On Tue, Jun 17, 2014 at 3:34 AM, Cezary Wagner <[email protected]> wrote:
> How can I secure endpoints with authentication? Is it possible to do it at all?
>
> The current solution for authentication is not sufficient for it:
> appengine-endpoints-helloendpoints-python
> <https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-python/blob/master/helloworld_api.py>
>
> The problem with this API is that I need to *hardcode identifiers*. How do I work around it?
>
> I want to define allowed_client_ids dynamically using some database, and I want to share the API with Python applications, if that is possible at all. How do I do it?

Do you want just authentication, or authentication with client IDs? Are you OK with only allowing the client app to auth with a Google account?

As you've noticed, Endpoints requires client IDs to be hardcoded within the application <https://developers.google.com/appengine/docs/python/endpoints/auth#Adding_a_user_check_to_methods>; there's not much that can be done to avoid this requirement.

If you just want authentication in general, there are a couple of ways to handle it. You could implement the standard user/password requirement, and require that API requests present the pair of credentials. Of course this is less than optimal, since best practice is for APIs to use auth tokens, but it is an option. It should also be noted that many well-known web property APIs accept user/pass to auth into an API; as an example, see Pinboard's and Newsblur's APIs. Other websites will offer API auth by generating a token: a very long random token, or a hash of the username, the password hash, plus a salt, and requiring that the token be used to access the API.

If you're OK with requiring the user to have a Google account, you can use Google+ Sign-In for mobile devices. The docs are here <https://developers.google.com/+/mobile/android/sign-in#enable_server-side_api_access_for_your_app>, but basically the user logs in to Google on their mobile, your mobile app gets a one-time token and sends the token to your Endpoints API, then the token can be exchanged with Google to verify that the user exists and the identity of the user.

There are a couple of additional ways to handle this issue, but perhaps it would be better if you explained your use case in more detail: do you want to identify different device IDs, users (unique by email account, profile), or similar?

-----------------
-Vinny P
Technology & Media Advisor
Chicago, IL

App Engine Code Samples: http://www.learntogoogleit.com

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
Visit this group at http://groups.google.com/group/google-appengine.
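The "very long random token" approach described in the reply above, as an added example written for this thread; it is not code from the original post or from the helloendpoints sample. The in-memory TOKEN_TABLE is a constructed stand-in for a datastore model, and greet() is a hypothetical endpoint method standing in for the place where an Endpoints handler would raise endpoints.UnauthorizedException.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a datastore model: maps SHA-256(token) -> username.
# Only the hash is stored, so a leaked copy of the table cannot be replayed
# against the API; the user keeps the one-time plaintext token.
TOKEN_TABLE = {}


def _fingerprint(token):
    """Hash a token the same way on issue and on lookup."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(username):
    """Mint a 256-bit random API token for a user and store only its hash."""
    token = secrets.token_urlsafe(32)        # 32 random bytes, URL-safe base64
    TOKEN_TABLE[_fingerprint(token)] = username
    return token                             # shown to the user exactly once


def authenticate(headers):
    """Return the username for a valid 'Authorization: Bearer <token>' header, else None."""
    auth = headers.get("Authorization", "")
    prefix = "Bearer "
    # Constant-time prefix check; hashing before lookup means an attacker who
    # can only vary the token cannot learn stored values byte by byte.
    if not hmac.compare_digest(auth[:len(prefix)], prefix):
        return None
    return TOKEN_TABLE.get(_fingerprint(auth[len(prefix):]))


def revoke_token(token):
    """Delete a token's hash (logout, rotation, or suspected leak). True if it existed."""
    return TOKEN_TABLE.pop(_fingerprint(token), None) is not None


def greet(headers):
    """Hypothetical endpoint method: reject unauthenticated callers before doing work."""
    user = authenticate(headers)
    if user is None:
        return (401, "Unauthorized")
    return (200, "Hello, %s" % user)
```

Because the table is keyed by the token's hash, adding or revoking tokens is a database write rather than a redeploy, which is the dynamic behaviour the original question asked for, without changing the hardcoded Endpoints client IDs.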
