Reputation: 493
I've built a custom endpoints API with Google App Engine that communicates with a web client, and I've successfully tested it with the API explorer and the web client.
Now I'm trying to add authentication to the Cloud Endpoints API via these instructions, using a web client ID. I can get authentication to work, but I can't get the authentication to be required.
    import endpoints
    from protorpc import messages, remote

    WEB_CLIENT_ID = "REPLACE_WITH_WEB_CLIENT_ID"  # Some Client ID (placeholder)

    # Request/response types referenced by the method; defined here as empty messages (assumption)
    class TestRequestMessage(messages.Message):
        pass

    class TestResponseMessage(messages.Message):
        pass

    @endpoints.api(name="AppApi", version="v1", allowed_client_ids=[WEB_CLIENT_ID], audiences=[WEB_CLIENT_ID], scopes=[endpoints.EMAIL_SCOPE])
    class AppApi(remote.Service):
        @endpoints.method(TestRequestMessage, TestResponseMessage, name="test.get", path="test/get")
        def TestGet(self, request):
            # Return a blank response message
            response = TestResponseMessage()
            return response
I'm purposely trying to exclude endpoints.API_EXPLORER_CLIENT_ID in the allowed_client_ids, because I want to make sure it will fail for requests that are not being authenticated with the API Explorer.
When I go to the API explorer though, I can make successful requests without authentication. When I turn on authentication with the API explorer, it asks me to enable the email authentication, so that works, but it doesn't require authentication for calls.
How do you get the Google Cloud Endpoints API to require authentication for every call?
I'm also not doing any User specific work with the API, so I'm just trying to use web-client authentication using web client credentials, so that it's the web client requesting information. There are no user logins.
Upvotes: 0
Views: 350
Reputation: 3591
There are two auth layers to think about when dealing with endpoints:
1. The Client ID layer, which manages what code from where, with what Client ID/secrets, can call the API. You can read about this here.
2. The User auth layer, which manages an OAuth2.0 For Login/OpenID Connect (same thing) process in which a user grants the https://www.googleapis.com/auth/userinfo.email scope to the application, and the application sends a Bearer token along with each API request, so that the endpoint server can use that token to fetch the profile info of the user on whose behalf the request was made. You can read more about the User auth layer of endpoints in the docs (java/python).
Your issue, if I understand your post, relates to the fact that you can make API Explorer requests even if the API Explorer's Client ID is not in the list of allowed IDs. This is a known issue which I believe has been mentioned in the public issue tracker and thus is being worked on, probably with a high priority.
At the very least, knowing that it's not a result of your own error should let you be at ease and continue developing, knowing that it'll be fixed relatively soon, and doesn't represent a risk to security, since only you can access the API Explorer for your own project.
Upvotes: 1
Reputation: 8806
Cloud Endpoints will not automatically enable authentication by itself. Via the annotations, you have marked the API method for secure access.
What you will have to do for each call is to check the User object and determine if:
If it does not meet your authentication and authorization requirements, you should have the appropriate logic to return the correct HTTP error code, or some other data if it is an anonymous sort of access.
In the instructions, this is specified as the 3rd point: "Add a current user check (endpoints.get_current_user) to each method you wish to protect."
Upvotes: 0
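The per-method user check that the last answer describes (and the user-auth layer the first answer distinguishes from the client-ID layer) can be factored into one decorator, so that no protected method can forget it. The following is an added example, not code from the question or either answer. It assumes that a real service would pass endpoints.get_current_user and endpoints.UnauthorizedException into require_authenticated_user; here a constructed fake user lookup and a stand-in exception are used so the module runs offline, and the @endpoints.api / @endpoints.method decorators are omitted.

```python
import functools


class UnauthorizedException(Exception):
    """Stand-in for endpoints.UnauthorizedException (maps to HTTP 401) so this runs offline."""


def require_authenticated_user(get_current_user, unauthorized_exc=UnauthorizedException):
    """Build a decorator that rejects a call when get_current_user() returns None.

    In a real Endpoints service pass endpoints.get_current_user and
    endpoints.UnauthorizedException. The wrapped method receives the resolved
    user as a keyword argument, so it never has to repeat the lookup and the
    check cannot be skipped by accident.
    """
    def decorator(method):
        @functools.wraps(method)
        def wrapper(self, request, *args, **kwargs):
            user = get_current_user()
            if user is None:
                # No valid Bearer token for an allowed audience/client ID: refuse the call
                raise unauthorized_exc("Authentication required")
            return method(self, request, *args, user=user, **kwargs)
        return wrapper
    return decorator


# Constructed stand-in for the Endpoints auth context. None models a request
# that carried no valid token; a dict models the user Endpoints would resolve.
_AUTH_CONTEXT = {"user": None}


def fake_get_current_user():
    """Hypothetical replacement for endpoints.get_current_user()."""
    return _AUTH_CONTEXT["user"]


def set_fake_user(email):
    """Set the constructed auth state: an email for an authenticated caller, None for anonymous."""
    _AUTH_CONTEXT["user"] = {"email": email} if email else None


class AppApi:
    """Minimal service mirroring the question's AppApi; Endpoints decorators omitted."""

    @require_authenticated_user(fake_get_current_user)
    def TestGet(self, request, user):
        # Only reached when the decorator has resolved a user
        return {"caller": user["email"]}


def call_test_get(email):
    """Invoke TestGet under a given (constructed) auth state.

    Returns the method's response dict, or the string "unauthorized" when the
    decorator rejected the call, so both outcomes are easy to check.
    """
    set_fake_user(email)
    try:
        return AppApi().TestGet({})
    except UnauthorizedException:
        return "unauthorized"


if __name__ == "__main__":
    print(call_test_get(None))                 # anonymous caller is rejected
    print(call_test_get("alice@example.com"))  # authenticated caller gets a response
```

With the real library, the decorator raises endpoints.UnauthorizedException, which Endpoints turns into a 401 response; the allowed_client_ids and audiences settings on @endpoints.api still decide which tokens get_current_user will accept, so both layers stay in play.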