RCM SAS

Reputation: 95

Restrict GAE Endpoint access

I'm searching for a means to restrict the API calls to only my Android client. The documentation says to use OAuth, but it seems to be a Google Account login.

How can I do it (or use this OAuth) with every type of user, the ones who have a Google Account (@gmail.com) and the ones who haven't?

Thanks for help.

Upvotes: 0

Views: 72

Answers (1)

Elliotte Rusty Harold

Reputation: 991

OAuth is indeed for authenticating users, not applications. I'm afraid there really isn't a good way to authenticate applications in this scenario, at least not without distributing cryptographically secure, hardened challenge-response hardware like a YubiKey along with your app.

This is a fundamentally difficult problem for any such web interface, by no means limited to Google Cloud Endpoints. The bottom line is that you can't really limit callers to your endpoint to only an application that you create, especially when that application is distributed to many end users, some of whom know how to dump memory or use a packet sniffer.

The best that can be done, to my knowledge, is to add a developer token to the calls. This is a private string which is known to your app, and would not be supplied by anything other than your app. This would simply be an additional parameter to each remote call. Such a token can certainly be extracted from your application by a mildly interested adversary with a minimum of competence, but it at least prevents other friendly developers from casually invoking your API under the assumption you don't mind them doing so. If you're really clever, you might devise a mechanism which would take a day to work around instead of an hour, but I doubt you can do better than that.

Given the weakness of this approach against malicious actors, I don't think there's any built-in support for this in Google Cloud Endpoints, though I suppose a service account comes close.

Upvotes: 1
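As an added illustration of the developer-token idea from the answer above (not code from the asker, the answerer, or Google Cloud Endpoints), here is the server-side check in plain Python: variant 1 accepts the token as an extra call parameter, and variant 2 goes one step further by having the app send an HMAC over the call keyed with the token, so the token itself never travels on the wire. The token value, the API path and the request bodies are constructed for the example; both variants remain speed bumps, since the token still ships inside the app.

```python
import hashlib
import hmac

# Server-side copy of the developer token. Constructed placeholder value,
# not a real secret; in a deployment it would come from server config.
DEV_TOKEN = b"example-dev-token-not-a-real-secret"


def check_plain_token(params):
    """Variant 1: the app passes the token itself as an extra parameter.

    Returns True only when the call carries the expected developer token.
    hmac.compare_digest is constant-time, so a wrong guess cannot be refined
    by measuring how long the comparison took.
    """
    supplied = params.get("dev_token", "")
    return hmac.compare_digest(supplied.encode(), DEV_TOKEN)


def sign_request(method, path, body, token=DEV_TOKEN):
    """Variant 2: the app computes an HMAC over the call instead of sending
    the token. A packet sniffer then sees only per-request signatures, and a
    captured signature cannot be replayed against a different path or body.
    """
    msg = b"\n".join([method.encode(), path.encode(), body])
    return hmac.new(token, msg, hashlib.sha256).hexdigest()


def check_signed_request(method, path, body, params):
    """Server side of variant 2: recompute the HMAC and compare it to the
    'dev_sig' parameter supplied by the caller."""
    supplied = params.get("dev_sig", "")
    expected = sign_request(method, path, body)
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample calls against a hypothetical Endpoints API path.
    path = "/_ah/api/myapi/v1/items"
    body = b'{"name": "widget"}'
    print(check_plain_token({"dev_token": DEV_TOKEN.decode()}))  # expected: True
    print(check_plain_token({}))                                  # expected: False
    sig = sign_request("POST", path, body)
    print(check_signed_request("POST", path, body, {"dev_sig": sig}))      # True
    print(check_signed_request("POST", path, b'{"name": "other"}', {"dev_sig": sig}))  # False
```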
