Android Client - Google App engine authentication

Published 2019-09-03 03:01

Question:

I have a web application that is written on Python / Google Appengine / WebApp2 framework. The web application has native (custom) authentication. The userid / password is managed by the application (and it does not use Google Accounts).

The web application needs to be extended to Mobile clients as well. So I am developing a native Android Client application and trying to integrate with Google Appengine.

For authentication from the Android Client to the Google app engine, I am trying to keep it very simple by using Google Cloud Endpoints. Can you please suggest if my approach below is correct?

  1. Generate a white list of client IDs using the Google app engine console (for Android, Web and eventually iOS).
  2. Create a Google Cloud Endpoint backend API (in Python) with the white list of clients (Web, Android and iOS) as suggested here – https://cloud.google.com/appengine/docs/python/endpoints/getstarted/backend/
  3. Create a backend library.
  4. Import the library to the Android Client.

My expectation after the above are as follows –

  1. End users using the Google Cloud Endpoints API (from Android Client) will authenticate the Android client with Google App engine.
  2. As part of this secure authentication of the Client-GAE, I can then pass the user login-id as a parameter of the API calls and get data / post data for that particular userid.
  3. I am storing the userid (not the password) for the end-user using local storage in the mobile client.

Can you please suggest if my approach above is correct? I purposefully would like to avoid using Google Accounts based authentication from Android Client to the GAE.

Answer 1:

In order to get an App Engine user instance injected into your API method by Google Cloud Endpoints, you do need to be using a Google account in the Android app. The service builder in your Android code takes a GoogleAccountCredential.

You can still support your own userid and password, but you can't leverage the user injection if you do.

[EDIT]

If you're not going to use Google Accounts in the Android app, forget the SHA1 and API key. You're going to have to roll your own auth. It's up to you how you do this, but you might start your session with an API call that takes a username and password and returns a token. All other API calls might take that token and check it for validity before returning a result, for example.
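The username-and-password-then-token scheme the answer sketches, as an added example in plain Python that is not code from the question, the answer or the Endpoints library: the login call verifies the password against the app's own user store and returns an opaque token, and every later call resolves that token to a user instead of trusting a client-supplied userid parameter. The user table, the injectable clock and the one-hour TTL are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # constructed value: how long an issued token stays valid


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 so the stored value is not a reusable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample user store (the app's own accounts, not Google Accounts):
# username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


class TokenAuth:
    """login() backs the 'start session' API call; authenticate() is what every
    other API method runs on its token parameter before returning user data."""

    def __init__(self, users, now=time.time):
        self._users = users
        self._now = now
        # Only a SHA-256 digest of each token is kept server-side, so a leaked
        # session table cannot be replayed against the API.
        self._sessions = {}  # token digest -> (username, expiry timestamp)

    def login(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Burn the same hashing cost for unknown users to avoid a timing tell.
            _hash_password(password, b"\x00" * 16)
            return None
        salt, stored = record
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, opaque to the client
        digest = hashlib.sha256(token.encode()).digest()
        self._sessions[digest] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def authenticate(self, token):
        digest = hashlib.sha256(token.encode()).digest()
        entry = self._sessions.get(digest)
        if entry is None:
            return None
        username, expiry = entry
        if self._now() >= expiry:
            del self._sessions[digest]  # expired: drop it and reject
            return None
        return username

    def logout(self, token):
        self._sessions.pop(hashlib.sha256(token.encode()).digest(), None)
```

The Android client only ever stores the token it was issued, and the server derives the userid from that token on every call.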