Thanks for this George.

I was looking into OAuth2 but it seems to support only Google consumer 
accounts on the client side. In my case I use a third party to authenticate 
iOS users via SMS and I need to maintain that flow & third party. Firebase 
and auth0 are not options for the same reason, that I can't switch a 
provider.

Is my understanding above correct? Or is there another way to implement a 
custom authentication flow? Any pointers will be helpful.


On Tuesday, May 30, 2017 at 8:49:55 AM UTC-7, George (Cloud Platform 
Support) wrote:
>
> Hello Amir, 
>
> You are right, there are red flags and warnings. By default, API methods 
> do not allow cookie authentication, and require the use of OAuth2. You 
> incur the risk of Cross-Site Request Forgery (CSRF 
> <https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet>). 
> It is recommended 
> <https://cloud.google.com/endpoints/docs/frameworks/legacy/v1/java/javadoc/com/google/api/server/spi/config/ApiAuth.html#allowCookieAuth--> 
> to be very cautious in enabling this setting, and make sure to require 
> appropriate XSRF tokens to protect your API.
>
> Have you weighed the option of rather re-writing and implementing the 
> recommended OAuth2 authentication 
> <https://cloud.google.com/endpoints/docs/frameworks/legacy/v1/java/annotations>: 
> "For OAuth2 authentication, an OAuth2 token is issued to a specific client 
> ID, which means that this client ID can be used for restricting access to 
> your APIs. When you register an iOS or Android application in the Google 
> Cloud Platform Console, you create a client ID for it. This client ID is 
> the one requesting an OAuth2 token from Google for authentication purposes. 
> When the back-end API is protected by auth, an OAuth2 access token is sent 
> and opened by Google Cloud Endpoints, the client ID is extracted from the 
> token, and then the ID is compared to the backend's declared acceptable 
> Client ID list (the clientIds list)."
>
> You can find related information in the "google endpoints (java), session 
> cookies and iOS" thread 
> <https://groups.google.com/forum/#!topic/google-appengine/HJTJhsQG6Ws>. 
>

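To make concrete why George's reply says cookie auth must be paired with XSRF tokens, here is an added example (not code from the thread or from Cloud Endpoints, and written in Python rather than the Endpoints Java framework) that puts a cookie-only check beside a cookie-plus-token check and runs both over a constructed genuine request and a constructed cross-site forged request. The server secret, session ids, header name and request shape are all assumptions for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed demo values; a real service keeps the secret out of source control.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
ACTIVE_SESSIONS = {"sess-amir-1"}   # session cookie values the server has issued
TOKEN_MAX_AGE = 3600                 # seconds an XSRF token remains valid

def issue_xsrf_token(session_id, now=None):
    """Mint a token bound to the session cookie: '<timestamp>:<hmac>'."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"

def xsrf_token_valid(session_id, token, now=None):
    """Recompute the MAC for this session and compare it in constant time."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > TOKEN_MAX_AGE:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def authorize_cookie_only(request):
    """Weak check: the session cookie alone admits the caller (cookie auth, no token)."""
    return request["cookies"].get("session") in ACTIVE_SESSIONS

def authorize_cookie_with_xsrf(request, now=None):
    """Hardened check: the cookie AND a token that a foreign origin cannot supply."""
    session_id = request["cookies"].get("session")
    if session_id not in ACTIVE_SESSIONS:
        return False
    return xsrf_token_valid(session_id, request["headers"].get("X-XSRF-Token", ""), now)

def demo():
    """Constructed requests: one from the app itself, one forged from a foreign origin."""
    now = 1_700_000_000
    cookies = {"session": "sess-amir-1"}
    genuine = {"cookies": cookies, "headers": {"X-XSRF-Token": issue_xsrf_token("sess-amir-1", now)}}
    # The browser attaches the cookie automatically, but a foreign page cannot set the header.
    forged = {"cookies": cookies, "headers": {}}
    return {"cookie_only_genuine": authorize_cookie_only(genuine),
            "cookie_only_forged": authorize_cookie_only(forged),
            "xsrf_genuine": authorize_cookie_with_xsrf(genuine, now),
            "xsrf_forged": authorize_cookie_with_xsrf(forged, now)}
```

The cookie-only check accepts both requests, which is the CSRF exposure the reply warns about; the token-bound check accepts only the genuine one, and also rejects expired, tampered or malformed tokens.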