
I am developing a REST API, where I need to authenticate the client. I want to authenticate the client just the way Google authenticates clients when they make Google Map API calls.

In the Google Maps case, Google takes the package name and SHA-1 hash and then provides an API key. Using that API key, the Android app makes calls to the Google Map server, which then either rejects the request or returns a response based on authentication.

Q.1. How does the Google Map server authenticate an Android application that is making a REST call to it using a correct API key?

Phantômaxx
random_user

1 Answer


This answer is based on Google Directions API. Because Google Map Android SDK does the REST call underneath `.getMapAsync()`, there is no documentation as to how it's calling it.

I'm assuming it's doing the same REST call used in Google Directions API which is.

It sends the API key via a REST query value: `https://maps.googleapis.com/maps/api/directions/json?key=API_KEY`.

Now I'm not sure about why you want to authenticate your client using an API key.

Israel dela Cruz
  • > Now I'm not sure about why you want to authenticate your client using an API key. Because when you generate an API key for an Android device from the Google console, it takes the app package name and `SHA-1`. Let's say you got somebody's API key and now you want to use that API key in your Android app. You can't, because Google won't allow you, as it already knows which app has permission to use that API key. – random_user Jun 09 '19 at 04:15
  • That's right, an API key can limit the use of the API to a certain Android app, but its main use is to track the usage of the API. I'm not sure what you want though. Do you want to produce an API key for your client to use? – Israel dela Cruz Jun 09 '19 at 06:50
  • Hey! I want to know the app authentication part (the client which is calling the Google Map server with a valid API key). Suppose I generated an API key for an Android app (`dummy package name` and `dummy-SHA-1`), but now I am using the same API key in a different Android app. Only one call succeeds, the one for the app which has package name `dummy package name` and `dummy-SHA-1`. Calls made by the other app will fail. I want to know how Google does that even if the API key is correct. – random_user Jun 09 '19 at 08:41
  • It sends the `package name` and `sha1` via headers. `X-Android-Package` and `X-Android-Cert`. `sha1` must be lowercase and have no semicolon. It came from here https://stackoverflow.com/questions/54898496/how-do-i-supply-header-info-such-as-package-name-and-sha1-in-google-api-request. – Israel dela Cruz Jun 09 '19 at 20:40
  • It really helped a lot. By the way, thanks for your effort. – random_user Jun 10 '19 at 16:32
  • Note also that Android app restriction (package name and SHA-1) is not supported for REST web services (e.g. Directions API or Distance Matrix API). For REST web services the only supported restriction is IP address: https://developers.google.com/maps/faq#keysystem – xomena Jun 10 '19 at 18:33
  • @xomena I tried it with my Android app package name and sha1 in Postman and it worked for me, for Directions API at least. – Israel dela Cruz Jun 11 '19 at 05:43
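
The header check discussed in the comments above, seen from the side of a REST API that wants a similar per-key app restriction. This is an added example, not Google's implementation and not code from the thread; the registry, function names, key values and fingerprints are constructed, and accepting colon-separated or uppercase fingerprints is an assumption of this sketch.

```python
import hmac
import re

# Constructed registry: API key -> allowed (package name, SHA-1 cert fingerprint).
# Keys, package names and fingerprints are made-up sample values.
KEY_RESTRICTIONS = {
    "demo-key-1": {("com.example.dummy", "0123456789abcdef0123456789abcdef01234567")},
    "demo-key-2": set(),  # key with no Android app restriction configured
}

_SHA1_HEX = re.compile(r"[0-9a-f]{40}")


def normalize_fingerprint(value):
    """Lowercase a SHA-1 fingerprint and drop ':' separators; None if malformed."""
    cleaned = value.strip().replace(":", "").lower()
    return cleaned if _SHA1_HEX.fullmatch(cleaned) else None


def authorize(api_key, headers):
    """Return (allowed, reason) for a request carrying api_key and HTTP headers."""
    allowed_apps = KEY_RESTRICTIONS.get(api_key)
    if allowed_apps is None:
        return False, "unknown API key"
    if not allowed_apps:
        return True, "key has no app restriction"
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    package = lowered.get("x-android-package", "").strip()
    cert = normalize_fingerprint(lowered.get("x-android-cert", ""))
    if not package or cert is None:
        return False, "missing or malformed app headers"
    for allowed_package, allowed_cert in allowed_apps:
        # compare_digest avoids leaking how many leading characters matched.
        package_ok = hmac.compare_digest(package.encode(), allowed_package.encode())
        cert_ok = hmac.compare_digest(cert.encode(), allowed_cert.encode())
        if package_ok and cert_ok:
            return True, "app matches key restriction"
    return False, "app not allowed for this key"
```

Both headers are supplied by the caller, so this check ties a key to the values a request declares rather than proving which app sent it, which is consistent with the Postman result in the last comment. xomena's comment points to IP address restriction as the supported option for REST web services.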