
One of my iOS apps contacts one of my services using Google Cloud Endpoints and I would like to restrict access to that service to instances of the app.

I've followed instructions about adding authorization and have created an iOS client ID that is tied to my app's bundle ID and App Store ID. I now have difficulty understanding this part of the instructions:

> If your iOS app is making calls to an Endpoint that requires authentication, you must Add a Sign-in Dialog to your iOS client.

I do not want my users to log in; instead, I want my app to present its credentials to the service for authentication without user interaction. I thought that, since the client ID is (presumably cryptographically) tied to the client ID and bundle ID, only the app is (somehow) able to do so, and that the client ID would effectively serve like a service account.

Is this type of app (not user) authentication scenario supported by Google Cloud Endpoints (for iOS clients) or do I have to roll my own app authentication by passing some secret in the application-level protocol? Here are some earlier related (unanswered) questions for Android clients.

Drux
  • [related](http://stackoverflow.com/questions/23337938/google-endpoints-and-public-api-key) – Drux Jun 28 '14 at 13:42
  • also [related](http://stackoverflow.com/questions/16748061/simple-access-api-developer-key-with-google-cloud-endpoint-python) – Drux Jun 28 '14 at 14:00
  • also [related](http://stackoverflow.com/questions/24028160/how-to-allow-access-to-app-engine-backend-from-ios-app-only) – Drux Jun 28 '14 at 15:24

1 Answer


I have concluded for now that Google Cloud Endpoints allows authentication only based on Google account credentials. What I need is a credential for the entire app (not its users) akin to a service account or an API key.

I have used service accounts for server-to-server communication. It does not seem possible to create service accounts for an app (as opposed to a GAE application).

`GTLService` has a property `APIKey`. However, if my client sets it to a public access key (iOS key) that I created for my GAE application in Google Developer Console, the server returns the error `Access Not Configured. Please use Google Developers Console to activate the API for your project`, but there is no (obvious) way of configuring non-Google APIs such as my service API.

So until further notice I will add an API key to my application-level API requests and check it in each `@ApiMethod`.

Alex Bitek
Drux
  • I also have the same error as you (`Access Not Configured. Please use Google Developers Console to activate the API for your project`). How did you do it? Did you put your own API key in your iOS code? – Phil Nov 17 '15 at 15:09
  • @Phil Yes, at this time I'm passing an API key as part of my application-level protocol. – Drux Nov 17 '15 at 18:19
  • @Phil Not sure what you mean by clear. The connection is over HTTPS. FWIK Google's API key would be conveyed in an HTTP header, i.e. in "clear" as well. – Drux Nov 17 '15 at 19:29
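
One way to implement the per-method key check that the answer describes, as an added example that is not code from the answer or from Cloud Endpoints. The class `AppKeyVerifier`, its methods and the sample keys are hypothetical; it assumes the app sends its key as a request parameter or header that each `@ApiMethod` passes to `isAuthorized`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper: each @ApiMethod calls isAuthorized() on the key the app sent. */
public final class AppKeyVerifier {
    // Digests of the accepted keys. More than one entry lets an old app
    // version keep working while a new key is rolled out.
    private final List<byte[]> acceptedDigests = new ArrayList<>();

    public AppKeyVerifier(List<String> acceptedKeys) {
        for (String key : acceptedKeys) {
            acceptedDigests.add(sha256(key));
        }
    }

    /** Returns true only if presentedKey matches one of the accepted keys. */
    public boolean isAuthorized(String presentedKey) {
        if (presentedKey == null || presentedKey.isEmpty()) {
            return false; // missing parameter or header
        }
        // Hashing both sides gives equal-length inputs, and MessageDigest.isEqual
        // compares them without stopping at the first differing byte.
        byte[] presented = sha256(presentedKey);
        boolean match = false;
        for (byte[] accepted : acceptedDigests) {
            match |= MessageDigest.isEqual(accepted, presented); // check every entry
        }
        return match;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required on every Java platform", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample keys, not real credentials.
        AppKeyVerifier verifier = new AppKeyVerifier(Arrays.asList("sample-key-v2", "sample-key-v1"));
        System.out.println(verifier.isAuthorized("sample-key-v1")); // previous key still accepted
        System.out.println(verifier.isAuthorized("sample-key-v0")); // unknown key
        System.out.println(verifier.isAuthorized(null));            // key not sent
    }
}
```

A key compiled into an app binary can be recovered from that binary, so this check identifies requests that carry the key rather than proving they come from an unmodified copy of the app. Accepting two keys at once is what makes it practical to replace a key that has leaked.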