Google Cloud Platform

Authentication on the Mobile Backend Starter

The Mobile Backend Starter has two forms of access control:

  • Client ID and Google Account authentication
  • Access control for Cloud Entities

Client ID and Google Account Authentication

As described in Running the Android Sample and Running the iOS Sample, you can set Authentication/Authorization settings to one of the three modes:

  • Locked Down - All requests will be rejected
  • Open - All unauthenticated requests will be allowed
  • Secured by Client IDs - Only authenticated calls with Client ID and Google Account are allowed

Open mode should be used only for development purposes as it allows unauthenticated calls. The Project ID is the only information required to make a call on the backend in this mode.

For production usage, we recommend Secured by Client IDs. It only allows authenticated calls associated with both of the following:

  • A registered Client ID - to ensure that only the mobile apps built by your development team can access the backend
  • A Google Account - to ensure Google has authenticated the requesting user

Any calls that originate from a client without a correct Client ID or Google Account will raise an UnauthorizedException on the client app. By default, calls to the backend are not associated with a user's Google account.

To enable authentication on the client, add the CloudBackendFragment class to your Activity, and implement the standard Listener pattern:

public class GuestbookActivity extends Activity implements OnListener {
/* ... */
public void onCreateFinished() {
    /* ... */

To enable (or disable) the security features, you need to turn authenticaion on or off in the Consts class.

public static final boolean IS_AUTH_ENABLED = true;

Use the getCloudBackend() method on the Fragment to get a CloudBackendMessaging instance. Use this instance to call the asynchronous API implemented by CloudBackendAsync. Provide these methods with your own CloudCallbackHandler:

getCloudBackend().listByKind("Guestbook", CloudEntity.PROP_CREATED_AT,
    Order.DESC, 50, Scope.FUTURE_AND_PAST, handler);

If you want to pass the user’s Google Account info to the backend on each call, use the CloudBackend#setCredential() method (also available on the subclasses, CloudBackendAsync and CloudBackendMessaging) to set a GoogleAccountCredential object before calling any Mobile Backend methods.

GoogleAccountCredential credential = GoogleAccountCredential.usingAudience(this, "<Web Client ID>");
credential.setSelectedAccountName("<Google Account Name>");

Setting credientials enables the client to operate when the backend is in “Secured by Client ID” mode and also sets createdBy/updatedBy/owner properties of CloudEntity automatically.

The Guestbook example demonstrates how this class is used in the sample code.

Access Control for Cloud Entities

The Cloud Backend API provides an access control feature on CloudEntities. You can specify access control by adding one of the following prefix on kind name of the entities:

Kind Name Prefix get/query update/delete insert
[private] entity owner entity owner anyone
(no prefix) anyone entity owner anyone
[public] anyone anyone anyone

For example, a kind name Contact allows anyone to insert entities and get/query existing Contact entities. But only the entity owners can update or delete each entity. If any user tries to update someone else’s entity, the backend raises an UnauthorizedException. If you do not want to make the Contact entities readable by everyone name the kind [private]Contact. A query on the kind to get a list of all entities only gets the entities owned by the querying user. The entities in [private] kinds are stored with a different namespace for each Google Account, thus isolation between users is assured.

If you create a kind named [public]Contact, all the entities readable and writable by anyone. Also, any entities without a valid UserID assigned to its owner property will be readable and writable by anyone too.

Authentication required

You need to be signed in with Google+ to do that.

Signing you in...

Google Developers needs your permission to do that.