The Google Plugin for Eclipse is deprecated and will be removed in January 2018. Migrate to Cloud Tools for Eclipse and/or the GWT Eclipse Plugin as soon as possible to avoid disruption.

Adding Authentication Support

Endpoints can be authenticated with Google Accounts using OAuth 2.0. This allows your Endpoint to verify and know the identity of the authenticated user. The instructions below will lead you through the process of adding Authentication to your Endpoints using the CloudNotes sample.

Note: Android authentication code shown here requires the google-play-services.jar file to be included in your libs/ folder.

To add authentication support:

  1. Register a client ID in the Google APIs Console for your Android application, following the Google API Console instructions on generating OAuth 2.0 client IDs. Be sure to select Installed application (Android) as the Application type:

    You use the generated client ID value as your ANDROID_CLIENT_ID.
  2. Following that same procedure, create another client ID, but this time for a Web application. This will be your WEB_CLIENT_ID.
  3. Create and register an App Engine project ID using the console.
  4. Add that project ID to your project appengine-web.xml.
  5. In the Endpoint class, under the @Api annotation (or the @ApiMethod annotation), set the clientIds attribute to the Android client ID that you generated above, and set the audience attribute to the Web client ID you generated above as well, as shown in the following code snippet:
    @Api(name = "noteendpoint",
    clientIds = {"<ANDROID_CLIENT_ID_HERE>"},
    audiences = {"<WEB_CLIENT_ID_HERE>"})
    public class NoteEndpoint {...}
  6. In your code, import and then add a User object as an additional parameter to your method. For an authenticated call, App Engine automatically fills in this attribute with the logged on user. The following code shows adding a User parameter to the listNote() method:
    public CollectionResponse<Note> listNote(User user,
        @Nullable @Named("cursor") String cursorString,
        @Nullable @Named("limit") Integer limit) {...}
  7. Modify any methods making Datastore queries to query by the logged in User’s email address. The following code snippet shows querying for Notes for a given User in the listNode method:
    Query query = mgr.createQuery("select n from Note n where n.emailAddress = :emailAddress");
    query.setParameter("emailAddress", user.getEmail());
  8. Authenticate the user in the Android application. The credentials obtained are used when communicating with the Endpoint.
    1. In the sample, add the following variables to the class:
      String accountName;
      GoogleAccountCredential credential;
      static final String WEB_CLIENT_ID = <WEB_CLIENT_ID_HERE>;
      static final int REQUEST_ACCOUNT_PICKER = 1;
      and these imports:
      import android.content.Intent;
      import android.accounts.AccountManager;
    2. Obtain the credentials in the onCreate method. If there is a call to AsyncTask in the code (which will be the case if your project was created through the App Engine Connected Android wizard), remove it. (AsyncTask is done after the credentials are obtained.)
      credential = GoogleAccountCredential.usingAudience(this,"server:client_id:" + WEB_CLIENT_ID);
      startActivityForResult(credential.newChooseAccountIntent(), REQUEST_ACCOUNT_PICKER);
    3. Add the following method after onCreate. This prepares the credentials once the user has picked the correct account in the UI, and makes a call to the AsyncTask that connects with the Endpoint:
      protected void onActivityResult(int requestCode, int resultCode, Intent data) {
         super.onActivityResult(requestCode, resultCode, data);
         switch (requestCode) {
            case REQUEST_ACCOUNT_PICKER:
               if (data != null && data.getExtras() != null) {
               accountName = data.getExtras().getString(AccountManager.KEY_ACCOUNT_NAME);
               if (accountName != null) {
                  new EndpointsTask().execute(getApplicationContext());
    4. Finally, make sure you pass the credentials when communicating with the Endpoint. Just to demonstrate, we’ll also pass the e-mail address obtained from the credentials as one of the parameters. In AsyncTask, endpointBuilder should receive the credential obtained earlier:
      Noteendpoint.Builder endpointBuilder = new Noteendpoint.Builder(
                    new JacksonFactory(),
    5. Just to demonstrate how to do this, let's also pass the e-mail address obtained from the credentials as a field in the Note. ()The actual authentication is done on the Endpoint in the backend, through the User object.)
  9. Deploy the App Engine application to the server.
  10. Run the app as you usually would, selecting a USB-connected Android device as the target (currently OAuth2 on Android only works on a physical device). Authenticate by selecting an account when prompted to do so.
  11. Verify that the Notes were inserted in the Datastore Viewer of your App Engine app.

Send feedback about...

Google Plugin for Eclipse