I'm developing a RESTful API for my app on GAE Python, and right now I'm trying to figure out the best way to secure this API.
I have my own member/authentication mechanism on this app.
What is the best way to do this?
having public/private key pairs
becoming an OAuth provider
HTTP authentication (seems very weak to me)
Other?
First, discard HTTP Auth. It is not recommended in a true REST API since it resides on cookies.
I would go with OAuth. There's a library called appengine_oauth_provider, which could help you start implementing your own provider.
You can use Google Service Account for User Authentication. However, people can still register an account and use your API, and surely your App Engine bill will go up. They've just introduced Google Cloud Endpoints at Google I/O 2012. You will have a Client ID which will only be used in your client application (Android, iOS).
Google I/O 2012 - Building Android Applications that Use Web APIs with Yaniv Inbar and Sriram Saroop
Google I/O 2012 - Building Mobile App Engine Backends for Android, iOS and the Web
If you are interested, you should try to sign up as a trusted tester at
http://endpoints-trusted-tester.appspot.com/
Related
I have a Google App Engine application deployed which contains and manages user data. My users may want to share their personal data with third party sites. Think Garmin sharing running data with myfitness pal or Strava.
The Google documentation gives good examples for using endpoints with iOS, Android, and JavaScript-based web apps. These examples use a client id but not a "client secret" and do not involve refreshing the access tokens.
I have a JavaScript app running on a third-party site that does one-time lookups against the API well.
I'd like to create a sample server app, preferably in Java, that would connect periodically using an assigned client secret and refresh access tokens.
I have found documentation for accessing Google APIs at the second link below, but it is not clear if "Google APIs" include Google App Engine endpoints or just the standard suite of Google APIs.
What is not clear to me is that at the first link the documentation suggests that a client library needs to be generated from the backend endpoint API using Maven or the endpoints.sh tool. Examples are provided for iOS/Android, but there is no discussion of third-party access.
Does anyone know if the server access configuration I describe is possible with custom endpoints? Has anyone encountered example code for a server app that uses refresh tokens against an endpoint API?
Thanks!
End Points Documentation:
https://cloud.google.com/appengine/docs/java/endpoints/auth
OAuth Documentation:
https://developers.google.com/identity/protocols/OAuth2InstalledApp
I am using SendGrid APIs to send bulk emails. We have a cloud application on Android and web using Google App Engine. As we know, Google App Engine has a limited quota, so we are supposed to use FREE, i.e. 12k/month, to send emails. We have integrated it properly. If I run the code locally, i.e. localhost:888, it works, but if I deploy the code and try it from there, then I get the exception below. I have already created an account on SendGrid and verified it as well.
com.google.apphosting.api.ApiProxy$FeatureNotEnabledException: The
Socket API will be enabled for this application once billing has been
enabled in the admin console
Is it really necessary to have a billing account?
You can use SendGrid's web API, which does not require the Socket API in App Engine.
If you want to use SendGrid's SMTP API, you will have to enable billing. I would recommend using the web API though.
They have an example I successfully use in one of my projects.
I have a web application hosted in Google App Engine and I need to handle some APIs (calendar). I need to authenticate the user via OAuth and to call an API.
I'm going to guess you are talking about the Google Calendar API, since you didn't specify. Information about using the Google Calendar API (in Java) is here. The document isn't specifically tailored to App Engine, but you can see some App Engine examples in the client library distribution.
You can try scribe-java. It works on GAE. Or maybe scribe-up which is an extension to it and supports getting user profiles out of the box.
Ran into an interesting issue with Google App Engine (on the Java runtime). From within an App Engine task/view, I'm attempting to contact an external webservice API.
The external API uses OAuth for authentication and only accepts requests over SSL. The particular method I'm calling is a POST request.
Option 1: Use the App Engine URLFetch Service. However, I don't see a way to do the OAuth signing. URL Fetch uses the java.net HttpURLConnection, which streams its requests, precluding signing. My go-to Java OAuth library is oauth-signpost, but it doesn't support java.net for this reason. Is there an OAuth library that is compatible with HttpURLConnection?
Option 2: Use another URL fetching library. My favorite HTTP library is the Apache Commons HTTP library. However, this causes a problem when using SSL, since javax.ssl is prohibited by the App Engine sandbox. I get the following error attempting to use the Apache library over SSL:
java.lang.NoClassDefFoundError: javax.net.ssl.KeyManagerFactory is a restricted class. Please see the Google App Engine developer's guide for more details.
at javax.net.ssl.KeyManagerFactory.<clinit>(KeyManagerFactory.java)
at org.apache.http.conn.ssl.SSLSocketFactory.createSSLContext(SSLSocketFactory.java:223)
I assume because you can't open sockets directly.
This is all a sad confluence of OAuth / POSTs / SSL / App Engine which I don't quite see a way out of. Would love to hear any and all suggestions =)
google-oauth-java-client
HttpClient should work in App Engine, if you use a custom ConnectionManager that wraps UrlFetch. Details are here and here.
What is the best way to access Google Documents (documents, spreadsheets etc. from Google Apps or Gmail) using Java on Google App Engine? We are using GWT on the client side.
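An added example, not code from this thread or from any library named in it: an OAuth 1.0a HMAC-SHA1 signature (RFC 5849) is computed from the method, URL and parameters, so the Authorization header can be built with plain JDK classes before a form-encoded POST is written to an HttpURLConnection. The class name, URL and credentials are constructed placeholders, and java.util.Base64 assumes Java 8 or later.

```java
import java.net.URLEncoder;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class OAuth1HeaderExample {
    // RFC 5849 section 3.6 percent-encoding, derived from URLEncoder's form encoding.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Authorization header for a form-encoded request. Assumes url is already the base
    // string URI (no query string) and that no parameter name is repeated.
    static String authorizationHeader(String method, String url, Map<String, String> form,
            String consumerKey, String consumerSecret, String token, String tokenSecret,
            String nonce, String timestamp) throws Exception {
        TreeMap<String, String> oauth = new TreeMap<>();
        oauth.put("oauth_consumer_key", consumerKey);
        oauth.put("oauth_nonce", nonce);
        oauth.put("oauth_signature_method", "HMAC-SHA1");
        oauth.put("oauth_timestamp", timestamp);
        oauth.put("oauth_token", token);
        oauth.put("oauth_version", "1.0");
        // Signature base string covers protocol and form parameters, sorted by encoded name.
        TreeMap<String, String> all = new TreeMap<>();
        for (Map.Entry<String, String> e : oauth.entrySet()) all.put(enc(e.getKey()), enc(e.getValue()));
        for (Map.Entry<String, String> e : form.entrySet()) all.put(enc(e.getKey()), enc(e.getValue()));
        StringBuilder norm = new StringBuilder();
        for (Map.Entry<String, String> e : all.entrySet())
            norm.append(norm.length() > 0 ? "&" : "").append(e.getKey()).append('=').append(e.getValue());
        String base = method.toUpperCase() + "&" + enc(url) + "&" + enc(norm.toString());
        // HMAC key: consumer secret and token secret joined by '&'; neither goes on the wire.
        byte[] key = (enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes("UTF-8");
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        oauth.put("oauth_signature", Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes("UTF-8"))));
        StringBuilder header = new StringBuilder("OAuth ");
        for (Map.Entry<String, String> e : oauth.entrySet())
            header.append(header.length() > 6 ? ", " : "").append(e.getKey()).append("=\"").append(enc(e.getValue())).append('"');
        return header.toString();
    }
    public static void main(String[] args) throws Exception {
        Map<String, String> form = new TreeMap<>();
        form.put("status", "hello world"); // constructed form field
        String nonce = UUID.randomUUID().toString().replace("-", ""); // fresh per request
        String timestamp = Long.toString(System.currentTimeMillis() / 1000);
        // Constructed URL and credentials; pass the result to setRequestProperty("Authorization", ...).
        System.out.println(authorizationHeader("POST", "https://api.example.com/v1/update", form,
                "consumer-key", "consumer-secret", "access-token", "token-secret", nonce, timestamp));
    }
}
```

The form body sent afterwards must carry exactly the parameters that were signed, or the server's recomputed signature will not match.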
Thanks,
Carl
The Google Data Client for Java is supposed to work on the Google App Engine.
It gives you access to most of Google Apps Services.
Google has Google Client API, which probably has better support for OAuth2, JSON and API discovery, but the old API should still work.
Read about Migrating To Google Api Java Client; this should resolve any confusion you might have.