We are using a framework called LibGdx, which allows you to write cross-platform code using only Java. We are developing for Android and iOS.
We have a datastore in Google cloud, as well as an Google app engine api we made to communicate with this datastore.
Now we want to secure this API, but cannot find good guidance on how to approach this for cross-platform. Since we have a mix of fb-login and email-login we need to use client credentials (i.e only our app is allowed to communicate with our API).
Using .NET you would send client credentials (Client ID/Cleint secret), then get an access token, not sure how to approach that in this scenario. We do not have any scopes or anything like that, we just want to secure our API so it can't just be called by anyone. So a simple Bearer-token would solve our issues. Just not sure where to begin.
you should have a look at Firebase Authentication
https://firebase.google.com/docs/auth/
Firebase supports several login providers like Google and Facebook. You will receive a token from Firebase Authentication which you have to forward to your API at Google App Engine.
You can use the Firebase Admin SDK at Google App Engine to validate the Token again
https://firebase.google.com/docs/admin/setup
Related
I have created the gRPC binding for the embedded_assistant.proto and now need to authenticate with Google Assistant SDK before I could send and receive data.
I have followed this guide but I am confused as to how do I authenticate with the OAuth file (client_secret_client-id.json) I've created.
Could somebody provide some example code to authenticate with the Google Assistant SDK?
Also, if possible could you also provide sample code on how to send a simple request from the user and get a response back from the Google Assistant after the Authentication process is setup?
You can look at how authentication is done in the example Android app for the Google Speech API, which should be much the same as needed for calling the Assistant API: https://github.com/GoogleCloudPlatform/android-docs-samples/tree/master/speech/Speech#set-up-to-authenticate-with-your-projects-credentials
Note: as described in the link, you would only want to use the client secret .json file for test Android apps, as this file should not be shipped in a released application. Some Google APIs support API key access from mobile devices, but this is method generally discouraged and not currently available for the Assistant API.
I have a web application that is written on Python / Google Appengine / WebApp2 framework. The web application has native (custom) authentication. The userid / password is managed by the application (and it does not use Google Accounts).
The web application needs to be extended to Mobile clients as well. So I am developing a native Android Client application and trying to integrate with Google Appengine.
For authentication from the Android Client to the Google app engine, I am trying to keep it very simple by using Google Cloud Endpoints. Can you please suggest if my approach below is correct ?
Generate a white list of client IDs using the Google app engine console (for Android, Web and eventually IOS).
Create a Google Cloud Endpoint backend Api (in Python) with the white list of clients(Web, android and IOS) as suggested here – https://cloud.google.com/appengine/docs/python/endpoints/getstarted/backend/
Create a backend library.
Import the library to the Android Client
My expectation after the above are as follows –
End users using the Google Cloud Endpoints Api (from Android Client) will authenticate the android client with Google App engine.
As part of this secure authentication of the Client-GAE, I can then pass the user login-id as a parameter of the API calls and get data / post data for that particular userid.
I am storing the userid (not the password) for the end-user using local storage in the mobile client.
Can you please suggest if my approach above is correct? I purposefully would like to avoid using Google Accounts based authentication from Android Client to the GAE.
In order to get an App Engine user instance injected into your API method by Google Cloud Endpoints, you do need to be using a Google account in the Android app. The service builder in your Android code takes a GoogleAccountCredential.
You can still support your own userid and password, but you can't leverage the user injection if you do.
[EDIT]
If you're not going to use Google Accounts in the Android app, forget the SHA1 and API key. You're going to have to roll your own auth. It's up to you how you do this, but you might start your session with an API call that takes a username and password and returns a token. All other API calls might take that token and check it for validity before returning a result, for example.
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
I just started to learn GAE and noticed that there can be access to my servlets from anywhere.
My GAE is only used by an Android app to store user data and to keep track of users and GCM regId's.
The expensive GAE SSL implementation in this stage is overkill for me so I need advice on alternative solutions. I read many answers about this and and they all using some form of HTTP login page or other browser related access. I use com.android.volley in my Android app.
Any advice would be grate.
For *.appspot.com domains, SSL is available. Please refer to the following for configuring your application : https://developers.google.com/appengine/docs/java/config/webxml#Secure_URLs
You could also look at Google Cloud Endpoints to expose your APIs and ensure that you enable security for the different methods that you expose. You can also specify the Client Ids that the Android Application will be using to authenticate itself to your Endpoints implementation. https://developers.google.com/appengine/docs/java/endpoints/ '
Check out Android Endpoints client too : https://developers.google.com/appengine/docs/java/endpoints/consume_android
In my app my cloud services are provided by google drive (formely google docs)
to interact with google docs I use this library:
http://code.google.com/p/google-api-java-client/
It works great but requires that the device has the Google Apis on it and a google account set up
Is there any other way to authenticate on google docs without using this library?
Or do I have to migrate my cloud provider to Dropbox?
Thank you
Your best bet is to use OAuth 2.0 using the Client-side flow which is designed (partly) for mobile devices.
Basically what you'll have to do is use a Web View and redirect your users to the OAuth 2.0 grant page and then after they have granted you access to their data you simply:
Catch the auth code inside the web view
Close the web view
Exchange the auth code for a refresh and an access token
Keep the refresh token in your local database because it gives you unlimited access to the API => no need to trigger Auth flows any more.
That's it! With the newly acquired OAuth 2.0 Access Token and Refresh Token you've got all you need to access the user's Drive data on their behalf and use the API. You've circumvented the Android Account Manager.
There might even be some OAuth 2.0 / Web View client libraries available somewhere for Android, that would help a lot.
PS: this technique is widely used, for instance on iOS if you use the Facebook library, it will first check if there is the Facebook app installed. If the Facebook app is not installed it will use OAuth 2 and the Web View technique automatically. Google's Objective-C client library also uses that technique (as I've heard, never used it).