Question
The API is a backend to a mobile app. I don't need user authentication. I simply need a way to secure access to this API. Currently, my backend is exposed.
The documentation seems to only talk about user authentication and authorization, which is not what I need here. I just need to ensure only my mobile app can talk to this backend and no one else.
Recommended answer
Yes, you can do that: use authentication to secure your endpoints without doing user authentication.
I have found that this way of doing it is not well documented, and I haven't actually done it myself, but I intend to, so I paid attention when I saw it being discussed in some of the IO13 videos (I think that's where I saw it):
Here's my understanding of what's involved:
- Create a Google API project (even though this doesn't really involve their APIs, other than the authentication itself).
- Create OAuth client IDs, which are tied to your app by its package name and the SHA1 fingerprint of the certificate used to sign the app.
You will add these client IDs to the list of acceptable IDs for your endpoints. You will add the User parameter to your endpoints, but it will be null since no user is specified.
import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.ApiMethod;

@ApiMethod(
    name = "sendInfo",
    clientIds = { Config.WEB_CLIENT_ID, Config.MY_APP_CLIENT_ID, Config.MY_DEBUG_CLIENT_ID },
    audiences = { Config.WEB_CLIENT_ID }
    // Yes, you specify a 'web' ID even if this isn't a Web client.
)
public void sendInfo(User user, Info greeting) {
    // 'user' is injected by the Endpoints framework; it is null here because
    // the client never selects an account (no user authentication).
}
There is some decent documentation about the above here: https://developers.google.com/appengine/docs/java/endpoints/auth
Your client app will specify these client IDs when formulating the endpoint service call. All the OAuth details will get taken care of behind the scenes on your client device, such that your client IDs are translated into authentication tokens.
import com.google.api.client.extensions.android.http.AndroidHttp;
import com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;

HttpTransport transport = AndroidHttp.newCompatibleTransport();
JsonFactory jsonFactory = new JacksonFactory();
GoogleAccountCredential credential = GoogleAccountCredential.usingAudience( ctx, Config.WEB_CLIENT_ID );
//credential.setSelectedAccountName( user ); // deliberately not specifying a user
Myendpoint.Builder builder = new Myendpoint.Builder( transport, jsonFactory, credential );
This client code is just my best guess - sorry. If anyone else has a reference for exactly what the client code should look like, then I too would be interested.