Ran into an interesting issue with google app engine (on the java runtime). From within an app engine task/view, I'm attempting to contact an external webservice API.
The external API uses OAuth for authentication and only accepts requests over SSL. The particular method I'm calling is a POST request.
Option 1: Use the AppEngine URLFetch Service. However, I don't see a way to do the OAuth signing. URL Fetch uses the java.net HttpURLConnection, which streams it's requests, precluding signing. My go-to java OAuth library is oauth-signpost, but it doesn't support java.net for this reason. Is there an OAuth library that is compatible with HttpURLConnection?
Option 2: Use another URL fetching library. My favorite HTTP library is the apache commons HTTP library. However, this causes a problem when using SSL, since javax.ssl is prohibited by the app engine sandbox. I get the following error attempting to use the apache library over SSL:
java.lang.NoClassDefFoundError: javax.net.ssl.KeyManagerFactory is a restricted class. Please see the Google App Engine developer's guide for more details.
at javax.net.ssl.KeyManagerFactory.<clinit>(KeyManagerFactory.java)
at org.apache.http.conn.ssl.SSLSocketFactory.createSSLContext(SSLSocketFactory.java:223)
I assume because you can't open sockets directly.
This is all a sad confluence of OAuth / POSTs / SSL / App engine which I don't quite see a way out of. Would love to hear any and all suggestions =)
google-oauth-java-client
HttpClient should work in AppEngine, if you use custom ConnectionManager that wraps UrlFetch. Details are here and here.
Related
I have created some APIs using JAX-RS jersey. I have been given task to secure them using Oauth 2.0. In google I found many articles in which they explain how can I access google API, facebook API etc. they told me how to access already created APIs
But my question is how can I make my API secure using Oauth in java so that when another applcation want to access, it needs to provide authorization and authentication token etc.
Can anybody help me with the code in java. you can suggest some even paid tutorial of udemy coursera if you know. I will opt for them. I am not using any framework like Spring or Springboot.
I would advies checking out the following page:
https://www.baeldung.com/spring-security-oauth-jwt
It makes use of keycloack for authorization server and spring for configuring the resource server.
I have a Google App Engine application deployed which contains and manages user data. My users may want to share their personal data with third party sites. Think Garmin sharing running data with myfitness pal or Strava.
The google documentation is gives good examples for using endpoints with iOS, Android, and javascript based web apps. These examples use a client id but not a "client secret" and do not involve refreshing the access tokens.
I have a javascript app running on a third-party site that does one time lookups against the api well.
I’d like to create a sample server app, preferably in java, that would connect periodically using an assigned client secret and refresh access tokens.
I have found documentation for accessing Google API's at the second link below but it is not clear if "Google APIs" include Google App Engine endpoints or just the standard suite of google apis.
What is not clear to me is that at the first link the documentation suggests that a client library needs to be generated from the backend endpoint api using maven or the endpoints.sh tool. Examples are provided for iOS/Android but there is no discussion for third party access.
Does anyone know is the server access configuration I describe possible with custom endpoints? Has anyone encountered example code for a server app that uses refresh tokens against an endpoint api?
Thanks!
End Points Documentation:
https://cloud.google.com/appengine/docs/java/endpoints/auth
OAuth Documentation:
https://developers.google.com/identity/protocols/OAuth2InstalledApp
I'm developing a RESTful API for my app on GAE python and right now I'm trying to figure out the best way to secure this API.
I have my own member/authentication mechanism on this app.
what is the best way to do this?
having public/private key pairs
becoming an OAuth provider
HTTP authentication (seems very weak to me)
other??
First, discard HTTP Auth. It is not recommended in a true REST API since it resides on cookies.
I would go with OAuth. There's a library called appengine_oauth_provider, which could helps you to start implementing your own provider.
You can use Google Service Account for User Authentication. However, people still can register an account and use your API and surely your app engine bill will go up. They've just introduce Google Cloud Endpoints at Google I/O 2012. You will have a Client ID which will only use on your client application(Android,iOS).
Google I/O 2012 - Building Android Applications that Use Web APIs with Yaniv Inbar and Sriram Saroop
Google I/O 2012 - Building Mobile App Engine Backends for Android, iOS and the Web
If you are interested in, you should try to sign up for trusted tester at
http://endpoints-trusted-tester.appspot.com/
I have a web application hosted in Google app engine and i need to handle some APIs (calendar). I need to authenticate the user via OAuth and to call an API.
I'm going to guess you are talking about the Google Calendar API, since you didn't specify. Information about using the Google Calendar API (in Java) is here. The document isn't specifically tailored to App Engine, but you can see some App Engine examples in the client library distribution.
You can try scribe-java. It works on GAE. Or maybe scribe-up which is an extension to it and supports getting user profiles out of the box.
I'm developing a Java ME app and I want to give it social features. Is it possible to connect to Facebook or Twitter directly from the app, without an intermediate server?
These API's are just HTTP when it comes down to bits-on-the-wire. Java ME supports HTTP with the classes in the javax.microedition.io.* package.
http://java.sun.com/javame/reference/apis/jsr118/javax/microedition/io/Connector.html
http://java.sun.com/javame/reference/apis/jsr118/javax/microedition/io/HttpConnection.html
It's been a while but ISTR having to use GET and POST for everything when using these, no RESTful PUT and DELETE.
Java Client Libraries for the Twitter API
Facebook access for Java
Those should get you started.
You don't need to use any type of middleware or anything to access services that expose an API, but you will need a client library that either you or somebody else has built (like the ones linked to above).
Good luck!