Google Cloud Endpoints limitations… any proposed solutions?

52
votes

Am I correct in thinking that the goodness of Cloud Endpoints comes with the following limitations:

  1. The REST Api cannot be deployed to a custom domain (it'll remain on appspot.com).
  2. The only authentication supported is OAuth against Google accounts.
    1. Corollary: it isn't currently possible to create a user login/session-tracking mechanism that is Google-accounts-agnostic (e.g., with email as username and a password).

Is there any plan to do away with these limitations and if so, what is the ETA?

1
javagoogle-app-engineauthenticationauthorizationgoogle-cloud-endpoints
I would add 2 more. (1) It is in preview mode almost 1.5 years after release and seems to have stagnated, so its status is a bit uncertain, and (2) I've seen people complain that you are forced to make your API public.Tom
Good points!! any updates after GA release?ZiglioUK
Please vote up the question --- that may help us get an authoritative response.markvgti
Have been struggling all day with Endpoints and got nowhere plus.google.com/+EmanueleZiglioli/posts/5bYytiELVkdZiglioUK
Also groups.google.com/forum/#!topic/vosao-cms-development/…ZiglioUK

1 Answers

20
votes

Taking these item by item:

  1. Currently, yes this is still the case. Keep in mind, our initial release is targeted at a same-party use-case, where the domain you're serving from basically doesn't matter (it's not user/developer-facing). If you want to use your API to drive a website, you can use your custom domain to have your user-facing content, and still make requests to your appspot domain using CORS. If you're building a mobile app, no one sees the domain at all.
  2. Built-in support (i.e. using the User object) is limited to Google accounts, but you're free to build your own authentication scheme by checking the OAuth headers (or email/password if you must...)
  3. (From the comments, regarding GA status). Endpoints is now GA.
  4. (From the comments, regarding public APIs). Your APIs must be public, but you can limit the clients that can make requests. If you want to make a secret API, i.e. the existence of the API must itself be protected, that's not currently supported. I'd be curious to hear how popular a request this is, but I suspect it's not a blocker for most people.