I have a web application that is written on Python / Google Appengine / WebApp2 framework. The web application has native (custom) authentication. The userid / password is managed by the application (and it does not use Google Accounts).
The web application needs to be extended to Mobile clients as well. So I am developing a native Android Client application and trying to integrate with Google Appengine.
For authentication from the Android Client to the Google app engine, I am trying to keep it very simple by using Google Cloud Endpoints. Can you please suggest if my approach below is correct ?
Generate a white list of client IDs using the Google app engine console (for Android, Web and eventually IOS).
Create a Google Cloud Endpoint backend Api (in Python) with the white list of clients(Web, android and IOS) as suggested here – https://cloud.google.com/appengine/docs/python/endpoints/getstarted/backend/
Create a backend library.
Import the library to the Android Client
My expectation after the above are as follows –
End users using the Google Cloud Endpoints Api (from Android Client) will authenticate the android client with Google App engine.
As part of this secure authentication of the Client-GAE, I can then pass the user login-id as a parameter of the API calls and get data / post data for that particular userid.
I am storing the userid (not the password) for the end-user using local storage in the mobile client.
Can you please suggest if my approach above is correct? I purposefully would like to avoid using Google Accounts based authentication from Android Client to the GAE.
In order to get an App Engine user instance injected into your API method by Google Cloud Endpoints, you do need to be using a Google account in the Android app. The service builder in your Android code takes a GoogleAccountCredential.
You can still support your own userid and password, but you can't leverage the user injection if you do.
[EDIT]
If you're not going to use Google Accounts in the Android app, forget the SHA1 and API key. You're going to have to roll your own auth. It's up to you how you do this, but you might start your session with an API call that takes a username and password and returns a token. All other API calls might take that token and check it for validity before returning a result, for example.
Related
I am trying to make an android app to get my VSO items.
I am following the documentation here for the OAuth flow https://www.visualstudio.com/en-us/docs/integrate/get-started/auth/oauth
The authorisation and authentication calls require a redirect_uri to be passed in the POST requests. What would be that value for an Android app?
The URL must be secured as per VSTS guidelenes.
Based on Authorize access to REST APIs with OAuth 2.0 article:
Q: Can I use OAuth with my phone app? A: No. Right now, Visual Studio
Team Services only support the web server flow, so there's no
supported way to implement OAuth for Visual Studio Team Services from
an app like a phone app, since there's no way to securely store the
app secret.
The workaround is that you can build a web app, then send the request to that web app from your Android app to retrieve necessary data.
Update:
If you can use Personal Access Token or Alternate authentication credentials, you can use it on your android app directly. (Can't access account and profile information)
We are using a framework called LibGdx, which allows you to write cross-platform code using only Java. We are developing for Android and iOS.
We have a datastore in Google cloud, as well as an Google app engine api we made to communicate with this datastore.
Now we want to secure this API, but cannot find good guidance on how to approach this for cross-platform. Since we have a mix of fb-login and email-login we need to use client credentials (i.e only our app is allowed to communicate with our API).
Using .NET you would send client credentials (Client ID/Cleint secret), then get an access token, not sure how to approach that in this scenario. We do not have any scopes or anything like that, we just want to secure our API so it can't just be called by anyone. So a simple Bearer-token would solve our issues. Just not sure where to begin.
you should have a look at Firebase Authentication
https://firebase.google.com/docs/auth/
Firebase supports several login providers like Google and Facebook. You will receive a token from Firebase Authentication which you have to forward to your API at Google App Engine.
You can use the Firebase Admin SDK at Google App Engine to validate the Token again
https://firebase.google.com/docs/admin/setup
Actually we have created the backend module for our android app in Google cloud module.
We also did the validation for authenticating users in backend module(Google cloud module) following the below reference,
And also we picked the authentication option as Google Apps domain. And also we did the below configuration in console.cloud.google.com,
(Google app engine->Setting->Authentication->Google apps domain->mycompany.com)
We followed the below reference for client application(android app) to make API call,
[https://cloud.google.com/appengine/docs/java/endpoints/calling-from-android].
Now we are expecting like the login success will happen only the registered Google apps domain users (Ex: user#mycompany.com). But all the google account users getting success login.
So kindly provide you advice to make the expected workflow.
If the invocation of the service EndPoint you realize it from the web , you can use https://cloud.google.com/appengine/docs/java/users/ otherwise check authentication control endpoint.
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
In my app my cloud services are provided by google drive (formely google docs)
to interact with google docs I use this library:
http://code.google.com/p/google-api-java-client/
It works great but requires that the device has the Google Apis on it and a google account set up
Is there any other way to authenticate on google docs without using this library?
Or do I have to migrate my cloud provider to Dropbox?
Thank you
Your best bet is to use OAuth 2.0 using the Client-side flow which is designed (partly) for mobile devices.
Basically what you'll have to do is use a Web View and redirect your users to the OAuth 2.0 grant page and then after they have granted you access to their data you simply:
Catch the auth code inside the web view
Close the web view
Exchange the auth code for a refresh and an access token
Keep the refresh token in your local database because it gives you unlimited access to the API => no need to trigger Auth flows any more.
That's it! With the newly acquired OAuth 2.0 Access Token and Refresh Token you've got all you need to access the user's Drive data on their behalf and use the API. You've circumvented the Android Account Manager.
There might even be some OAuth 2.0 / Web View client libraries available somewhere for Android, that would help a lot.
PS: this technique is widely used, for instance on iOS if you use the Facebook library, it will first check if there is the Facebook app installed. If the Facebook app is not installed it will use OAuth 2 and the Web View technique automatically. Google's Objective-C client library also uses that technique (as I've heard, never used it).