1

I'm extremely stuck at the moment with authentication and Cloud Endpoints. I've looked at these two answers and I'm still unsure of how to approach this problem.

Google Cloud Endpoints and user's authentication

Custom Authentication for Google Cloud Endpoints (instead of OAuth2)

It seems like whenever I run into authentication, I'm thrown for a loop haha. Is there a guide or anything I could read on how to write custom authentication code for Cloud Endpoints? It seems Google is adamant that you use OAuth2, but I would rather not be stuck on Google accounts.

Basically, I'm just trying to have a simple, email/password authentication system from Android as well as a React frontend (both would be consuming the same API). Would either use the same or different approaches?

I'm so lost :|

Community
  • 1
  • 1
Mmm Donuts
  • 9,551
  • 6
  • 27
  • 49
  • 1
    The main issue with switching from oauth to your custom auth is that oauth2 handles sessions for you. If you switch away from oauth2 you'll have to handle sessions yourself or you have to send your credentials with every request (which is possible but not the best of all ideas). If that is good enough for you, you can inject the HTTP headers in your endpoint and just do basic authentication. Note: I don't do python on GAE but python should have the same spectrum of functionality. – konqi Oct 16 '15 at 11:10
  • ^^^ this is the correct answer, and I'll add the security advice that "rolling your own" is not necessarily a good idea unless you really know what you're doing, and that not many people are going to want to come up with another unique password for your service - otherwise they're risking compromising a reused password. – Nick Oct 16 '15 at 14:58
  • Oh man, you'd think that this would be a common thing that users would want to implement. I get that Google wants you to use their accounts for Authentication, but I'm sure there's loads of people that want to utilize their own credentials. @Nick - I know, I know. So would you suggest that I just stick to Google Plus? – Mmm Donuts Oct 16 '15 at 15:59
  • If you can come up with a technical proposal to allow third-party auth in Endpoints (via headers, some kind of runtime support), you could post it to the [public issue tracker](https://code.google.com/p/google-appengine/issues/list). I do, however, for the meantime, highly suggest using OAuth over password authentication, due to the comparative security properties of both strategies. – Nick Oct 16 '15 at 16:21
  • 1
    You may also be able to use the Google Identity Toolkit. https://developers.google.com/identity/toolkit/ You would still need to roll your own integration to endpoints, but you can let the library handle the authentication details for you. See http://stackoverflow.com/questions/30809352/google-cloud-endpoints-with-google-identity-tool-kit – Josh J Oct 16 '15 at 18:17

0 Answers0