I'm new to the Google App Engine, and I'm trying to make my first engine and connect it to my Android app. I have walked through this tutorial in order to learn about it:

https://cloud.google.com/endpoints/docs/frameworks/legacy/v1/java/helloendpoints-android-studio

I got it to work fine. I can access my App Engine backend from my Android app and get the wanted response. The problem is, I want to restrict the endpoints of my API to my app's users only.

This is my API method (from the tutorial), and as for now, everyone can access my API's explorer and execute methods in it, as long as they are logged in to any Google account.

I want the users to be able to execute this method from my app only.

This is my App Engine Java file:

package com.example.Barda.myapplication.backend;

import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.ApiNamespace;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.users.User;

import javax.inject.Named;

/**
 * An endpoint class we are exposing
 */
@Api(
        name = "myApi",
        version = "v1",
        clientIds = {Constants.ANDROID_CLIENT_ID},
        audiences = "firebase-wiki-race.appspot.com",
        namespace = @ApiNamespace(
                ownerDomain = "backend.myapplication.Barda.example.com",
                ownerName = "backend.myapplication.Barda.example.com",
                packagePath = ""
        )
)
public class MyEndpoint {
    /**
     * A simple endpoint method that takes a name and says Hi back
     */
    @ApiMethod(name = "sayHi")
    public MyBean sayHi(@Named("name") String name) throws UnauthorizedException {

        // The tutorial's sign-in check, currently disabled; `user` refers to the
        // com.google.appengine.api.users.User parameter that Endpoints injects.
        //  if (user == null) throw new UnauthorizedException("User is Not Valid");

        MyBean response = new MyBean();
        response.setData("Hi, " + name);
        return response;
    }

}

This is the Constants class:

package com.example.Barda.myapplication.backend;

/**
 * Contains the client IDs and scopes for allowed clients consuming your API.
 */
public class Constants {
    public static final String ANDROID_CLIENT_ID = "*********************.apps.googleusercontent.com";

}

I have generated the ANDROID_CLIENT_ID using my app's SHA-1 and package name.

I have searched online a lot, and read blogs and threads, but I couldn't make it work. Is this a possible thing to do? What am I doing wrong?

Tal Barda

1 Answer


You'll want to follow the documentation's guide on adding authorization to the API backend. In this process you define a list of clients that are authorized to use your Endpoint.

Once that's done you can follow the guide on making authenticated calls from Android.

Yannick MG
  • Do I have to use authenticated calls in order to allow calls from my app only? I have read the first link you sent and it is in my code. Are you sure the second link is necessary for what I'm trying to do? And also, in the first link it is written that: "For an Android app, you must supply both its Android client ID and a web client ID in clientIds", but I don't have a web client, just an Android app. – Tal Barda Jun 02 '17 at 12:40
  • Yes, the only way to restrict access to your API is to use a form of authentication. This being said you can [create a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and authenticate it [using a private key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) from your Android app. The code from the second link simply gives an example of how to make authenticated calls. Finally you'll need to create a set of Web Client credentials on top of the Android ones for the Android Audience, which is required. – Yannick MG Jun 02 '17 at 13:35
  • I didn't know what my Web Client ID was, but I found the answer for it here: https://stackoverflow.com/a/34158187/7483311 It was my missing part. I have followed both of the links and it worked. – Tal Barda Jun 02 '17 at 15:40
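Putting the answer and its comments together, here is what the asker's endpoint looks like once both client IDs are listed, the audience points at the web client ID, and the injected User is actually checked. This is an added example, not code from the question or from Google's tutorial; Constants.WEB_CLIENT_ID is an assumed second constant holding the web client ID created alongside the Android one.

```java
package com.example.Barda.myapplication.backend;

import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.ApiNamespace;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.users.User;

import javax.inject.Named;

@Api(
        name = "myApi",
        version = "v1",
        // Only tokens issued for these OAuth clients are accepted. For an Android
        // caller Endpoints needs both the Android client ID and the web client ID
        // (assumed constant) that Android sign-in uses as the token audience.
        // The API Explorer has its own client ID; because it is not listed here,
        // Explorer sessions no longer reach the method as an authenticated user.
        clientIds = {Constants.ANDROID_CLIENT_ID, Constants.WEB_CLIENT_ID},
        // The audience for Android callers is the web client ID, not the
        // App Engine host name used in the question.
        audiences = {Constants.WEB_CLIENT_ID},
        namespace = @ApiNamespace(
                ownerDomain = "backend.myapplication.Barda.example.com",
                ownerName = "backend.myapplication.Barda.example.com",
                packagePath = ""
        )
)
public class MyEndpoint {

    @ApiMethod(name = "sayHi")
    public MyBean sayHi(@Named("name") String name, User user)
            throws UnauthorizedException {
        // Endpoints fills `user` only when the request carried a valid token for
        // one of the clientIds above; otherwise it is null. Without this check the
        // method would still answer anonymous and Explorer calls.
        if (user == null) {
            throw new UnauthorizedException("Sign-in from the app is required");
        }
        MyBean response = new MyBean();
        response.setData("Hi, " + name + " (" + user.getEmail() + ")");
        return response;
    }
}
```

A rejected call comes back as HTTP 401 from the UnauthorizedException, which is the response the Android client should expect whenever its token is missing, expired, or minted for a client ID outside this list.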