
Earlier our client side apps used Google Sign-In.

Now we are moving to custom auth, as we plan on having the user's phone number as the only identity (instead of a Google Account). But after implementing the custom Authenticator, the client IDs are not being checked and I am able to make API calls from anywhere.

When only Google Sign-In was being used at the client side, the client ID was being validated and I was not able to make API calls from any clients other than the ones authorized.

How do I verify the Client IDs while using custom authenticator?

Code for the Api Endpoint

import com.google.api.server.spi.auth.EndpointsAuthenticator;
import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;

@Api(name = "apiSubscriber",
        clientIds = {
                Constants.webClientId,
                Constants.androidClientId,
                Constants.iOSClientId
        },
        // Endpoints tries each listed authenticator in turn and accepts the first non-null User
        authenticators = {EndpointsAuthenticator.class, CustomAuth.class},
        audiences = {Constants.androidAudience}   // no trailing comma: a ',' before ')' does not compile
)
public class ApiSubscriber {

    @ApiMethod
    public Subscriber getSubscriberData(User user) {
        if (user != null) {
            // fetches subscriber data
        }
        return null; // placeholder: the original post omits the return statement
    }

    // ... Other ApiMethods
}

Code for Custom Authenticator

import javax.servlet.http.HttpServletRequest;

import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.Authenticator;

public class CustomAuth implements Authenticator {

    @Override
    public User authenticate(HttpServletRequest request) {
        String phoneNumber = request.getHeader("phoneNumber");
        String token = request.getHeader("Authorization");

        // Nothing in this method looks at the clientIds declared on @Api:
        // whatever decides whether the token is valid also has to decide which client it came from.
        if (phoneNumber != null && token != null && checkToken(phoneNumber, token)) {
            // User(String email): the phone number is carried in the email field of the Endpoints User
            return new User(phoneNumber);
        }

        return null;
    }

    private boolean checkToken(String phoneNumber, String token) {
        // Checks if the authorization token is valid (body omitted in the original post).
        // Fail closed until the real check is in place.
        return false;
    }
}

2 Answers


Unfortunately, at this time it does not appear that you can restrict your Endpoints API to a client and not use Google Sign-In.

When using Google's OAuth2 authentication, some magic voodoo happens (not exactly sure what) and apps get restricted to the client IDs that you specify.

However, when you stop using that authentication method, I have found (to my dear disappointment) that it does not work anymore.

See my question here where you can read about my tests and some additional things that may give you more information: Authenticating your client to Cloud Endpoints without a Google Account login

– Micro

I'm not sure if it's a problem, but you have some bugs in the code you provided.

 authenticators = {com.google.api.server.spi.auth.EndpointsAuthenticator.class, 
    CustomAuth.class,

Instead of the comma there must be a bracket. Also, IMHO, you need only the CustomAuth class here.

audiences = {Constants.androidAudience},

The comma is redundant.

Second, you are not required to use a custom Authenticator. You can send the token and phone number as a concatenated parameter or as two parameters to your service method and check them there.

– Yuriy N.
  • My bad with the missing bracket, I must have accidentally deleted it while posting here on SO. Also, parameters are URL-encoded in the HTTP requests (as most of my endpoints use GET), but with an Authenticator I can pass them in the header. Either way, when not used with Google Sign-In any client can make the API call and hence it does not answer my question. – KrisPrajapati May 26 '16 at 16:25
  • Finally, I have understood the question. Better late. – Yuriy N. May 29 '16 at 07:47
  • My guess is that the API is called anyway from any client even if Google Sign-In is used. But in such a case an Unauthorized exception is thrown BEFORE you can see the request in your code. How have they implemented it? I think that gapi (or the Android/iPhone client), when loaded, just requests the client ID from the server or has it hardcoded as it is generated by the Google plugin; anyway, it has the clientId and sends it to the server with every request. – Yuriy N. May 29 '16 at 07:58
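What makes the Google Sign-In check hold is not that the client sends its client ID with every request (a header like that is trivially copied) but that the Google ID token is signed by Google and names the client it was issued to in its audience claim; Endpoints verifies the signature and then compares that claim with the `clientIds` list on `@Api`. A custom authenticator gets none of that for free, so the same binding has to be built into the custom token. The following is an added, language-neutral example of that design, not code from the question or either answer: the server issues an HMAC-signed token carrying the phone number as `sub` and the client ID as `aud`, and the check that `CustomAuth.checkToken` would need is split into `verify_token` and `authenticate`. The signing key, the three client IDs, the phone number and the `demo()` requests are constructed stand-ins for `Constants.webClientId` and friends, not the project's real values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the server's signing key and for the clientIds listed on
# the @Api annotation (Constants.webClientId and friends); not the project's real values.
SERVER_KEY = b"example-hmac-key-replace-with-a-random-secret"
ALLOWED_CLIENT_IDS = {
    "web-client-id.example",
    "android-client-id.example",
    "ios-client-id.example",
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(phone_number: str, client_id: str, key: bytes = SERVER_KEY,
                now=None, ttl: int = 3600) -> str:
    """Server side, run once the phone number has been proven (e.g. by an SMS code).

    The client ID the app presented at sign-in is written into the signed payload as
    `aud`, the way a Google ID token carries its client ID. From here on the client
    cannot change it without breaking the signature.
    """
    now = int(time.time()) if now is None else now
    payload = {"sub": phone_number, "aud": client_id, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token: str, allowed_client_ids, key: bytes = SERVER_KEY, now=None):
    """Returns the phone number on success, None otherwise.

    Signature first, then expiry, then audience against the allow-list. This is the
    check a custom Authenticator has to do itself: the @Api clientIds list is only
    applied by Endpoints to Google-issued tokens.
    """
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    if payload.get("aud") not in allowed_client_ids:
        return None
    return payload.get("sub")


def authenticate(headers: dict, allowed_client_ids=ALLOWED_CLIENT_IDS,
                 key: bytes = SERVER_KEY, now=None):
    """Stand-in for CustomAuth.authenticate(): only the Authorization header is read.

    There is no separate phoneNumber header; the identity comes out of the verified token.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):], allowed_client_ids, key, now)


def retarget_audience(token: str, new_client_id: str) -> str:
    """What a caller holding a token for an unregistered client would try: rewrite
    `aud` to an allowed client ID and keep the old signature. verify_token() rejects it."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["aud"] = new_client_id
    return _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()) + "." + sig


def demo(now: int = 1_000_000) -> dict:
    """Constructed requests: a registered Android client, a client the API was never
    registered for, the retargeted token, and a stale token. Returns who each call
    authenticates as (None means the request is rejected)."""
    good = issue_token("+15555550100", "android-client-id.example", now=now)
    rogue = issue_token("+15555550100", "rogue-client.example", now=now)
    forged = retarget_audience(rogue, "android-client-id.example")
    return {
        "android": authenticate({"Authorization": "Bearer " + good}, now=now),
        "rogue": authenticate({"Authorization": "Bearer " + rogue}, now=now),
        "forged": authenticate({"Authorization": "Bearer " + forged}, now=now),
        "expired": authenticate({"Authorization": "Bearer " + good}, now=now + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat before relying on this: a client ID is not a secret. The web client ID sits in page source, and an Android or iOS client ID can be pulled out of the app binary. Google's own restriction is only as strong as it is because the Android client ID is registered against the package name and signing-certificate fingerprint (and the iOS one against the bundle ID), so Google will not issue a token with that audience to an app that does not carry that signature. With a custom token the `aud` claim proves which client ID was presented at sign-in, nothing more; if the requirement is "calls only from my real app", that needs the issuing step to be bound to the app in the same way, which the thread does not cover.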