
I'm using Android Studio to generate Google Cloud Endpoints for an Android app. I've deployed the endpoints and they work ok.

What I want to achieve is to enable access to the endpoints only to my app. All the documentation talks about how to enable authentication for users but I only need to restrict the access to the endpoints only from my app. I don't want to use user credentials because the api does not use that.

What I tried is creating a client ID for my app in the Google Console and adding to the API annotation

@Api(name = "messageEndpoint", clientIds = {Ids.WEB_CLIENT_ID, Ids.ANDROID_CLIENT_ID, Ids.API_EXPLORER}, audiences = {Ids.ANDROID_AUDIENCE})

And for each API method, I've added a User parameter and check if the user is null or not. My understanding is that the user should be not null if the API is called from one of the client IDs. But user is always null.

Am I missing something?

In my Android app I have

GoogleAccountCredential credential = GoogleAccountCredential.usingAudience(DelegateActivity.this, "server:client_id:" + Ids.ANDROID_AUDIENCE);
MessageEndpoint.Builder endpointBuilder = new MessageEndpoint.Builder(
        AndroidHttp.newCompatibleTransport(), new JacksonFactory(),
        credential);

And the exception I am getting is:

java.lang.NullPointerException: [qi] accountName cannot be null.
    E   at android.os.Parcel.readException(Parcel.java:1431)
    E   at android.os.Parcel.readException(Parcel.java:1379)
    E   at com.google.android.gms.internal.a$a$a.a(Unknown Source)
    E   at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
    E   at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
    E   at com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential.getToken(GoogleAccountCredential.java:277)
    E   at com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential$RequestHandler.intercept(GoogleAccountCredential.java:301)
    E   at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:854)
    E   at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:410)
    E   at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:343)
    E   at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:460)
Catalin Morosan

1 Answer


My understanding is that user will be null in the situation you described: authenticating the app and not the user.

If the app authentication fails then your endpoint won't even be called.

I assume that the string "[qi] accountName cannot be null." is from your app?

Tom
  • So in my app, I should not use GoogleAccountCredential and rely on the API knowing that the calls come from the right app? But I can also access the API directly from the web. Is this because I declared a web client ID in my endpoint? – Catalin Morosan Jul 27 '13 at 13:49
  • I think that, since your endpoint did get called, whatever you are doing in your client is working fine. Just stop checking for null user on the server. – Tom Jul 27 '13 at 18:17
  • You can create an Endpoint.Builder without credentials as well, just pass null as an argument. Whether it will work depends on your endpoints app. – drRoflol May 24 '14 at 22:22
  • If you create Endpoint.Builder without credentials then you must remove any check in your API of whether User is null or not. The result of doing that is your API is no longer secure. – Micro Aug 17 '15 at 20:12
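Added example, not code from the question, the answer or the comments: a server-side endpoint written the way the last comment implies, keeping the User check so that a request that reaches the API without a token for one of the listed client IDs is rejected with 401 rather than served. It assumes the Endpoints v1 classes (`com.google.appengine.api.users.User`, `UnauthorizedException`, `ApiMethod`) and the `Ids` constants from the question, which are not shown here.

```java
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.users.User;

// Assumed to exist in the project, as in the question: a holder for the
// client IDs created in the Google Cloud Console (WEB_CLIENT_ID,
// ANDROID_CLIENT_ID, API_EXPLORER, ANDROID_AUDIENCE). Not defined here.

@Api(name = "messageEndpoint",
     version = "v1",
     clientIds = {Ids.WEB_CLIENT_ID, Ids.ANDROID_CLIENT_ID, Ids.API_EXPLORER},
     audiences = {Ids.ANDROID_AUDIENCE})
public class MessageEndpoint {

  public static class Message {
    public String text;
  }

  // Endpoints injects `user` only when the request carried a valid token for
  // one of the client IDs / audiences listed above; otherwise it passes null.
  // Failing closed on null is what keeps the API shut to callers that reach it
  // without a token (e.g. straight from a browser), which is the gap the last
  // comment warns about when the check is removed.
  @ApiMethod(name = "echo", httpMethod = ApiMethod.HttpMethod.POST)
  public Message echo(Message in, User user) throws UnauthorizedException {
    requireUser(user);
    Message out = new Message();
    out.text = "from " + user.getEmail() + ": " + in.text;
    return out;
  }

  // One shared guard so every method in the API rejects anonymous calls the
  // same way (Endpoints maps UnauthorizedException to HTTP 401).
  static void requireUser(User user) throws UnauthorizedException {
    if (user == null) {
      throw new UnauthorizedException("Request did not carry a valid token for this API");
    }
  }
}
```

With this guard in place, a client built with a null credential (as the third comment suggests) will see a 401 on every method, which is the intended outcome when the goal is to keep the API closed to anyone but authenticated callers.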