确定哪些Android应用正在与我的AppEngine应用接触 [英] identifying which android app is making contact with my appengine app
问题描述
这是一个这可能吗?题。我对Android手机的应用程序,为的AppEngine平台的另一个应用程序。在AppEngine上的事情是真的只是一个高分的分贝,而手机应用程序真的只是一个游戏。我可以用一些JSON / GSON / httppost的东西,从游戏到数据库发送分数。现在我想确保我收集到的分数来自于游戏,而不是某些人,在节目也许才华横溢,而且在他的手上太多的时间。
This is an "Is this possible?" question. I have an app for the android phone and another application for the appengine platform. The appengine thing is really just a db of high scores, and the phone app is really just a game. I can, using some json/gson/httppost stuff, send the scores from the game to the db. Now I want to make sure that the scores I have collected come from the game, not some guy, maybe talented at programming but with too much time on his hands.
这里的问题。我可以使用谷歌的OAuth 2.0以某种方式进行身份验证的成绩,我得到来自手机上运行我的游戏?
Here's the question. Can I use google OAuth 2.0 to somehow authenticate that the scores I'm getting come from phones running my game?
我想我这样做:我会使用OAuth得到一些从谷歌类型的令牌(从手机),然后通过该令牌到AppEngine上的数据库(使用JSON记录),然后使用令牌得到用户从谷歌的信息。这可能是作为电子邮件地址一样简单。然后我对自己说:好吧,只要我得到一个电子邮件地址的用户,那么我就知道用户使用的游戏,我可以存储他们的分数。这听起来可能吗?我得到的,一旦我用手机来获得从谷歌的道理,它是由AppEngine上的程序无法使用的感觉。
I thought I'd do this: I'd use OAuth to get some kind of token from google (from the phone), then pass that token to the appengine database (using a json record), then use the token to get info from google on the user. This could be as simple as an email address. Then I'd say to myself "Well, as long as I get an email address for the user, then I know that the user is using the game, and I can store their score." Does this sound possible? I get the feeling that once I use the phone to get the token from google, it's unusable by the appengine program.
我想我会使用的CLIENT_ID和client_secret,(和其他任何我需要),这些与AppEngine上DB关联到从手机获得令牌,然后当我通过JSON发送令牌到appenging程序获得的电子邮件地址,他们从AppEngine上工作。这似乎是莫名其妙的谷歌OAuth的都知道,我是想从一个手机令牌,然后会拒绝整个事情。话又说回来,也许它会工作。他们说,尽管这Android手机不能保守秘密(指client_secret)。
I was thinking I'd use the client_id and client_secret, (and whatever else I needed) that were associated with the appengine db to get a token from the phone, then when I sent the token via json to the appenging program to get the email address, they'd work from appengine. This seems like somehow the google OAuth would know that I was trying to get a token from a phone, and then would reject the whole thing. Then again maybe it would work. They say though that android phones cannot keep secrets (referring to the client_secret).
最后,我想知道是否有确保我是在AppEngine上侧记录比分被真正从运行我的游戏Android手机未来的任何其他更简单的方法?我可以建立自己的身份验证方案?有多难这个做什么?
Finally I was wondering if there was any other easier way of making sure that the score I was recording at the appengine side was truly coming from an android phone running my game? Can I set up my own authentication scheme? How hard is this to do?
推荐答案
好时机;谷歌刚刚发布了一个功能,将解决你的问题:
的http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html
Good timing; Google just released a feature will address your question: http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html
这样做是一个多步骤的过程,我将在全轮廓,但
这里的短版:您可以使用GoogleAuthUtil类,可用
通过谷歌Play服务检索称为ID字符串
令牌。您令牌发送到后端和你的后端可以使用
它可以快速,廉价地确认哪些应用程序发送它,谁使用
该应用程序。
Doing this is a multi-step process, which I’ll outline in full, but here’s the short version: You use the GoogleAuthUtil class, available through Google Play services, to retrieve a string called an "ID Token". You send the token to your back end and your back end can use it to quickly and cheaply verify which app sent it and who was using the app.
这篇关于确定哪些Android应用正在与我的AppEngine应用接触的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
