API Key Restrictions for iOS Apps with Bundle Identifier

[ian....@bitstrata.com]

Do API key restrictions work for iOS app bundle identifiers, as configured in the credentials console? When I enable it, I get the following error:

"Check failed 403, Requests from this ios client application <empty> are blocked."

How is the bundle id supposed to be passed up from the app?

These are the attributes passed from the endpoints code to the servicemanagement.services.check api call (https://servicecontrol.googleapis.com/v1/services/{serviceName}:check):

                'api_key',

                'api_key_valid',

                'consumer_project_id',

                'operation_id',

                'operation_name',

                'referer',

                'service_name',

Are one of these used to pass the bundle id to the check call? Or is there another attribute it should be using?

Thanks,

Ian

[Sepehr Ebrahimzadeh]

Hi Ian, 

Sorry for the delay. Yes this is a known bug in ESP and the team is actively working on fixing it.

The iOS bundler identifier (X-Ios-Bundle-Identifier header) which ESP receives should be sent to Service Control's check API as an Operation label with key servicecontrol.googleapis.com/ios_bundle_id

I'll make sure this is documented here: https://cloud.google.com/service-control/reference/rest/v1/Operation

Thanks,

Sepehr

[ian....@bitstrata.com]

Hi Sepehr,

Thanks for the reply - yes that does work! I had tried a bunch of different operation labels (bundle_id, bundle_identifier) but I guess I didn't try ios_bundle_id.

We're using endpoints v2 (frameworks for python) - can we modify the backend code to pass this through to the call to service control check? Or are all the custom headers we pass up from the mobile app stripped out?

Thanks,

Ian

[ian....@bitstrata.com]

Hi Sepehr,

Actually, yes, I do see the header coming through. Since we need to vendor in the endpoints code into our project to use endpoints v2, I can just patch it to handle passing the bundle identifier through to the check api.

The next step will be handling restrictions for Android. I haven't started looking at this, but it looks like we need to pass the package name and SHA-1 signing-certificate fingerprint. How do I need to pass this to the check api? And are "X-Android-Package" and "X-Android-Cert" the standard headers we should be passing up from the Android app?  

Thank you for your help - it is much appreciated!

Best,

Ian

[Sepehr Ebrahimzadeh]

Excellent. I was waiting to hear back from the ESP team to confirm that ESP would not remove the headers that get sent to the backend. Thanks for confirming that Endpoints Frameworks doesn't remove the headers either.

The Endpoints Frameworks team is also aware of this and will take it in as a feature request. In the meanwhile, if you want to patch it in (or better yet, send a PR here: https://github.com/cloudendpoints/endpoints-python) you can use these Service Control Operation labels for Android and iOS:

Header x-android-package

Label servicecontrol.googleapis.com/android_cert_fingerprint

Header x-android-cert

Label servicecontrol.googleapis.com/android_package_name

Header x-ios-bundle-identifier

Label servicecontrol.googleapis.com/ios_bundle_id

--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/4c0df69f-e97f-46b5-b8c8-b4528a8d40b3%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[ian....@bitstrata.com]

Thanks for the quick reply. Those labels seem to work - the fingerprint needs to be sent with the colons stripped out.

Sure, we'll do a PR once we get it working.

Thanks for all your help!

Ian

[ian....@bitstrata.com]

Here is the PR that implements this functionality: https://github.com/cloudendpoints/endpoints-management-python/pull/28