How do I use the Google API Explorer to test my own App Engine Endpoints using OAuth?

14
votes

I have an Endpoints API deployed on App Engine. I have no problem using the Google API Explorer to make requests to API methods that do NOT require being logged in. The URL I'm using for that is:

https://developers.google.com/apis-explorer/?base=https://[MY_APP_ID].appspot.com/_ah/api

Where I am stuck is calling API methods that require the user to be logged in, such as this one:

@ApiMethod(name = "config.get",
        clientIds = {"[MY_CLIENT_ID].apps.googleusercontent.com", "com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID"},
        audiences = {"[MY_APP_ID].appspot.com"},
        scopes = {"https://www.googleapis.com/auth/userinfo.email"})
public Config getConfig(User user) throws OAuthRequestException {
    log.fine("user: " + user);

    if (user == null) {
        throw new OAuthRequestException("You must be logged in in order to get config.");
    }

    if (!userService.isUserAdmin()) {
        throw new OAuthRequestException("You must be an App Engine admin in order to get config.");
    }
    ...

On the API Explorer there's a switch top right that, when clicked, allows me to specify scopes and authorise. I'm doing that with just the userinfo.email scope checked. It makes no difference. The response I get from my call is:

503 Service Unavailable

- Show headers -

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "backendError",
    "message": "java.lang.IllegalStateException: The current user is not logged in."
   }
  ],
  "code": 503,
  "message": "java.lang.IllegalStateException: The current user is not logged in."
 }
}

Back when Endpoints was in Trusted Tester phase, I remember there being a manual step in the OAuth2 Playground to get an ID token instead of an access token or some such thing. If that is still required, any mention of that seems to have disappeared from the Endpoints docs now and I see now way to swap out tokens in the API Explorer either.

2
google-app-engineoauth-2.0google-cloud-endpoints
Oh, and I've also added the OAuth playground (developers.google.com/oauthplayground) to the list of redirect URIs in the API console.Eliot

2 Answers

12
votes

I see you've got "com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID" in quotes. If that's not a typo in your transcription to Stack Overflow, that's a problem. The value is already a string, so you're just passing in the text com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID (not the actual client ID) as the whitelisted scope. That won't work. Try this instead:

@ApiMethod(name = "config.get",
        clientIds = {"[MY_CLIENT_ID].apps.googleusercontent.com", com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID},
        audiences = {"[MY_APP_ID].appspot.com"},
        scopes = {"https://www.googleapis.com/auth/userinfo.email"})

Edit: isUserAdmin is unsupported within Endpoints, and is likely a secondary cause of error. I'd suggest filing a feature request for supporting this method on the provided User object (we likely won't provide support for the user service itself, so it's separate from OAuth login.)

0
votes

I don't know when this was introduced, but if you use OAuth2, instead of UserService.isUserAdmin() you can use OAuthServiceFactory.getOAuthService().isUserAdmin(EMAIL_SCOPE) where EMAIL_SCOPE is "https://www.googleapis.com/auth/userinfo.email".

This makes it easy to use the old OpenId or OAUth2:

boolean isAdmin = false;
try {
  isAdmin = userService.isUserAdmin());
} catch (IllegalStateException e1) {
  try {
    isAdmin = OAuthServiceFactory.getOAuthService().isUserAdmin(EMAIL_SCOPE);
  } catch (Exception e2) {}
}

The original question was asked several years ago, but maybe this will help others.