Twitter login isn't working anymore on my android project and I have figured out that it's because I have restricted my API keys in Google cloud. By default, twitter login makes use of an https request https://<project_name>.firebaseapp.com/__/auth/handler....apiKey=...&providerId=twitter.com&sessionId etc where apiKey is the API key in my google-services.json. Given that I have restricted the API Key to my Android app package name, https requests for twitter login return an error. If I manually edit the url and put the Browser API key, it works fine but this is obviously not a practical solution for production.
Is there a way to tell AuthUI.IdpConfig.TwitterBuilder() to use a specific API Key so that I can pass the default Browser API key.
I have tried to manually edit google-services.json to add the Browser API Key and this fixes the Twitter Log in issue and breaks other calls to the server.
One work around is to have an extra key that your end users can have who you trust and check this via query params.
Const BrowserAPIKey = 'realKeyhere';
Create a unique key and save it as a constant in the function you call Twitter login.
Under the key variable call any URL and append a query param like so e.g. firebaseauth.com/twitter?key=123 and then pluck out the key by calling req.body.key so if you requested the API with a param called key. I.e. save this in another const e.g. const enteredKey = req.body.key. We expect 123 to be the resolved key if things are to work
Check if trusted clients got key right and release Browser API Key based on result:
If enteredKey = 123
// Call Twitter login api with real browser key
https://<project_name>.firebaseapp.com/__/auth/handler....apiKey=BrowserAPIKey...&providerId=twitter.com&sessionId
Assumptions:
This API accepts the browser key via a param called browserkey and spelt exactly that way
The BrowserAPIKey when in step 3 above contains the actual key that clients need to login with
I got in touch with Firebase support and this is expected behaviour if you restrict your API. In short, the API restriction for Android application is searching for package name and SHA-1 headers, the Twitter sign-in flow is based on a browser, so the headers are not sent, also there is no way to pass the headers through the browser.
The best approach would be using API restrictions (which APIs can my API be used for) rather than platform restrictions (which platforms can use this API key).
Related
I want to use distance matrix by google. When I use postman for checking my URL, it works fine, it returns correct JSON. When I do the same thing in my android app, I receive request denied. I'm not restricitng my key, i do not autorize it, I want it to be public and I want to use it everywhere if possible. There are post 5 years old saying that I might be using web browser Api key, but I cannot find specific, android app manual for android api key generator. What I am doing wrong?
request denied
Another thing, I cannot change anything in my account, but I dont think these options matter since they are optional.
Failed to save
I'm using Retrofit:
#GET("maps/api/distancematrix/json")
Call<DistanceResponseModel> getDistanceModel2(#Query("origins") String origins,
#Query("destinations") String destinations,
#Query("key") String key);
I've activated APi in CloudConsole
i'm adding key to the request
APIs are no restricted or unauthorized
I also added key to manifest and gradle with THIS manual
I was using http instead of https in my serivce generator. So yeah, lol.
In Google's OIDC guide, section Exchange code for access token and ID token states that I must provide a client_secret.
If I select the relevant client ID from the API console, I do indeed get a JSON file named client_secret_.... However, none of the fields of the JSON object are named secret or anything similar. (The fields are named client_id, project_id, auth_uri, token_uri, auth_provider_x509_cert_url, and redirect_uris.)
So, where do I get this client_secret?
I think the secrete used to be in the file but alternatively you can also find it by looking at the page were you downloaded your json file and you can also click the button to reset said secret.
I would make sure that the credentials are looking at are under OAuth 2.0 client IDs and not Service account keys or API keys only the first one needs a secret I believe.
Update from comments: Creating Oauth Client Id for android will not give you a secret because its not needed in android application should should probably be following Add google sign-in to your android App
Whenever I include my Google Play Services API key along with my request for Google Directions like in the code below:
private String makeDirectionsURL(double originLat, double originLong, double destLat, double destLong)
{
StringBuilder url = new StringBuilder();
//first part of url//
url.append("https://maps.googleapis.com/maps/api/directions/json?");
//start adding parameters//
//origin coordinates
url.append("origin="+originLat+","+originLong);
//destiniation coordinates
url.append("&destination=");
url.append(destLat+","+destLong);
//api key
url.append("&key=");
url.append(getResources().getString(R.string.google_api_key));
//NOTE: for some reason, the request suceeds when leaving out the api key
return url.toString();
}
When I include the api key as a parameter in the request, the json response shows that my request has been denied. The response reads:
{
"error_message" : "This IP, site or mobile application is not authorized to use this API key.",
"routes" : [],
"status" : "REQUEST_DENIED"
}
Yet the same api key works for my google map view - and my api console registers the accesses for the map view quota limit. Even odder yet, when I leave out the key parameter in the Directions request I get a valid JSON response.
I have a feeling that I have to generate another different api key for just the Google Directions service - but I'm not sure how to. The documentation here:
https://developers.google.com/maps/documentation/directions/#api_key
Says to visit the console and activate the Directions API service - I did.
Then it says my api key "will be available from the API Access page, in the Simple API Access section. Directions API applications use the Key for server apps." Now is where I'm confused - how can I use the key for server apps if I am accessing from a mobile device - I'm assuming this is for any webpages that wish to use the service - but what do I do for an android app. As I said, I already tried using my Simple API Access key for Android apps, which I know works, yet when I pass the same key to Google Directions - it mysteriously doesn't work...
Any help, vague guidance, or links to read up on would be really appreciated.
PS: If I can't figure this out - am I allowed to keep sending requests w/o a api key?
I think the issue is because you are trying to pass a server key which is directly tied to your server's IP address, when you should be passing an android app key.
In your Google APIs console, navigate to API's and Auth. From here you can create a new public API key.
When prompted, select Android Application
You will need to enter your device's SHA1 Certificate Fingerprint
This comes from the keystore used to sign the apk. When running an app in debug, you will most likely be using your IDE's debugging keystore. Google has a nice write up on how to get this information.
When releasing the app, you will need to sign it with your own key. You will either need to edit your API key to the new keystore SHA1 fingerprint or create a new API key.
Additionally, according to Google, you should be using a key.
All Directions API applications should use an API key. Including a key
in your request:
Allows you to monitor your application's API usage in the APIs
Console. Enables per-key instead of per-IP-address quota limits.
Ensures that Google can contact you about your application if necessary.
While I can't comment on how strictly they enforce this, I strongly encourage you to do so to avoid any issues down the road.
I have been doing a lot of research recently on securing my app engine. Currently, I've been reading through the question below and the links in that question:
How do I restrict Google App Engine Endpoints API access to only my Android applications?
However, it doesn't answer my problem. My question is similar to the question above, restricting access to my endpoint API to only my app. The guy seemed to have got it working when he inputs a correct email into the credentials.
My question is if I can achieve the same results without having to input any credentials. I want it so that only my app can use my endpoint API so to prevent other apps from abusing it and using up my quota. I already got a client id for my android application, and have placed it within my #API annotation. To test if it worked, I made a random value for the client id in the #API notation of another api class. However, my app was still able to use methods from both class. Any help?
-Edit-
From reading from the docs and researching further, the endpoint way of authorizing apps is by authenticating the user and for my API to check if user is null. My question is that in the process of authenticating the user, is Google somehow able to read my app's SHA1 fingerprint and authorize it to its list of client ids? If so, how can I replicate this process in my endpoint so that I check the SHA1 fingerprint of the app making the request and compare it to a set value? I don't understand the mechanics behind the endpoints very well, so correct me if I am understanding this wrong.
If the android app has access, then the user has access. A motivated party has many options for inspecting your protocol, including putting the device behind transparent proxy or simply running the app through a debugger. I do suggest running your app through ProGuard before publishing, as this will make the process [a bit] more difficult.
Ultimately, you'll need to make your appengine API robust against untrusted parties. This is simply the state of the web.
How you can protect your endpoint API is described here: http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
The secret is that you request a token from Google Play using the following scope: audience:server:client_id:9414861317621.apps.googleusercontent.com where 9414861317621.apps.googleusercontent.com is your ClientId.
Google Play will look up the id at your endpoints app and return a Google-signed JSON Web Token if it finds the id. Then you pass that id in with your request. Above article says you should pass it in with the body. I would possibly rather add another parameter for that because otherwise you can't pass your own entities anymore. Anyway, your server backend receives the token, and you ask Google as described if it is authentic, before you process the API request.
If you pass in the token using an extra parameter, you can catch it on the server side by adding HttpServletRequest to your endpoint signature and then using request.getHeader("Yourname") to read it out. Make sure you never add the parameter as a URL parameter as it may be logged somewhere.
public void endpointmethod(
// ... your own parameters here
final HttpServletRequest request
) throws ServiceException, OAuthRequestException {
request.getHeader("YourHeaderName") // read your header here, authenticate it with Google and raise OAuthRequestException if it can't be validated
On the Android side you can pass in your token when you build the endpoint api, like this, so you don't have to do it with each and every request:
Yourapiname.Builder builder = new Yourapiname.Builder(AndroidHttp.newCompatibleTransport(), getJsonFactory(), new HttpRequestInitializer() {
public void initialize(HttpRequest httpRequest) {
httpRequest.setHeader(...);
}})
Hope this helps you make your endpoints API secure. It should.
I am an Android developer building my first Google App Engine (java) back-end for my apps. I don't want anybody else to access this API other than my app. (I plan to use App engine for verifying InApp purchases in my Android app). My data is not relevant to users so,
I don't want users to be able to access my API even if they are logged in with their Google accounts (on web or Android devices).
I followed the steps mentioned in - "Specifying authorized clients in the API backend"
(https://developers.google.com/appengine/docs/java/endpoints/auth)
like generating client IDs and add them in #Api (clientIds and audiences)
except "Add a User parameter" - since I don't need user authentication.
Then I deployed App engine and I am still able to access the API through API explorer (https://your_app_id.appspot.com/_ah/api/explorer)
(I haven't added API_EXPLORER client ID)
I tested with the APK that was built with the endpoint libs before adding client IDs and can still access the API.
Is adding a "User parameter" to all endpoint APIs a must? to achieve my purpose (restrict API to only my Android apps).
Can I pass null as userAccount name from Android client and ignore user parameter value on server (since it will be null)? Will this ensure that the API is accessible only from my android apps (since the client ID is generated for my package name and SHA1 of the APK?)
Should I use something like a service account for this purpose?
The documentation says for Android, both Android and Web client IDs must be added and audience must be the same as web client ID. Does this open access to any other web client? can I skip mentioning web client ID and still achieve my purpose?
Appreciate your time and help.
...... updating with my further investigation ...
I did the following:
Added User parameter to APIs on backend - but did not check for null value. API can still be accessed without passing any credentials (from Android debug APK and API explorer)
Then, I tried
mCredential = GoogleAccountCredential.usingAudience(this, "server:client_id:" + WEB_CLIENT_ID);
mCredential.setSelectedAccountName(null);
and passed this credential to API builder (as suggested in some other posts)
Caused FATAL EXCEPTION. So, we can't pass null account name.
I could call the API using API explorer without OAuth. But when I enabled OAuth, it gave error saying this client ID is not allowed! ( I haven't yet added com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID in client_ids{})
Then I added code to throw OAuthRequestException on the backend if the user is null. This resulted in API explorer getting errors without OAuth. It works with OAuth enabled after adding API_EXPLORER_CLIENT_ID to client_ids)
Added code to pass valid user account name(email) from my Android app. Then, I am able to access API only with my release APK. Even the debug APK gets exceptions! - which is what I expected..So, I assume no other Android apps will be able to access this API.
So, not checking for null user on back-end API is a bad idea (as suggested in other posts). It is as good as not mentioning any client_ids and not having User param.
Only question I have at this moment is: If some one can figure out the WEB_CLIENT_ID from the APK, will they be able to use it to build a web client to access my API (I haven't mentioned client secret anywhere in the code. So I am thinking this is not possible).
I did search Google groups and Stackoverflow, but still it is not clear.
(Authenticate my “app” to Google cloud endpoints not a “user”)
Authenticate my "app" to Google Cloud Endpoints not a "user"
(How do I protect my API that was built using Google Cloud Endpoints?)
How do I protect my API that was built using Google Cloud Endpoints?
(Restrict access to google cloud endpoints to Android app)
Restrict access to google cloud endpoints to Android app
I had a similar issue, not between Android and App Engine, but between a separate server and App Engine. The way I handled it was to add a signature hash field as a parameter to each API call. If the request had an improper signature, it would be denied.
For example, suppose your API end-point is example.com/api/do_thing?param1=foo. I would hash the entire url, along with a secret key, and then append the result of the hash to the request: example.com/api/do_thing?param1=foo&hash=[some long hex value].
Then, on the server side, I would first remove the hash from the url request, then run the hash on everything that was remaining. Finally, you check whether the calculated hash matches the one that was sent with the request and if they don't, you can deny the request.
It is very important however that your secret key remain secret. You have to be careful with this on Android because someone could attempt to decompile your APK.
Facing the same problem than you ! Authenticate Android End point without Google User Account is just impossible !
So here is my way to resolv this problem, without any user interaction (Maybe not the right but that works, and you've got strong authentication (SHA1 + Google Account)):
HERE IS MY ANDROID CODE
Get and Build Valid Credential
//Get all accounts from my Android Phone
String validGoogleAccount = null;
Pattern emailPattern = Patterns.EMAIL_ADDRESS; // API level 8+
Account[] accounts = AccountManager.get(context).getAccounts();
for (Account account : accounts) {
if (emailPattern.matcher(account.name).matches()) {
//Just store mail if countain gmail.com
if (account.name.toString().contains("gmail.com")&&account.type.toString().contains("com.google")){
validGoogleAccount=account.name.toString();
}
}
}
//Build Credential with valid google account
GoogleAccountCredential credential = GoogleAccountCredential.usingAudience(this,"server:client_id:301991144702-5qkqclsogd0b4fnkhrja7hppshrvp4kh.apps.googleusercontent.com");
credential.setSelectedAccountName(validGoogleAccount);
Use this credential for secure calls
Campagneendpoint.Builder endpointBuilder = new Campagneendpoint.Builder(AndroidHttp.newCompatibleTransport(), new JacksonFactory(), credential);
HERE IS MY API BACKEND CODE:
API Annotation
#Api(
scopes=CONSTANTES.EMAIL_SCOPE,
clientIds = {CONSTANTES.ANDROID_CLIENT_ID,
CONSTANTES.WEB_CLIENT_ID,
com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID},
audiences = {CONSTANTES.ANDROID_AUDIENCE},
name = "campagneendpoint",
version = "v1"
)
Method code:
public Collection<Campagne> getCampagnes(#Named("NumPortable")String NumPortable, User user) throws UnauthorizedException {
if (user == null) throw new UnauthorizedException("User is Not Valid");
return CampagneCRUD.getInstance().findCampagne(NumPortable);
}
For the moment, it only works on Android (I don't know how we gonna do on IOS..)..
Hope It will help you !
Google provides ways to do this for Android, web and iOS
The steps involves:
Specifying a client Id for apps you want to allow to make requests to your API
Adding a User parameter to all exposed methods to be protected by authorization.
Generating the client library again for any Android clients
Redeploying your backend API.
Updating the regenerated jar file to your Android project for your Android client.
These steps are laid out in clear detail on Google's Using Auth with Endpoints and also on this blog
Facing the same problem, here are the result of my research :
Added Android cliend id with SHA1 fingerprint in Google console
Use of it in the API annotation
BUT :
If i dont add user parameter to methods : the check about android app client id does not work
If I add the USER parameter but do not ask the user to choose its google account to create the credential ... also it does not work ...
Conclusion : It seems to be mandatory to connect a user account for the check about the app client id to be executed ... I really do not understand why because no link exist between the 2 processes
Access this site
Choose your project, go to credentials section
Create a new api key
Create a new android key
Click on "Edit allowed android applications" and enter your SHA1 key; your android package name
Let me know if this solves the issues.