Open Burtan opened 7 years ago
Are you using the endpoints-management-control-appengine dependency? Also, it doesn't really provide the same functionality, as API keys do not reveal identity. See this article.
Yes, I'm using these endpoints dependencies:
compile 'com.google.endpoints:endpoints-framework-tools:2.0.7'
compile 'com.google.endpoints:endpoints-management-control-appengine:1.0.3'
Your linked article says that API-keys identify projects. ClientIds do the same, don't they?
Yes, but a client id is used to assert that a token is coming from a specific source. If you don't validate a client id from a token, then a malicious party could take that token and use it with their own API key. In addition, API keys are not considered secure auth tokens.
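The check described in the reply above, as an added example that is not part of the original thread and does not use the Endpoints Frameworks library: a plain-Java model of the two gates, showing why an API key alone does not tie a token to your own clients. All client IDs, keys, project names and the `Token` record are constructed for illustration, and the token is assumed to be signature-verified already.

```java
import java.util.Map;
import java.util.Set;

// Added example: models the authorization decision only.
// Every identifier and value below is hypothetical.
public class ClientIdCheckDemo {

    // Client IDs the API accepts (what a clientIds allow-list expresses).
    static final Set<String> ALLOWED_CLIENT_IDS =
            Set.of("1234-web.apps.example", "1234-android.apps.example");

    // An API key maps to a calling project, not to a user or an OAuth client.
    static final Map<String, String> API_KEY_TO_PROJECT = Map.of(
            "KEY-OWNER-PROJECT", "owner-project",
            "KEY-OTHER-PROJECT", "other-project");

    // Claims of a token whose signature has already been verified (assumption).
    record Token(String subject, String authorizedParty) {}

    // Gate 1: answers "which project is calling?" and says nothing about the token.
    static boolean apiKeyAccepted(String apiKey) {
        return apiKey != null && API_KEY_TO_PROJECT.containsKey(apiKey);
    }

    // Gate 2: the token must have been issued to one of our own clients.
    static boolean clientIdAccepted(Token token) {
        return token != null
                && token.authorizedParty() != null
                && ALLOWED_CLIENT_IDS.contains(token.authorizedParty());
    }

    static boolean authorize(String apiKey, Token token, boolean validateClientId) {
        if (!apiKeyAccepted(apiKey)) return false;
        return !validateClientId || clientIdAccepted(token);
    }

    public static void main(String[] args) {
        Token ours = new Token("user-1", "1234-web.apps.example");
        // Same user, but the token was issued to a client we never registered.
        Token foreign = new Token("user-1", "9999-unknown.apps.example");

        // Case 1: own client, own key, both gates on.
        System.out.println(authorize("KEY-OWNER-PROJECT", ours, true));
        // Case 2: foreign token presented with another project's key, key gate only.
        System.out.println(authorize("KEY-OTHER-PROJECT", foreign, false));
        // Case 3: same request as case 2 with the client ID gate enabled.
        System.out.println(authorize("KEY-OTHER-PROJECT", foreign, true));
    }
}
```

Comparing cases 2 and 3 shows the difference between the two mechanisms: the key gate passes any registered key, and only the client ID gate looks at who the token was issued to.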
Hi, I'm securing my API by OAuth2 authentication which also requires a clientId for each application accessing the API. API-keys seem to offer the same functionality as clientIds but provided by a different framework. However, it seems that restricting the API with API-keys:
apiKeyRequired = AnnotationBoolean.TRUE
has no real consequence as my applications can still call the API without any API-key.