1

I have a simple Google App Engine backend (written in Python) for an Android client. All the backend is responsible for is accepting a key and returning a value; it is a classifier in general, implemented simply by looking up the key in a Cloud SQL table, though this specific behavior will change in the future.

The backend and client communicate via Google Cloud Endpoints. I want to restrict access to my backend's API to only accept requests incoming from my client, and am wondering if OAuth 2.0 is really the way to do this.

I don't need any contextual or extra information from the user, and as such, don't want to have user action to grant any type of authorization. All I need to do is be certain the request came from my app. I was considering simply generating a static key and hardcoding it in my client and backend, but I thought there must be a more elegant way to do this.

TL;DR: How can I restrict access to my backend only to my client/app without needing user context/input, by OAuth 2.0 or otherwise?

thegeebe
  • 625
  • 1
  • 6
  • 17
  • Found a good explanation of this [here](http://stackoverflow.com/questions/21825175/how-do-i-restrict-google-app-engine-endpoints-api-access-to-only-my-android-appl?lq=1) – thegeebe May 20 '14 at 15:18

1 Answers1

0

I don't know if the OP solved their problem but I am posting this here for others. I have wasted quite a few hours on this particular issue.

Steps :

1.Create an oAuth 2.0 client ID for your Android client.

2.Specify the Client IDs in the allowed_client_ids argument of the endpoints.api. In this case (Android), supply both its Android client ID and a web client ID in allowed_client_ids.

3.Supply the audiences argument as well in endpoints.api which is set to the web client ID.

4.Add a user check to the protected methods.

5.Redeploy the API backend.

6.Regenerate the client libraries.

Mayur
  • 11
  • 3