Is there any way to have authenticated Google Endpoints in an Android app using GoogleApiClient without being forced to have GET_ACCOUNTS permission?

Android 23+ with new runtime permissions will then ask the user for the undesirable READ_CONTACTS permission. It seems strange that all Android apps with Google Endpoints would now require READ_CONTACTS permission.

The closest StackOverflow question I can find is this, but it claims that it may only work for a very limited time. This Google post provides some guidance using tokens, but not for Endpoints.

aez
  • If you check the Google Document, the only way is by using the ACCOUNTS permission. In supporting requests to an Endpoint that requires authentication, your Android client needs to get user credentials and pass them to the service object. Check this [page](https://cloud.google.com/appengine/docs/java/endpoints/consume_android) for more info. Also, before your game can make any calls to the Google Play games services, it must first establish an asynchronous connection with the Google Play servers by using a GoogleApiClient object and authenticating the user with the Google Play games services. – KENdi Mar 28 '16 at 12:42
  • @aez - Can you reference where it says you need GET_ACCOUNTS? READ_CONTACTS is only needed if you are reading the contacts or getting the contact information for the current user. – Clayton Wilkinson Mar 28 '16 at 15:27
  • @KENdi - Yes, requiring GET_ACCOUNTS permission is the problem. Android Marshmallow and above (23+) which groups GET_ACCOUNTS with the READ_CONTACTS (@Clayton see [this](http://developer.android.com/guide/topics/security/permissions.html#normal-dangerous)) permission will then require, at runtime, permission from the user for READ_CONTACTS. This means to me that any Marshmallow or above Android app using Google Endpoints will require READ_CONTACTS permission at runtime. – aez Mar 29 '16 at 01:05
  • When you say "Google Endpoints" what do you mean? For example you can call Game Services APIs without this permission (no additional permissions are required). – Clayton Wilkinson Mar 31 '16 at 18:08
  • I think the proper name is "Google Cloud Endpoints", described [here](https://cloud.google.com/appengine/docs/java/endpoints/). And if you use authenticated Google Cloud Endpoints, you must use GET_ACCOUNTS. So, yes, I can use Game Services APIs, but if I use an authenticated Google Cloud Endpoints backend, I have the permission problem. – aez Apr 01 '16 at 01:21

1 Answer

I finally found the solution. I updated the answer on the question you mentioned.

To avoid the 1 hour token limitation, use GoogleSignInApi.silentSignIn() to get a new token before every call you make to your endpoint. For example if you are not in the UI thread:

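```java
import com.google.android.gms.auth.api.signin.GoogleSignIn;
import com.google.android.gms.auth.api.signin.GoogleSignInAccount;
import com.google.android.gms.auth.api.signin.GoogleSignInClient;
import com.google.android.gms.auth.api.signin.GoogleSignInOptions;
import com.google.android.gms.tasks.Tasks;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;

GoogleSignInOptions options = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN).requestEmail()
                .requestIdToken(CLIENT_ID)
                .build();
GoogleSignInClient client = GoogleSignIn.getClient(context, options);
// Tasks.await() blocks (never call it on the UI thread) and throws ExecutionException / InterruptedException
GoogleSignInAccount user = Tasks.await(client.silentSignIn());

// Use the new user token as before
GoogleCredential credential = new GoogleCredential.Builder().setTransport(new NetHttpTransport())
        .setJsonFactory(JacksonFactory.getDefaultInstance())
        .build();
credential.setAccessToken(user.getIdToken());
```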
9and3r