1
votes

I am using my custom auth flow (auth using facebook) and want to completely disable authentication provided by Google Cloud Endpoints.

When I set it using the HTTP Authorization header (Bearer ), it invokes some framework method automatically, which shows the following entries in the logs:

D 2015-03-21 20:41:22.622 Checking for id_token.
D 2015-03-21 20:41:22.622 id_token verification failed: Token is not an id_token (Wrong number of segments)
D 2015-03-21 20:41:22.623 Checking for oauth token.
D 2015-03-21 20:41:22.627 Oauth framework user didn't match oauth token user.

I think it's calling Google APIs and checking the OAuth token every time.

I tried setting auth_level=endpoints.AUTH_LEVEL.REQUIRED but the warning is still there.

Finally, I went through the source code to debug this and set the env variable ENDPOINTS_USE_OAUTH_SCOPE to some random value to prevent it from checking with Google APIs.

Is there a better way to handle this?

[EDIT] This is for AppEngine Python.

1
If you post your code, someone will be more likely able to help you. - Theresa
Google Cloud Endpoints is designed to work specifically with Google Accounts or Google+ Signin. If you want to use your own auth scheme you would be better off using a different framework such as Restlet, Spring, or Jersey. - Adam
I disagree with @Adam, you can build your own auth implementation using endpoints, it's not as straightforward as using the builtin OAuth but it's pretty easy. - jirungaray
I am using Python. The reason I opted for endpoints was its ability to automatically generate client SDKs and manage versioning swiftly. The tight coupling with Google Accounts is sad. I am using my own auth, but the warning messages which suggest it's hitting Google APIs are of concern. - Aakash Bapna
Is this question better suited to be sent to appengine google group mailing-list? - Aakash Bapna

1 Answer

1
votes

As requested by @tomrozb, here's a very simple implementation we are using today. There's really not much to it.

First, our AngularJS frontend attaches a header token to every request; this token is acquired on login (non-authenticated endpoint) and stored locally (pretty similar to a cookie). Make sure to use HTTPS!

On my endpoints I just check for that token using req.getHeader("Authorization"); and check that token against my current "sessions" and throw an UnauthorizedException("Not logged in") exception. Bear in mind the original HttpServletRequest is automatically injected if requested, so you can do something like:

import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;
import javax.servlet.http.HttpServletRequest;

@ApiMethod(name = "createWhatever", path = "createWhatever")
public Whatever createWhatever(CreateWhateverRequest data, HttpServletRequest req)
        throws UnauthorizedException {
    // The injected HttpServletRequest exposes the raw Authorization header sent by the client.
    Long userId = getUserId(req.getHeader("Authorization"));
    if (userId == null) {
        // No matching session: reject before any business logic runs.
        throw new UnauthorizedException("Not logged in");
    }
    // do your thing
}

Which is basically what the builtin feature does: it injects a "User" object on your request and asks you to check if it's null and act accordingly; I just do it against a custom entity instead of whatever GAE credentials store for OAuth.
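Here is a standalone Python version of the session-token check the answer describes, as an added example that is not part of the original answer. The in-memory session store, the create_session/get_user_id/require_user names and the token TTL are assumptions, and a local UnauthorizedException class stands in for endpoints.UnauthorizedException so the block runs without the App Engine SDK.

```python
import hashlib
import secrets
import time

# Constructed in-memory session store: sha256(token) -> (user_id, expires_at).
# On App Engine this would be a Datastore/Memcache entity (assumed layout).
SESSIONS = {}
SESSION_TTL_SECONDS = 3600


class UnauthorizedException(Exception):
    """Stand-in for endpoints.UnauthorizedException (assumption)."""


def _token_key(token):
    # Store and look up only the hash, so a leaked session table does not
    # hand out usable bearer tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_session(user_id, now=None):
    """Login-endpoint side: mint a random token and remember its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[_token_key(token)] = (user_id, now + SESSION_TTL_SECONDS)
    return token


def get_user_id(authorization_header, now=None):
    """Counterpart of getUserId(req.getHeader("Authorization")) in the answer.

    Returns the user id for a valid, unexpired "Bearer <token>" header, else None.
    """
    now = time.time() if now is None else now
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    entry = SESSIONS.get(_token_key(token))
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        SESSIONS.pop(_token_key(token), None)  # expired: drop it and deny
        return None
    return user_id


def require_user(authorization_header, now=None):
    """What each protected method does first: resolve the session or refuse."""
    user_id = get_user_id(authorization_header, now=now)
    if user_id is None:
        raise UnauthorizedException("Not logged in")
    return user_id
```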