I am a little confused by these APIs. I am trying to integrate Google+ with my Android app and I am struggling a little. I have been successful at logging in a user using OAuth2, created a Verifier, obtained an accessToken and made a request to Google+ API.
Here is my line of code requesting to see the user information:
OAuthRequest request = new OAuthRequest(Verb.GET, "https://www.googleapis.com/plus/v1/people/me");
This successfully returns a jSON object containing my information/public.
Whenever I change the endpoint to this:
"https://www.googleapis.com/plusDomains/v1/circles/p4643b3a289c42c44"
attempting to use the PlusDomains, I get a forbidden message.
What I really want to do is manage circles for a user (simply add a page to their "Following" circle. That is all I need.
What am I doing wrong? Am I trying to use the wrong endpoint? Does Google+ API allow me to do POST requests?
Every piece of information is helpful.
Thanks in advance!
Google+API and Google+Domains API are different APIs (activating/allowing one does not activate/allow the other).
The Domains API can be considered as a more powerfull (more functionnalities) than Google+API.
See comparison of the two API here on the official doc.
Link here
Related
I am working on a project using WMATA (DC Metro) API and I need to retrieve some data such as stations names, pathing of two stations...
I have an API Key but I don't know to do the networking part.
Should WMATA return an OAuthToken? How can I send a request?
No, you don't need OAuthToken or any Auth method, you just need to send your api_key at request header. There are a lot of example on wmata documentation. You can use Java examples as a reference for Kotlin.
Look at the Java section bottom of this page and find this line:
request.setHeader("api_key", "{subscription key}");
Change
{subscription key}
with your API Key
I have been doing a lot of research recently on securing my app engine. Currently, I've been reading through the question below and the links in that question:
How do I restrict Google App Engine Endpoints API access to only my Android applications?
However, it doesn't answer my problem. My question is similar to the question above, restricting access to my endpoint API to only my app. The guy seemed to have got it working when he inputs a correct email into the credentials.
My question is if I can achieve the same results without having to input any credentials. I want it so that only my app can use my endpoint API so to prevent other apps from abusing it and using up my quota. I already got a client id for my android application, and have placed it within my #API annotation. To test if it worked, I made a random value for the client id in the #API notation of another api class. However, my app was still able to use methods from both class. Any help?
-Edit-
From reading from the docs and researching further, the endpoint way of authorizing apps is by authenticating the user and for my API to check if user is null. My question is that in the process of authenticating the user, is Google somehow able to read my app's SHA1 fingerprint and authorize it to its list of client ids? If so, how can I replicate this process in my endpoint so that I check the SHA1 fingerprint of the app making the request and compare it to a set value? I don't understand the mechanics behind the endpoints very well, so correct me if I am understanding this wrong.
If the android app has access, then the user has access. A motivated party has many options for inspecting your protocol, including putting the device behind transparent proxy or simply running the app through a debugger. I do suggest running your app through ProGuard before publishing, as this will make the process [a bit] more difficult.
Ultimately, you'll need to make your appengine API robust against untrusted parties. This is simply the state of the web.
How you can protect your endpoint API is described here: http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
The secret is that you request a token from Google Play using the following scope: audience:server:client_id:9414861317621.apps.googleusercontent.com where 9414861317621.apps.googleusercontent.com is your ClientId.
Google Play will look up the id at your endpoints app and return a Google-signed JSON Web Token if it finds the id. Then you pass that id in with your request. Above article says you should pass it in with the body. I would possibly rather add another parameter for that because otherwise you can't pass your own entities anymore. Anyway, your server backend receives the token, and you ask Google as described if it is authentic, before you process the API request.
If you pass in the token using an extra parameter, you can catch it on the server side by adding HttpServletRequest to your endpoint signature and then using request.getHeader("Yourname") to read it out. Make sure you never add the parameter as a URL parameter as it may be logged somewhere.
public void endpointmethod(
// ... your own parameters here
final HttpServletRequest request
) throws ServiceException, OAuthRequestException {
request.getHeader("YourHeaderName") // read your header here, authenticate it with Google and raise OAuthRequestException if it can't be validated
On the Android side you can pass in your token when you build the endpoint api, like this, so you don't have to do it with each and every request:
Yourapiname.Builder builder = new Yourapiname.Builder(AndroidHttp.newCompatibleTransport(), getJsonFactory(), new HttpRequestInitializer() {
public void initialize(HttpRequest httpRequest) {
httpRequest.setHeader(...);
}})
Hope this helps you make your endpoints API secure. It should.
I am trying to implement a Sample application in Android which gets the malware and phishing list from safe Browsing API and checks the authenticity of URL, this is client side method, but I am constantly getting 400 (Bad Request) as response code when I am trying to hit the URL.
Searched throughout the internet but couldn't get any sample working code.
Even on Developer's Guide page https://developers.google.com/safe-browsing/developers_guide_v2 it is not mentioned how to send the list name correctly in POST request for downloading or updating.
Please help me by providing the correct procedure of how to send list name (if code snippet can be posted, it would be great as I am new to Android.)
Check out that request should end with '\n'. It is common to ignore this. I hope it helps.
I try to use Google oauth to authenticate users on my android app.
Then I would like to send it to my app server so it can connect at any time with Google calendar.
I tried to use
GoogleAuthUtil.getToken(getApplicationContext(), mAccountName, mScope);
Following this article:
https://developers.google.com/accounts/docs/CrossClientAuth
When I use it with scope
mScope = "oauth2:https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile";
I get a token, which is valid for an hour
But when I try to get an authorization code (so I can get a refresh token that is valid for longer time, using
mScope2 ="oauth2:server:client_id:{CLIENT_ID}.apps.googleusercontent.com"+ ":api_scope:https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile";
I receive either "invalid_scope" or "Unknown" exceptions.
What am I doing wrong?
EDIT:
OK, After creating a new app on google API console and adding plus.login to the scope I get a code, but for some reason my server can't resolve this token. When tying to resolve server gets an error about the redirection URL.
BTW, When I do the web flow with same parameters it works.
OK, found the solution, I expected Google to have a lot better documentation about working with Google Oauth and Android. A few things you have to know to work with Android and offline token
When you create google Client ID Don't create a service application before you create a web application
Must include https://www.googleapis.com/auth/plus.login in your scope
The weirdest, to resolve the one time authorization code on my server, I had to use the redirection URL from the Android client ID details (which doesn't even look like a url) and not from the Web client details on Google API console.
That scope string is only documented to work when passed to GoogleAuthUtil(), see http://developer.android.com/reference/com/google/android/gms/auth/GoogleAuthUtil.html, on Android. But it would be cool if it worked on iOS too; our infrastructure there is a little behind where we’re at on Android.
I have had the same issue then i realised that my app is not published and is in debug mode, so i had to add test users to the Google project -> Consent Screen, then i was able to fetch the token for the added test user.
You just need to follow the correct steps/format for specifying the scopes. Find them here https://developers.google.com/android/guides/http-auth#SpecifyingScopes
I'm creating app that use autocomplete places google api.
And I don't know what is wrong but all the time I got responses like:
{
"predictions" : [],
"status" : "REQUEST_DENIED"
}
I send req : https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Paris&types=geocode&language=fr&sensor=true&key=mykey
Documentation says :
REQUEST_DENIED indicates that your request was denied, generally because of lack of a sensor parameter.
I have sensor parameter, maybe it is something with api key.
Is there any page where can I get google's log :), to see why I got REQUEST_DENIED?
I use api key from :
http://code.google.com/intl/pl-PL/android/maps-api-signup.html
Maybe I have to get an api key from somewhere else.
You should be able to view your API Key by going to the API Console first:
https://code.google.com/apis/console
If you haven't yet, you will need to create a new "Project" and then enable the Predictions services first by using the On/Off switch.
Please post your results, I have a similar problem with getting the REQUEST_DENIED response, but I've already got the API key and I'm using the sensor parameter like their documentation states.
It is frustrating that Google doesn't give any sort of response code along with REQUEST_DENIED so you can see why it's denying it. This will be difficult to support and troubleshoot in a production environment if this randomly goes out without providing any details as to why.
Update:
I just found this works for me now, but only after changing my requests to GET requests instead of POST. For reasons unknown, Google returns REQUEST_DENIED for POST requests but allows the same request via GET. A quick test for you to see if this is your problem would be to put the URL together with your API key and other parameters and try it through your browser instead. If that works then just rewrite your Android code to use GET instead of POST and you should be all set.
It was solved for me when I exchanged the API key. I was using the one under Android device, I changed it to the one "Key for browser apps (with referers)" and it worked for me although I'm using Android Device.
I recommend using .getJson() to get an error message along with your response to know what is exactly wrong.
For my case in flutter: I used googlePlace!.autocomplete.getJson(value);
and i got the following response.
{ "error_message" : "You must enable Billing on the Google Cloud Project at https://console.cloud.google.com/project/_/billing/enable Learn more at https://developers.google.com/maps/gmp-get-started", "predictions" : [], "status" : "REQUEST_DENIED" }
That's the wrong API key. Follow the steps here to get the right one.
Make sure you API keys are generated correctly and that you have enabled the necessary APIS.
In my case, when designing iOS application - I need to enable Google Maps SDK for iOS, Google Places API for iOS
And most importantly, and without being mentioned by Google (in any other place as well) enable Google Places API Web Service.
With this, I ended a 2 day search for my pesky problem.
And, of course, make sure you use Key for server applications