如何将 Google App Engine Endpoints API 访问权限限制为仅我的 Android 应用程序? [英] How do I restrict Google App Engine Endpoints API access to only my Android applications?
问题描述
我是一名 Android 开发人员,正在为我的应用构建我的第一个 Google App Engine (java) 后端.除了我的应用程序,我不希望其他任何人访问此 API.(我计划使用 App 引擎来验证我的 Android 应用程序中的 InApp 购买).我的数据与用户无关,所以,我不希望用户即使使用他们的 Google 帐户(在网络或 Android 设备上)登录也能够访问我的 API.
I am an Android developer building my first Google App Engine (java) back-end for my apps. I don't want anybody else to access this API other than my app. (I plan to use App engine for verifying InApp purchases in my Android app). My data is not relevant to users so, I don't want users to be able to access my API even if they are logged in with their Google accounts (on web or Android devices).
我按照在 API 后端指定授权客户端"中提到的步骤进行操作(https://developers.google.com/appengine/docs/java/endpoints/auth)比如生成客户端 ID 并将它们添加到@Api(clientIds 和受众)中除了添加用户参数" - 因为我不需要用户身份验证.
I followed the steps mentioned in - "Specifying authorized clients in the API backend" (https://developers.google.com/appengine/docs/java/endpoints/auth) like generating client IDs and add them in @Api (clientIds and audiences) except "Add a User parameter" - since I don't need user authentication.
然后我部署了App引擎,我仍然可以通过API explorer访问API(https://your_app_id.appspot.com/_ah/api/explorer)(我没有添加API_EXPLORER客户端ID)
Then I deployed App engine and I am still able to access the API through API explorer (https://your_app_id.appspot.com/_ah/api/explorer) (I haven't added API_EXPLORER client ID)
在添加客户端 ID 之前,我使用使用端点库构建的 APK 进行了测试,并且仍然可以访问 API.
I tested with the APK that was built with the endpoint libs before adding client IDs and can still access the API.
是否必须向所有端点 API 添加用户参数"?实现我的目的(将 API 限制为仅适用于我的 Android 应用).
Is adding a "User parameter" to all endpoint APIs a must? to achieve my purpose (restrict API to only my Android apps).
我能否从 Android 客户端传递 null 作为 userAccount 名称并忽略服务器上的用户参数值(因为它将为 null)?这会确保只能从我的 android 应用程序访问 API(因为客户端 ID 是为我的包名称和 APK 的 SHA1 生成的?)
Can I pass null as userAccount name from Android client and ignore user parameter value on server (since it will be null)? Will this ensure that the API is accessible only from my android apps (since the client ID is generated for my package name and SHA1 of the APK?)
我应该为此目的使用服务帐户之类的东西吗?
Should I use something like a service account for this purpose?
文档说对于 Android,必须添加 Android 和 Web 客户端 ID,并且受众必须与 Web 客户端 ID 相同.这是否会打开对任何其他 Web 客户端的访问?我可以跳过提及 Web 客户端 ID 而仍然达到我的目的吗?
The documentation says for Android, both Android and Web client IDs must be added and audience must be the same as web client ID. Does this open access to any other web client? can I skip mentioning web client ID and still achieve my purpose?
感谢您的时间和帮助.
......更新我的进一步调查......
...... updating with my further investigation ...
我做了以下事情:
在后端的 API 中添加了用户参数 - 但没有检查空值.API 仍然可以在不传递任何凭据的情况下访问(来自 Android 调试 APK 和 API 资源管理器)
Added User parameter to APIs on backend - but did not check for null value. API can still be accessed without passing any credentials (from Android debug APK and API explorer)
然后,我尝试了
mCredential = GoogleAccountCredential.usingAudience(this, "server:client_id:" + WEB_CLIENT_ID);mCredential.setSelectedAccountName(null);
mCredential = GoogleAccountCredential.usingAudience(this, "server:client_id:" + WEB_CLIENT_ID); mCredential.setSelectedAccountName(null);
并将此凭据传递给 API 构建器(如其他一些帖子中所建议的那样)导致致命异常.所以,我们不能传递空账户名.
and passed this credential to API builder (as suggested in some other posts) Caused FATAL EXCEPTION. So, we can't pass null account name.
我可以在没有 OAuth 的情况下使用 API Explorer 调用 API.但是当我启用 OAuth 时,它给出了错误,说这个客户端 ID 是不允许的!(我还没有在 client_ids{} 中添加 com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID)
I could call the API using API explorer without OAuth. But when I enabled OAuth, it gave error saying this client ID is not allowed! ( I haven't yet added com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID in client_ids{})
然后我添加了代码以在用户为空时在后端抛出 OAuthRequestException.这导致 API Explorer 在没有 OAuth 的情况下出现错误.将 API_EXPLORER_CLIENT_ID 添加到 client_ids 后,它可以在启用 OAuth 的情况下使用)
Then I added code to throw OAuthRequestException on the backend if the user is null. This resulted in API explorer getting errors without OAuth. It works with OAuth enabled after adding API_EXPLORER_CLIENT_ID to client_ids)
添加了代码以从我的 Android 应用程序传递有效的用户帐户名(电子邮件).然后,我只能使用我的发行版 APK 访问 API.甚至调试 APK 也会出现异常!- 这正是我所期望的..所以,我假设没有其他 Android 应用程序能够访问此 API.
Added code to pass valid user account name(email) from my Android app. Then, I am able to access API only with my release APK. Even the debug APK gets exceptions! - which is what I expected..So, I assume no other Android apps will be able to access this API.
因此,不在后端 API 上检查空用户是一个坏主意(正如其他帖子中所建议的那样).与不提及任何 client_ids 和没有 User 参数一样好.
So, not checking for null user on back-end API is a bad idea (as suggested in other posts). It is as good as not mentioning any client_ids and not having User param.
我现在唯一的问题是:如果有人能从 APK 中找出 WEB_CLIENT_ID,他们是否能够使用它来构建 Web 客户端来访问我的 API(我没有在任何地方提到客户端机密)代码.所以我认为这是不可能的).
Only question I have at this moment is: If some one can figure out the WEB_CLIENT_ID from the APK, will they be able to use it to build a web client to access my API (I haven't mentioned client secret anywhere in the code. So I am thinking this is not possible).
我确实搜索了 Google 群组和 Stackoverflow,但仍然不清楚.
I did search Google groups and Stackoverflow, but still it is not clear.
(向 Google 云端点验证我的应用"而不是用户")验证我的应用"到 Google Cloud Endpoints 而非用户"
(如何保护使用 Google Cloud Endpoints 构建的 API?)如何保护我的 API是使用 Google Cloud Endpoints 构建的吗?
(How do I protect my API that was built using Google Cloud Endpoints?) How do I protect my API that was built using Google Cloud Endpoints?
(限制 Android 应用访问谷歌云端点)将谷歌云端点的访问权限限制为 Android 应用
(Restrict access to google cloud endpoints to Android app) Restrict access to google cloud endpoints to Android app
推荐答案
我遇到了类似的问题,不是在 Android 和 App Engine 之间,而是在单独的服务器和 App Engine 之间.我处理它的方式是在每个 API 调用中添加一个签名哈希字段作为参数.如果请求的签名不正确,则会被拒绝.
I had a similar issue, not between Android and App Engine, but between a separate server and App Engine. The way I handled it was to add a signature hash field as a parameter to each API call. If the request had an improper signature, it would be denied.
例如,假设您的 API 端点是 example.com/api/do_thing?param1=foo.我会对整个 url 和一个密钥进行散列,然后将散列的结果附加到请求中:example.com/api/do_thing?param1=foo&hash=[some long hex value].
For example, suppose your API end-point is example.com/api/do_thing?param1=foo. I would hash the entire url, along with a secret key, and then append the result of the hash to the request: example.com/api/do_thing?param1=foo&hash=[some long hex value].
然后,在服务器端,我会首先从 url 请求中删除散列,然后在剩余的所有内容上运行散列.最后,您检查计算出的哈希值是否与随请求发送的哈希值匹配,如果不匹配,您可以拒绝请求.
Then, on the server side, I would first remove the hash from the url request, then run the hash on everything that was remaining. Finally, you check whether the calculated hash matches the one that was sent with the request and if they don't, you can deny the request.
但是,您的密钥必须保密,这一点非常重要.您必须在 Android 上小心这一点,因为有人可能会试图反编译您的 APK.
It is very important however that your secret key remain secret. You have to be careful with this on Android because someone could attempt to decompile your APK.
这篇关于如何将 Google App Engine Endpoints API 访问权限限制为仅我的 Android 应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
