    // token's contents without that check) and return the caller's identity,
    // or null if it is invalid.
    private String authenticateFacebook(String token) {
        return null; // everyone is unauthenticated until this is implemented
    }
}

// Endpoints class (MyEndpoints.java).
@Api(name = "example", authenticators = {MyAuthenticator.class})
public class MyEndpoints {
    public Container getThing(User user) {
        Container c = new Container();
        if (user != null) {
            c.email = user.getEmail();
        }
        return c;
    }

    // Response bean: must be a static nested (or top-level) class so
    // Endpoints can instantiate it when serialising the response.
    public static class Container {
        public String email;
        public String extraData;
    }
}

Does Cloud Endpoint support authentication via cookie?

According to this page, the custom authentication is based on OAuth2 (OIDC), and a JWT must be sent to perform the authentication:

You can use other authentication platforms to authenticate users as long as it conforms to the JSON Web Token RFC 7519.

Authentication by custom cookies isn't supported. However, Cloud Endpoints (ESP) was open sourced earlier this year, and you can contribute to the project if you want this feature, or at least create a feature request.

API Authentication with Google Cloud Endpoints

ESP cannot run in front of your application on App Engine Standard the same way it can on App Engine Flex. That mostly has to do with the difference in architectures of those runtimes --- App Engine Flex is based on deploying containers (including multiple at a time), whereas App Engine Standard does not currently support multi-container deployments.

Because of this, we have the Endpoints Frameworks that add similar functionality as a library for applications based on App Engine Standard --- but this is only supported for the Python and Java runtimes.

Unfortunately, this means that if you're sticking with the combination of Node + App Engine Standard, there isn't currently a way to use Cloud Endpoints.

Firebase authentication from Google Cloud Endpoint

If you want your Cloud Endpoint to authenticate with Firebase as "itself", you can mint a custom token and pass that into authWithCustomToken. See this page in the docs: https://www.firebase.com/docs/android/guide/login/custom.html

The process is similar to what Jenny described for Node.js in How do you authenticate a server to Firebase?
