Restrict access to google cloud endpoints to Android app

问题

I'm using Android Studio to generate Google Cloud Endpoints for an Android app. I've deployed the endpoints and they work ok.

What I want to achieve is to enable access to the endpoints only to my app. All the documentation talks about how to enable authentication for users but I only need to restrict the access to the endpoints only from my app. I don't want to use user credentials because the api does not use that.

What I tried is creating a client ID for my app in the Google Console and adding to the APi annotation

@Api(name = "messageEndpoint", clientIds = {Ids.WEB_CLIENT_ID, Ids.ANDROID_CLIENT_ID, Ids.API_EXPLORER}, audiences = {Ids.ANDROID_AUDIENCE}}

And for each API method, I've added a User parameter and check if the user is null or not. My understanding is that the user should be not null if the API is called from one of the client IDS. But user is always null.

Am I missing something?

In my Android app I have

GoogleAccountCredential credential = GoogleAccountCredential.usingAudience(DelegateActivity.this, "server:client_id:" + Ids.ANDROID_AUDIENCE);
MessageEndpoint.Builder endpointBuilder = new MessageEndpoint.Builder(
                        AndroidHttp.newCompatibleTransport(), new JacksonFactory(),
                        credential);

And the exception I am getting is:

java.lang.NullPointerException: [qi] accountName cannot be null.
                        E   at android.os.Parcel.readException(Parcel.java:1431)
                        E   at android.os.Parcel.readException(Parcel.java:1379)
                        E   at com.google.android.gms.internal.a$a$a.a(Unknown Source)
                        E   at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
                        E   at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
                        E   at com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential.getToken(GoogleAccountCredential.java:277)
                        E   at com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential$RequestHandler.intercept(GoogleAccountCredential.java:301)
                        E   at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:854)
                        E   at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:410)
                        E   at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:343)
                        E   at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:460)

回答1:

My understanding is that user will be null in the situation you described: authenticating the app and not the user.

If the app authentication fails then your endpoint won't even be called.

I assume that the string "[qi] accountName cannot be null." is from your app?

来源：https://stackoverflow.com/questions/17873993/restrict-access-to-google-cloud-endpoints-to-android-app