Using java sessions with CloudEndpoints


Amir Naor

May 29, 2017, 7:39:37 PM
to Google App Engine
I have a legacy GAE Java project that uses the standard Java sessions (with the default GAE support) to store the user ID following a custom authentication flow that involves another 3rd party.

I was looking to move from using raw servlets to Cloud Endpoints while keeping the current authentication flows, but was struggling to find a way to access the session from the API service class given all cookies are stripped from the request. Looks like this question is asked a lot but without a clear answer.

Finally I was able to get it to work by specifying "auth = @ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE)" in the @Api declaration.

My question is regarding potential flaws in this approach as I haven't seen any other example following it. Moreover the documentation says "be very cautious in enabling this setting, and make sure to require appropriate XSRF tokens to protect your API".

Is there a better way to achieve what I'm looking for? Any red flags I should be addressing?

Thanks in advance. 
George (Cloud Platform Support)

May 30, 2017, 11:49:55 AM
to Google App Engine
Hello Amir, 

You are right, there are red flags and warnings. By default, API methods do not allow cookie authentication, and require the use of OAuth2. You incur the risk of Cross-Site Request Forgery (CSRF). It is recommended to be very cautious in enabling this setting, and make sure to require appropriate XSRF tokens to protect your API.

Have you weighed the option of rewriting and implementing the recommended OAuth2 authentication instead: "For OAuth2 authentication, an OAuth2 token is issued to a specific client ID, which means that this client ID can be used for restricting access to your APIs. When you register an iOS or Android application in the Google Cloud Platform Console, you create a client ID for it. This client ID is the one requesting an OAuth2 token from Google for authentication purposes. When the back-end API is protected by auth, an OAuth2 access token is sent and opened by Google Cloud Endpoints, the client ID is extracted from the token, and then the ID is compared to the backend's declared acceptable Client ID list (the clientIds list)."

You can find related information in the "google endpoints (java), session cookies and iOS" thread.
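To make the "require appropriate XSRF tokens" advice concrete, here is an added illustration (not code from this thread, from Google, or from the original poster's project) of a Cloud Endpoints Frameworks (Java) API class that keeps the legacy servlet session as the identity source, enables cookie auth the way the original post does, and rejects every call that does not carry a valid synchronizer token. The package, class, method, session-attribute and header names are assumptions; the idea is that the legacy login servlet calls issueXsrfToken after the third-party SMS check succeeds and hands the token to the client outside any cookie, and the API then demands it back in a custom header on each request.

```java
// Added illustration, not code from the thread: a Cloud Endpoints Frameworks (Java)
// API that keeps the legacy servlet session as the identity source, enables cookie
// auth as the original poster did, and refuses every call that lacks a valid
// synchronizer (XSRF) token. Package, class, attribute and header names are assumed.
package com.example.legacy;   // hypothetical package

import com.google.api.server.spi.config.AnnotationBoolean;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiAuth;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

@Api(name = "legacy", version = "v1",
     // Cookie auth is off by default. Turning it on means a browser attaches the GAE
     // session cookie to cross-site requests as well, so every method below must
     // verify a token that an attacker's page cannot read or forge.
     auth = @ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE))
public class LegacyApi {

  // Session attribute names written by the legacy login servlet (assumed names).
  static final String USER_ID_ATTR = "userId";
  static final String XSRF_TOKEN_ATTR = "xsrfToken";
  // Request header the client must send on every call (assumed name).
  static final String XSRF_HEADER = "X-XSRF-Token";
  private static final SecureRandom RNG = new SecureRandom();

  /** Response body for getProfile. */
  public static class Profile {
    public String userId;
  }

  /**
   * Called by the legacy login servlet once the third-party SMS check has passed:
   * stores the user ID and a fresh random token in the session and returns the token
   * so the login response can hand it to the client in the body, never in a cookie.
   */
  public static String issueXsrfToken(HttpSession session, String userId) {
    byte[] raw = new byte[32];                 // 256 bits of entropy
    RNG.nextBytes(raw);
    String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    session.setAttribute(USER_ID_ATTR, userId);
    session.setAttribute(XSRF_TOKEN_ATTR, token);
    return token;
  }

  @ApiMethod(name = "profile.get", path = "profile", httpMethod = ApiMethod.HttpMethod.GET)
  public Profile getProfile(HttpServletRequest req) throws UnauthorizedException {
    // HttpServletRequest is an injected parameter type in Endpoints Frameworks;
    // the session cookie only reaches it because allowCookieAuth is enabled.
    Profile p = new Profile();
    p.userId = requireSessionUser(req);
    return p;
  }

  /**
   * Shared guard for every cookie-authenticated method: there must be an existing
   * session with a user ID, and the request must present that session's XSRF token
   * in a custom header. A cross-site form or script can make the browser send the
   * cookie, but cannot set this header to the right value, which is what defeats CSRF.
   */
  static String requireSessionUser(HttpServletRequest req) throws UnauthorizedException {
    HttpSession session = req.getSession(false);   // never create a session here
    if (session == null) {
      throw new UnauthorizedException("no session");
    }
    Object userId = session.getAttribute(USER_ID_ATTR);
    Object expected = session.getAttribute(XSRF_TOKEN_ATTR);
    String presented = req.getHeader(XSRF_HEADER);
    if (userId == null || expected == null || presented == null) {
      throw new UnauthorizedException("not authenticated");
    }
    // Constant-time comparison so the token cannot be recovered byte by byte via timing.
    byte[] a = expected.toString().getBytes(StandardCharsets.UTF_8);
    byte[] b = presented.getBytes(StandardCharsets.UTF_8);
    if (!MessageDigest.isEqual(a, b)) {
      throw new UnauthorizedException("bad XSRF token");
    }
    return userId.toString();
  }
}
```

Two points worth checking in a real deployment: the guard must run on every method that is reachable with the session cookie, not only on state-changing ones, since a cookie-authenticated GET that returns private data is just as exposed; and `getSession(false)` must be used so that an unauthenticated caller cannot make the API mint sessions. The token is bound to the server-side session rather than double-submitted in a cookie, so a subdomain that can set cookies cannot plant its own.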

Amir Naor

May 30, 2017, 12:38:53 PM
to Google App Engine
Thanks for this George.

I was looking into OAuth2 but it seems to support only Google consumer accounts on the client side. In my case I use a third party to authenticate iOS users via SMS and I need to maintain that flow & third party. Firebase and auth0 are not options for the same reason, that I can't switch a provider.

Is my understanding above correct? Or is there another way to implement a custom authentication flow? Any pointers will be helpful.

George (Cloud Platform Support)

Jun 1, 2017, 4:52:42 PM
to Google App Engine
As the situation looks at present, you are right. Firebase would allow using accounts other than Google consumer ones, but you can't switch provider.