0

Background

I believe the recommended way to access Google services from Android is to use the Google APIs Client Library for Java (for some services play services is recommeneded too).

If you want to access your user's account, you use oauth2 to authenticate the user, but things seem less clear if you want to access your own services (eg. I want to access Google Cloud Storage belonging to my app engine project).

The problem with service accounts

What I see a lot of here is using service accounts, and I've used them server-side and found them to be a comparatively simple solution, but this requires you to deploy your private key so I don't think this could be right for public Android apps.

The solution: Public API access

If you go to the 'credentials' page of the cloud console: https://console.developers.google.com/project/[your_project]/apiui/credential
it seems pretty clear that they expect you to use a 'public API access key' for the situation I'm describing. It appears that this is not OAUTH based.

I assume that I will still use the type 'GoogleCredential' for this, but in the documentation for the credential builder I don't see how to do this. The set client functions appear to relate to the oauth2 access (which uses client ID/secret).

The Question

How do I use the 'public API access' key to access Google services from an Android app.

Or, if I'm wrong about service accounts - and they really are the recommended solution, then please show me some evidence of this because it certainly apppears to me that they are not the right solution for publicly distributed apps.

Tom
  • 17,103
  • 8
  • 67
  • 75

1 Answers1

0

The good news is that it's very much easier. You can either use a Service Account (ie. a brand new account dedicated to your app) or a regular account.

For a service account you embed the key in your app, for a regular account you embed a refresh token in your app. In both cases, be aware of the security risk and use the minimal scope necessary.

You can get a refresh token without writing any code by following the steps in How do I authorise an app (web or installed) without user intervention? (canonical ?)

Community
  • 1
  • 1
pinoyyid
  • 21,499
  • 14
  • 64
  • 115
  • But the 'public API keys' that I refer to above - which sound to be clearly intended for this purpose - don't seem to correspond to service accounts, eg. they just provide a string API key, not the downloadable file that everyone uses with service accounts. So how would I use the API key with GoogleCredentials object? – Tom May 15 '15 at 19:31
  • not as clearly as you might think. To access Drive your app must be securely authenticated. That's not possible with a public key, which as the name implies, is somewhat public. So either investigate service accounts, or investigate using a stored refresh token. – pinoyyid May 16 '15 at 00:04
  • But you didn't address the reason that I gave in my question for not wanting the solution that you are suggesting - that distributing a private oauth key for a service account, in a public Android app, is not a good idea. As stated, I already know how to use a service account - I'm avoiding it for security reasons. – Tom May 16 '15 at 01:21
  • It might be worth restating what it is you want to achieve. If you're looking for an Android app to directly access a Google service, it needs to be authed. This can either be done using the typical user-auth mechanisms,or by embedding a credential. There is no other way! Depending on your use case, you might be able to construct something using a proxy web service. – pinoyyid May 16 '15 at 01:55