Reputation: 5962
How to use generated clientid with Google cloud endpoints for authenticating 3rd party users without redeploying app
In my case we work with other companies which would consume our APIs along with our internal javascript client. I think we need to create a web client id for javascript client. But when exposing APIs externally, is it correct to generate new web client id per company? If so do we have to update clientid each time and redeploy application?
I'm following this documentation and in their example client ids are hardcoded, if I need to give access to new 3rd party users, then I need to generate new client id for them but I'd expect to not redeploy application.
Update: I've created a feature request as per @Alex's suggestion below.
Upvotes: 1
Views: 70
Answers (2)
Reputation: 58
You can use an asterisk as the client ID, that will allow any client to call it without redeploying your API backend. Not sure if this is a documented feature or not, but it works (at least) with both Python and Java.
@Api(name = "myapi",
version = "v1",
scopes = {"https://www.googleapis.com/auth/userinfo.email"},
description = "My flashy API",
clientIds = {"*"})
public class MyAPI { ... }
Upvotes: 0
Reputation: 881477
Unfortunately the docs at https://cloud.google.com/appengine/docs/python/endpoints/auth very specifically say, and I quote,
Because the allowed_client_ids must be specified at build time, you must rebuild and redeploy your API backend after adding or changing any client IDs in the authorized list of allowed_client_ids or audiences
so it appears that your perfectly-reasonable use case is very explicitly not covered at this time.
I recommend you visit said page and enter a feature request via the "Write Feedback" link (around the upper right corner of the page) as well as entering a feature request on the Endpoints component of the App Engine feature tracker, https://code.google.com/p/googleappengine/issues/list?can=2&q=component=Endpoints&colspec=ID%20Type%20Component%20Status%20Stars%20Summary%20Language%20Priority%20Owner%20Log -- we monitor both, but with different processes, so trying both is best.
Sorry to be a bearer of bad news. For now, it seems the only workaround is to distribute to the other companies one of a bunch of client ids generated in advance (you can only change the valid bunch when you re-deploy, sigh) and perhaps add some extra, app-layer authorization check of your own -- exactly the kind of work endpoints should be doing on your behalf:-(.
Upvotes: 2
Related Questions
- How do I use a client ID for OAuth2 on App Engine in Go?
- GCP -- APIs & Services : Create OAuth client ID credentials programmatically
- Google Cloud Endpoints custom authentication with App Engine Flexible (Node.js)
- Validate AppEngine Endpoints Client IDs while using custom Authenticator
- Authenticating your client to Cloud Endpoints without a Google Account login
- How do I get the Google Account ID when making an authenticated call to a Cloud Endpoints API from an Android app
- ClientId not updated when deploying - User injected null
- Google OAuth - Keeping the Client ID Secret
- Google App Engine: Endpoints authentication when custom auth or Open ID is used
- How exactly to set clientIds and audiences to authenticate Google Cloud Endpoints for an Android App