 

User Authorization for Cloud Endpoints

I'm working on a cloud endpoints backend and want to restrict certain operations to admin users.

My current code works like this:

@ApiMethod(httpMethod = "PATCH", name = "item.update", path = "items")
public Item update(Item newObject, User user)
        throws UnauthorizedException, OAuthRequestException {
    OAuthService oAuthService = OAuthServiceFactory.getOAuthService();
    if (!oAuthService.isUserAdmin()) {
        throw new UnauthorizedException("Only admin users can modify content.");
    }
    ...
}

I know App Engine has a concept of user roles, but I'm curious if Endpoints do. I've tried using the OAuthService.isUserAdmin() call, but that doesn't seem to be working out very well, and the docs have a big old warning saying:

Note: You should not confuse Endpoints auth with the auth for non-Endpoints App Engine web apps described in the article on configuration settings (https://developers.google.com/appengine/articles/auth) in the Admin Console, where you also specify the user login requirement in your web.xml (https://developers.google.com/appengine/docs/java/config/webxml#Security_and_Authentication) file. That approach is not used with Endpoints.

Do I have to create some sort of authorization myself that uses the User object that's passed into the update method? Any thoughts?

rharter asked May 20 '26 05:05


1 Answer

I had similar issues. Indeed, the OAuth user service has nothing to do with the AppEngine user service. What I ended up doing was having a dedicated user type entity in my datastore where I store a specific flag (regular/admin) for each user. This flag is updated when I use the AppEngine user service (i.e. so that the administrators I specified in the console get the proper admin flag).

In my endpoints API I get the current user's authDomain and id, and look them up in my datastore to check whether the user has the admin flag. The key of my user entity is composed of "authDomain:userId" and, as I only support Google users for now, it looks like (gmail.com:123456789).

This means that an administrator has to log in once using the AppEngine UserService (i.e. a dedicated webpage in my case) so that the flag is properly updated.

alextk answered May 21 '26 20:05
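
A sketch of the approach described in the answer above, added here as an example; it is not code from the answer's author. The class name AdminGuard, the entity kind "AppUser" and the property name "admin" are assumptions chosen for illustration. The lookup denies by default: a missing user, a missing id or an unknown entity is treated as non-admin.

```java
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.datastore.DatastoreServiceFactory;
import com.google.appengine.api.datastore.Entity;
import com.google.appengine.api.datastore.EntityNotFoundException;
import com.google.appengine.api.datastore.Key;
import com.google.appengine.api.datastore.KeyFactory;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

/** Hypothetical helper: per-user admin flag stored under the key "authDomain:userId". */
public final class AdminGuard {
    private static final String KIND = "AppUser";      // assumed entity kind
    private static final String ADMIN_PROP = "admin";  // assumed property name
    private static Key keyFor(User user) {
        // Incomplete identity yields no key, so callers deny instead of guessing.
        if (user == null || user.getAuthDomain() == null || user.getUserId() == null) {
            return null;
        }
        return KeyFactory.createKey(KIND, user.getAuthDomain() + ":" + user.getUserId());
    }

    /** Call first in an @ApiMethod, passing the User that Endpoints injects. */
    public static void requireAdmin(User user) throws UnauthorizedException {
        Key key = keyFor(user);
        boolean admin = false; // deny by default
        try {
            if (key != null) {
                admin = Boolean.TRUE.equals(DatastoreServiceFactory.getDatastoreService()
                        .get(key).getProperty(ADMIN_PROP));
            }
        } catch (EntityNotFoundException e) {
            // Unknown user: stays non-admin.
        }
        if (!admin) {
            throw new UnauthorizedException("Only admin users can modify content.");
        }
    }

    /** Call from the dedicated web page that signs in through the App Engine UserService. */
    public static void syncFlagFromUserService() {
        UserService us = UserServiceFactory.getUserService();
        Key key = us.isUserLoggedIn() ? keyFor(us.getCurrentUser()) : null;
        if (key == null) return;
        Entity e = new Entity(key);
        e.setProperty(ADMIN_PROP, us.isUserAdmin()); // also clears the flag on demotion
        DatastoreServiceFactory.getDatastoreService().put(e);
    }
}
```

The stored flag only changes when syncFlagFromUserService() runs for that account, so an administrator removed in the console stays flagged until their next visit to that page; revocation needs its own path.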


