如何保护使用Google Cloud Endpoints构建的API? [英] How do I protect my API that was built using Google Cloud Endpoints?
问题描述
文档似乎只是谈论用户身份验证和授权,这不是我在这里需要的。我只需要确保只有我的移动应用程序可以与此后端进行通话,而不是其他任何人。 是的,你可以做到这一点:使用身份验证来保护您的端点而不进行用户身份验证。
我发现这样做的方式没有很好的记录,而且我自己也没有真正做到,但我打算在看到时注意到它正在讨论一些IO13视频(我认为这是我看到它的地方):
以下是我对所涉及的内容的理解:
- 创建一个Google API项目(尽管除了身份验证本身,这并不涉及它们的API)
- 创建OATH客户端ID这些应用程序通过其包名和您将签名应用程序使用的证书的SHA1指纹绑定到您的应用程序。
您将将这些客户端ID添加到您的端点可接受的ID列表中。您将添加用户参数到您的端点,但它将为空,因为没有指定用户。
@ApiMethod(
name =sendInfo,
clientIds = {Config.WEB_CLIENT_ID,Config.MY_APP_CLIENT_ID,Config.MY_DEBUG_CLIENT_ID},
audiences = {Config.WEB_CLIENT_ID}
//是,您指定一个'web'ID,即使这不是Web客户端。
)
public void sendInfo(用户用户,信息问候){
上面有一些体面的文档,在这里:
https://developers.google.com/appengine/docs/java/endpoints/auth
您的客户端应用将在制定端点服务呼叫时指定这些客户端ID。所有的OATH细节将在您的客户端设备的幕后处理,以便您的客户端ID被转换为认证令牌。
HttpTransport transport = AndroidHttp.newCompatibleTransport();
JsonFactory jsonFactory = new JacksonFactory();
GoogleAccountCredential凭证= GoogleAccountCredential.usingAudience(ctx,Config.WEB_CLIENT_ID);
//credential.setSelectedAccountName(user); //不指定用户
Myendpoint.Builder builder = new Myendpoint.Builder(transport,jsonFactory,credential);
这个客户端代码只是我最好的猜测 - 对不起。如果其他人有确切的客户代码应该是什么样的参考,那么我也会感兴趣。
The API is a backend to a mobile app. I don't need user authentication. I simply need a way to secure access to this API. Currently, my backend is exposed.
The documentation seems to only talk about user authentication and authorization, which is not what I need here. I just need to ensure only my mobile app can talk to this backend and no one else.
Yes, you can do that: use authentication to secure your endpoints without doing user authentication.
I have found that this way of doing it is not well documented, and I haven't actually done it myself, but I intend to so I paid attention when I saw it being discussed on some of the IO13 videos (I think that's where I saw it):
Here's my understanding of what's involved:
- Create a Google API project (though this doesn't really involve their API's, other than authentication itself).
- Create OATH client ID's that are tied to your app via its package name and the SHA1 fingerprint of the certificate that you will sign the app with.
You will add these client ID's to the list of acceptable ID's for your endpoints. You will add the User parameter to your endpoints, but it will be null since no user is specified.
@ApiMethod(
name = "sendInfo",
clientIds = { Config.WEB_CLIENT_ID, Config.MY_APP_CLIENT_ID, Config.MY_DEBUG_CLIENT_ID },
audiences = { Config.WEB_CLIENT_ID }
// Yes, you specify a 'web' ID even if this isn't a Web client.
)
public void sendInfo(User user, Info greeting) {
There is some decent documentation about the above, here: https://developers.google.com/appengine/docs/java/endpoints/auth
Your client app will specify these client ID's when formulating the endpoint service call. All the OATH details will get taken care of behind the scenes on your client device such that your client ID's are translated into authentication tokens.
HttpTransport transport = AndroidHttp.newCompatibleTransport();
JsonFactory jsonFactory = new JacksonFactory();
GoogleAccountCredential credential = GoogleAccountCredential.usingAudience( ctx, Config.WEB_CLIENT_ID );
//credential.setSelectedAccountName( user ); // not specify a user
Myendpoint.Builder builder = new Myendpoint.Builder( transport, jsonFactory, credential );
This client code is just my best guess - sorry. If anyone else has a reference for exactly what the client code should look like then I too would be interested.
这篇关于如何保护使用Google Cloud Endpoints构建的API?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
