
We have the backend code ready and working, and we want to protect our APIs, which are built on top of Google Cloud Endpoints.

So now we have some difficulty achieving these goals:

1) Only requests from iOS devices are allowed

Here, the article Using Auth with Endpoints says that we can specify authorized clients in the API backend. We did add something like:

import com.google.api.server.spi.config.Api;

// Declares the API and lists the client IDs that are supposed to be accepted.
@Api(
    name = "tictactoe",
    version = "v1",
    scopes = {Constants.EMAIL_SCOPE},
    clientIds = {Constants.IOS_CLIENT_ID}
)

However, we can still access it without providing any client ID.

2) Only real users are allowed to access our APIs

Our app has two kinds of users: registered and guest. There is no third-party login using Google or Facebook.

What if we implement a getToken method and generate a token for users? But anyone who knows this API or sniffs the traffic will know the mechanism, and they can play with our API as a guest account.

We have googled and seen a lot about OAuth2 or HMAC, but for our case, is it possible to do it more easily and still relatively securely?

So, in general, how can we implement secured backend APIs based on Google Cloud Platform?

Comments:

Nigel's answer seems like it should be explored. Also, you might want to explain your point 1 on "code.google.com/p/googleappengine/issues", Google's public issue tracker for App Engine :) (Patrice)

@Timeless did you find any solution to your iOS issue? I am facing a similar issue. I am making calls from a JavaScript client and I want to secure my endpoint such that only my JavaScript client should be able to access my endpoint. I do not need any user auth. When I followed Google's doc, I was able to reach my endpoint from any client. Any help on this? (Bharathi)

1 Answer


This appears to be tricky. You could try adding a hiddenProperty to the client query holding a shared secret key, as described by bossylobster here and Carlos here.
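As an added illustration (not code from the question, the answer, or the Endpoints project), this is what the server side of that shared-secret check could look like in an Endpoints Java method. The query parameter name apiKey, the TICTACTOE_SHARED_SECRET environment variable, the Board class and the method itself are assumptions.

```java
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.Named;   // v1 used javax.inject.Named
import com.google.api.server.spi.response.UnauthorizedException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

@Api(name = "tictactoe", version = "v1")
public class BoardEndpoint {

    // Assumed: the secret shared with the iOS build, read from the environment
    // so it stays out of source control. It only limits casual misuse: anyone
    // who extracts it from the app binary or observes the traffic can reuse it,
    // which is the weakness the question already points out for plain tokens.
    private static final String SHARED_SECRET = System.getenv("TICTACTOE_SHARED_SECRET");

    // Minimal response type (assumed); Endpoints needs a no-arg constructor.
    public static class Board {
        public String state;
        public Board() {}
        public Board(String state) { this.state = state; }
    }

    // The client's hidden property arrives here as the "apiKey" query parameter
    // (assumed name). Requests without the right value get a 401.
    @ApiMethod(name = "board.get", path = "board", httpMethod = ApiMethod.HttpMethod.GET)
    public Board getBoard(@Named("apiKey") String apiKey) throws UnauthorizedException {
        if (!secretMatches(apiKey)) {
            throw new UnauthorizedException("invalid client key");
        }
        return new Board("---------");
    }

    // Constant-time comparison so response timing does not leak how many
    // leading bytes of a guessed key were correct. A missing or unset secret
    // fails closed.
    static boolean secretMatches(String presented) {
        if (presented == null || SHARED_SECRET == null || SHARED_SECRET.isEmpty()) {
            return false;
        }
        byte[] a = presented.getBytes(StandardCharsets.UTF_8);
        byte[] b = SHARED_SECRET.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }
}
```

Because the secret must live inside the shipped app, treat this as a speed bump against accidental or scripted misuse, not as client authentication; per-user identity still needs a real sign-in flow such as the OAuth2 options the question mentions.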