Google App Engine Authentication with Google Apps domain account

[sugumar.p sugu]

I have created google end-point API with authentication(User) for access native android app. my requirement is to authenticate via my organization google apps domain. There is a option to set the privileges for particular domain users to access the API. But is not working. I need to know more about the configuration(Google app engine->Setting->Authentication->Google apps domain->mycompany.com) or else I did something wrong... Please guide me. 

[Adam (Cloud Platform Support)]

This seems like a question that would be better posted to Stack Overflow, rather than a discussion post. The google-appengine group is intended more for general discussion rather than technical assistance. Please see the main Community Support page for a list of the tags we monitor.

With that being said, please provide some details so that we're able to understand your issue. How is it not working? How is your code currently handling authentication with the Users API? Does it work when using 'Google Accounts API'?

[sugumar.p sugu]

Actually we have created the backend module for our android app in Google cloud module. For more info check here

https://cloud.google.com/appengine/docs/java/endpoints/helloendpoints-android-studio.

We also did the validation for authenticating users in backend module(Google cloud module) following the below reference,

https://cloud.google.com/appengine/docs/java/endpoints/add-authorization-backend.

And also we picked the authentication option as Google Apps domain. And also we did the below configuration in 

console.cloud.google.com,(Google app engine->Setting->Authentication->Google apps domain->mycompany.com)

 

We followed the below reference for client application(android app) to make API call,

https://cloud.google.com/appengine/docs/java/endpoints/calling-from-android.

Now we are expecting like the login success will happen only the registered Google apps domain users (Ex:us...@mycompany.com). But all the google account users getting success login.

So kindly provide you advice to make the expected workflow.

[Adam (Cloud Platform Support)]

As a troubleshooting step, make sure that you create the project as a Google Apps user and that you select your Google Apps organization on the project creation page as it cannot be changed later. Make sure that you set the authentication type to 'Google Apps Domain' before deploying your app for the first time.

On the old console, the authentication type needed to be selected on project creation and couldn't be changed after the Users API was used for the first time, so there may be issues with changing the authentication type later after you've already deployed your app.

If this doesn't work, please share an example of the code your app uses to handle user authentication with the Users API.

[sugumar.p sugu]

* We tried to select a google apps organization on project creation page, but this option was not 

available in google cloud platform console. we try to create a project using admin domain account 

(ad...@myoraganization.com).   

Following code we used to create Endpoint API with authentication:

@Api(

        name = "myApi",

        clientIds = {

                WEB_CLIENT_ID,

                ANDROID_CLIENT_ID,

                API_EXPLORER_CLIENT_ID},

        audiences = {ANDROID_AUDIENCE},

        scopes = {EMAIL_SCOPE},

        version = "v1",

        namespace = @ApiNamespace(

                ownerDomain = "backend.myapplication.example.com",

                ownerName = "backend.myapplication.example.com",

                packagePath = ""

        )

)

public class MyEndpoint {

    @ApiMethod(name = "sayHi")

    public MyBean sayHi(@Named("name") String name, User user) {

        

MyBean response = new MyBean();

        if (user == null) {

            response.setData("Invalid Access..");

            return response;

        }

        response.setData("Hi, " + name + " Authentication Mail : " + user.getEmail());

        return response;

    }

}

Following code we used to call MyApi from android application: 

GoogleAccountCredential googleAccountCredential =

        GoogleAccountCredential.usingAudience(MainActivity.this, "server:client_id:" + WEB_CLIENT_ID);

googleAccountCredential.setSelectedAccountName(SELECTED_ACCOUNT_NAME);

MyApi.Builder myAPIBuilder = new MyApi.Builder(AndroidHttp.newCompatibleTransport(),

        new AndroidJsonFactory(), googleAccountCredential);

myAPIBuilder.setGoogleClientRequestInitializer(new GoogleClientRequestInitializer() {

    @Override

    public void initialize(AbstractGoogleClientRequest<?> abstractGoogleClientRequest) throws IOException 

{

        abstractGoogleClientRequest.setDisableGZipContent(true);

    }

});  

myAPIBuilder.setRootUrl(ROOT_URL);

MyApi myApi = myAPIBuilder.build();

MyBean myBean = myApi.sayHi(" Call From Android Application ").execute(); 

 

[Adam (Cloud Platform Support)]

It looks like you might be using the wrong User import, which happens commonly as there are two of them. Make sure you're using the import from the App Engine API and not the one from Endpoints:

import com.google.appengine.api.users.User;

Using 'com.google.api.server.spi.auth.common.User' will only work with Google Accounts Authentication and has a limited number of methods. I've tested this myself and it does work and there are no issues when using it along side a resource parameter or HttpServletRequest parameter:

import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import javax.servlet.http.HttpServletRequest;
import com.google.appengine.api.users.User;  // Need this import when using Google Apps Domain auth

@Api(name = "myApi", version = "v1")
public class TestAPI {

    @ApiMethod(name = "test")
    public Response test(HttpServletRequest request, User user, BodyParams params) {
        Response response = new Response();

        if (user == null) {
            response.setEmail("unauthorized");
            return response;
        }
                       
        // Do something with the 'request' parameter
        // Do something with the 'params' resource parameter
       
        response.setEmail(user.getEmail());
        return response;
    }
}

Please let me know if you still have issues and if so please post your full code including the imports.

[sugumar.p sugu]

As per your point on aug 10 we tried to create project ( As a Google Apps user and that you select your Google Apps organization on the project creation page ). But organization selection menu was not available in project creation page in console.

We also tried domain admin account but we can't see any option to select for my organization. 

As per your suggested package (com.google.appengine.api.users.User) only used to authenticate google apps domain

These are a full code

import com.google.api.server.spi.config.Api;

import com.google.api.server.spi.config.ApiMethod;

import com.google.api.server.spi.config.ApiNamespace;

import javax.inject.Named;

import com.google.appengine.api.users.User;

import static com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID;

/**

 * An endpoint class we are exposing

 */

@Api(

        name = "myApi",

        clientIds = {

                Constants.WEB_CLIENT_ID,

                Constants.ANDROID_CLIENT_ID,

                API_EXPLORER_CLIENT_ID},

        audiences = {Constants.ANDROID_AUDIENCE},

        scopes = {Constants.EMAIL_SCOPE},

        version = "v1",

        namespace = @ApiNamespace(

                ownerDomain = "backend.myapplication.p.sugumar.example.com",

                ownerName = "backend.myapplication.p.sugumar.example.com",

                packagePath = ""

        )

)

public class MyEndpoint {

    /**

     * A simple endpoint method that takes a name and says Hi back

     */

[Adam (Cloud Platform Support)]

Are you saying that 'com.google.appengine.api.users.User' isn't working for you? When I test it it authenticates only the Google Apps domain otherwise the User object is null as expected.

[sugumar.p sugu]

I don't think com.google.appengine.api.users.User is not working. But I am thinking that I didn't properly created project for Google apps domain authentication. Because, There is no option like Google Apps organization on the project creation page in my cloud console

[Adam (Cloud Platform Support)]

The 'Organization' option on project creation is actually related to enterprise billing and not Google Apps, so you should be ok. You only need to specify your Google Apps domain under App Engine -> Settings. I've confirmed this works on a regular project without any organization specified.