How to implement endpoint authentication without hardcoding client identifiers?


Cezary Wagner

Jun 17, 2014, 4:34:50 AM
to google-a...@googlegroups.com

How can I secure endpoints with authentication using for example Google Accounts or OAuth2?

Is it possible to do it at all?

I have read many samples on the web but have not found a solution that allows keeping the user database out of the code.

The current authentication solution, appengine-endpoints-helloendpoints-python, is not sufficient for this.

The problem with this API is that I need to hardcode identifiers; how can I work around it?

import endpoints
from protorpc import remote

# The client IDs are module-level constants, so they are fixed at import time.
WEB_CLIENT_ID = 'replace this with your web client application ID'
ANDROID_CLIENT_ID = 'replace this with your Android client ID'
IOS_CLIENT_ID = 'replace this with your iOS client ID'
ANDROID_AUDIENCE = WEB_CLIENT_ID

# The decorator reads allowed_client_ids and audiences when the class is defined.
@endpoints.api(name='helloworld', version='v1',
               allowed_client_ids=[WEB_CLIENT_ID, ANDROID_CLIENT_ID,
                                   IOS_CLIENT_ID],
               audiences=[ANDROID_AUDIENCE])
class HelloWorldApi(remote.Service):
    """Helloworld API v1."""

I want to define allowed_client_ids dynamically using some database, and I also want to share the API with Python applications, if that is possible at all. How can I do it?

Vinny P

Jun 23, 2014, 3:20:57 AM
to google-a...@googlegroups.com
On Tue, Jun 17, 2014 at 3:34 AM, Cezary Wagner <cezary...@gmail.com> wrote:

> How can I secure endpoints with authentication Is it possible to do it at all?
>
> Current solution for authentication is not sufficient for it - appengine-endpoints-helloendpoints-python.
>
> Problem with this API is such that I need hardcode identifiers how to workaround it?
>
> I want to define allowed_client_ids dynamically with use some database not and want share API with python applications - if it possible at all. How to do it?

Do you want just authentication, or authentication with client IDs? Are you OK with only allowing the client app to auth with a Google account? As you've noticed, Endpoints requires client IDs to be hardcoded within the application; there's not much that can be done to avoid this requirement.

If you just want authentication in general, there are a couple of ways to handle it. You could implement the standard user/password requirement, and require that API requests present the pair of credentials. Of course this is less than optimal since best practice is for APIs to use auth tokens, but it is an option. It should also be noted that many well-known web property APIs accept user/pass to auth into an API; as an example, see Pinboard and Newsblur's APIs. Other websites will offer API auth by generating a token: a very long random token, or a hash of the username/password hash, plus a salt, and requiring that the token be used to access the API.

If you're OK with requiring the user to have a Google account, you can use Google+ Sign-In for mobile devices. The docs are here, but basically the user logs in to Google on their mobile, your mobile app gets a one-time token, sends the token to your Endpoints API, then the token can be exchanged with Google to verify that the user exists and the identity of the user.

There are a couple of additional ways to handle this issue, but perhaps it would be better if you better explained your use case: do you want to identify different device IDs, users (unique by email account, profile), or similar?

-----------------
-Vinny P
Technology & Media Advisor
Chicago, IL

App Engine Code Samples: http://www.learntogoogleit.com
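The "very long random token" option from the reply above, worked through as an added example that is not code from the thread or from the Endpoints sample: tokens are issued per user, only their hashes are stored server-side, and the API handler resolves an `Authorization: Bearer <token>` header against that store, so the set of valid clients lives in data rather than in hardcoded constants. The in-memory `TOKEN_STORE` dict and the `handle_greet` handler are constructed stand-ins for a Datastore table and a real Endpoints method.

```python
import hashlib
import secrets

# Constructed stand-in for a datastore table of issued API tokens.
# Keys are SHA-256 hashes of tokens, values are the user record the
# token was issued to. Storing only the hash means a leaked copy of
# this table cannot be replayed against the API.
TOKEN_STORE = {}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_email: str) -> str:
    """Create a 256-bit random bearer token for a user and record its hash.

    The plaintext token is returned exactly once, to be handed to the
    client; the server keeps only the hash, as it would a password hash.
    """
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[_token_hash(token)] = {"email": user_email}
    return token


def authenticate(headers: dict):
    """Resolve an 'Authorization: Bearer <token>' header to a user record.

    Returns the stored user dict, or None if the header is missing,
    uses another scheme, or the token is unknown or revoked.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    # Looking up the hash rather than the token itself means the timing of
    # the comparison reveals nothing useful about any valid token.
    return TOKEN_STORE.get(_token_hash(token))


def revoke_token(token: str) -> bool:
    """Invalidate a token immediately; returns True if it was known."""
    return TOKEN_STORE.pop(_token_hash(token), None) is not None


def handle_greet(headers: dict) -> tuple:
    """Example endpoint handler returning (HTTP status, response body)."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthorized"}
    return 200, {"message": "Hello, %s" % user["email"]}
```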
