Securing access between GAE applications


Mateusz Haligowski

Jan 4, 2017, 2:39:13 PM
to Google App Engine
Hi google-appengine,
I started playing with GAE a couple of weeks ago and absolutely love it. I created a bunch of REST services with Go and deployed them to GAE. I've also created a webapp that talks to my backend services.

Now, I want to handle the user authentication with Auth0 on the webapp side, and came to realization that my backend services are publicly available. My question is: what is the approach to secure them? Is there any way to tell GAE "Accept only http(s) calling from other GAE services?".

Thanks,
Mateusz

Evan Jones

Jan 4, 2017, 4:06:01 PM
to Google App Engine
You can check the X-Appengine-Inbound-Appid header on requests coming in to your service. On App Engine, it will be set by Google, so you can trust it. Check that it matches the project(s) you expect, and return some HTTP error if it doesn't match. See:
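
One way to implement the check Evan describes, as an added example in Go (not code from this thread or from Google): a middleware that allows a request through only when X-Appengine-Inbound-Appid carries a project id from an allowlist. The project id "my-webapp-project" is a hypothetical placeholder, and the example assumes, as confirmed later in the thread, that App Engine strips this header from requests arriving from outside the platform. CheckInbound drives the middleware through an in-memory request so the policy can be exercised locally before deploying.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// Header that the App Engine frontend sets on requests arriving from another
// App Engine app. The thread reports that an identically named header sent by
// an external client is stripped before the request reaches the handler, which
// is the assumption this check relies on.
const inboundAppIDHeader = "X-Appengine-Inbound-Appid"

// RequireInboundAppID wraps h and serves it only when the request carries an
// X-Appengine-Inbound-Appid value present in allowed; otherwise it responds 403.
func RequireInboundAppID(allowed map[string]bool, h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		appID := r.Header.Get(inboundAppIDHeader)
		if appID == "" || !allowed[appID] {
			// Log the rejected caller for detection, but do not echo it back.
			log.Printf("rejected %s %s: inbound app id %q not allowed", r.Method, r.URL.Path, appID)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// backend stands in for one of the REST services; it is only reachable
// through the middleware.
func backend(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "ok")
}

// CheckInbound sends one request with the given app id through the middleware
// and returns the resulting HTTP status. An empty appID sends no header at all,
// which is what an external request looks like once App Engine has stripped it.
func CheckInbound(allowed map[string]bool, appID string) int {
	h := RequireInboundAppID(allowed, http.HandlerFunc(backend))
	req := httptest.NewRequest(http.MethodGet, "/api/v1/items", nil)
	if appID != "" {
		req.Header.Set(inboundAppIDHeader, appID)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Hypothetical project id of the webapp that may call this service.
	allowed := map[string]bool{"my-webapp-project": true}

	// Exercise the policy locally: allowed caller, external caller, other project.
	for _, id := range []string{"my-webapp-project", "", "some-other-project"} {
		log.Printf("inbound app id %q -> HTTP %d", id, CheckInbound(allowed, id))
	}

	http.Handle("/api/", RequireInboundAppID(allowed, http.HandlerFunc(backend)))
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

The check is only as strong as the platform's header stripping: it holds while the service sits behind the App Engine frontend, and it becomes spoofable the moment the same binary is exposed directly (for example, run locally or moved to another host), so the middleware should be applied to every route rather than to individual handlers.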

Mateusz Haligowski

Jan 4, 2017, 5:36:07 PM
to Google App Engine
That sounds like a great idea, but does AppEngine guarantee that there is no way to spoof the header? I can always just make a curl request with the header set, and the project id is also a part of the URL, isn't it?

Evan Jones

Jan 4, 2017, 5:54:00 PM
to Google App Engine
Yes, I'm pretty sure that Google strips that header from any external requests, so it can't be spoofed. I can't find anything that explicitly says that in the official documentation, but there are hints in the following sources. If I were you, I would verify that this is true before you rely on it:




--
You received this message because you are subscribed to a topic in the Google Groups "Google App Engine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-appengine/FAxqswxW4dk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/ce6063f9-d974-4eed-beec-f1469bf15145%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Nick (Cloud Platform Support)

Jan 5, 2017, 7:35:05 PM
to Google App Engine
Hey Mateusz,

Yes, this header will be stripped if present from an external source. I've just verified this now. It must be a "slip of the pen" that the docs don't mention this explicitly. I'll make sure that we get that updated.

Cheers,

Nick
Cloud Platform Community Support

Attila-Mihaly Balazs

Jan 7, 2017, 2:19:18 AM
to Google App Engine
It is partially documented here: https://cloud.google.com/appengine/docs/python/outbound-requests#request_headers (though it doesn't make it clear that headers are also stripped when the request is coming from outside of GAE or when using sockets for example).

Nick (Cloud Platform Support)

Jan 10, 2017, 4:28:14 PM
to Google App Engine
Hey Attila,

It's exactly to get those docs updated that we've taken notice of this. Thanks for linking that doc.


Cheers,

Nick
Cloud Platform Community Support

Attila-Mihaly Balazs

Jan 11, 2017, 2:22:59 AM
to Google App Engine
Just another note: you can also check if the source IP is in the ranges documented by Google (see "Static IP Addresses and App Engine apps" here: https://cloud.google.com/appengine/kb/), though that would mean that any request coming from any Google property (including other users' App Engine apps / Compute Engine instances / etc.) would pass that filter.

Cheers,
Attila
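
The source-range filter Attila mentions, as an added example in Go (not code from this thread or from Google): the caller supplies the CIDR list Google publishes, the middleware rejects any request whose peer address is outside it, and CheckSource drives it with a chosen RemoteAddr so it can be tested offline. The ranges used in main are constructed documentation-prefix placeholders, not Google's ranges. The example assumes the request's RemoteAddr is the originating address; if a proxy sits in front of the service, the address the proxy reports would have to be used instead.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
)

// ParseAllowedNets turns CIDR strings into networks and rejects malformed
// entries up front, so a typo in the list fails at startup rather than
// silently allowing or blocking traffic.
func ParseAllowedNets(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// sourceIP extracts the peer address from r.RemoteAddr ("host:port",
// with IPv6 hosts in brackets). Returns nil if the address does not parse.
func sourceIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // assume no port was present
	}
	return net.ParseIP(host)
}

// RequireSourceNet serves h only when the peer address lies inside one of nets.
// Note the coarseness Attila points out: every address in the ranges passes,
// whoever is behind it.
func RequireSourceNet(nets []*net.IPNet, h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip := sourceIP(r)
		for _, n := range nets {
			if ip != nil && n.Contains(ip) {
				h.ServeHTTP(w, r)
				return
			}
		}
		log.Printf("rejected %s %s from %s: source not in allowed ranges", r.Method, r.URL.Path, r.RemoteAddr)
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// CheckSource runs one request with the given RemoteAddr through the
// middleware and returns the resulting HTTP status.
func CheckSource(cidrs []string, remoteAddr string) (int, error) {
	nets, err := ParseAllowedNets(cidrs)
	if err != nil {
		return 0, err
	}
	h := RequireSourceNet(nets, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/v1/items", nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, nil
}

func main() {
	// Constructed placeholder ranges; substitute the ranges Google documents.
	cidrs := []string{"203.0.113.0/24", "2001:db8::/32"}
	for _, addr := range []string{"203.0.113.7:51234", "198.51.100.9:443", "[2001:db8::1]:8080"} {
		code, err := CheckSource(cidrs, addr)
		if err != nil {
			log.Fatal(err)
		}
		log.Printf("%s -> HTTP %d", addr, code)
	}
}
```

Because this filter admits every address in the ranges, it is at best a coarse outer layer in front of the per-app header check, not a replacement for it.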

Thijs Koerselman

Mar 12, 2018, 1:16:56 PM
to Google App Engine
The question was about securing HTTP access by checking traffic coming from a webapp. The X-Appengine-Inbound-Appid header only applies to requests from apps running *inside* the app engine environment calling other apps in the same environment.

I was hoping to use the header too, but it can't be used for anything related to a web or mobile client calling your API.

If anyone knows a nice solution to this I'd love to hear about it.

So far the only solution I know is to send credentials in the Authenticate header and verify them, but this would create a lot of overhead for a simple REST API. I need to verify users against a Firebase instance. Is there a way to issue a JWT token or something on Firebase login?

Cheers,
Thijs

Thijs Koerselman

Mar 13, 2018, 12:54:24 PM
to Google App Engine
Forgive me. I think I've misread the original question.

Anyway for anyone like me arriving here looking to secure HTTP access from outside GAE, this is the way to go:
