GSP Authenticator Framework
RPC calls through GSP often require some level of authentication in order to perform their work. Typically, many of these authentication details must be sent through the HTTP headers (including cookies), since GWT RPC uses the request body for its data. Until GSP is able to provide support for the RequestBuilder systems that GWT has, we provide the Authenticator framework, which should cover some of the most common authentication needs. This framework is of course in development, so if you find a need, submit an issue, or fork and submit a PR. The GSP Library and Android library provide a few Authenticators for common use against Google's App Engine.
If you create a custom Authenticator and set it within the SyncProxy's ProxySettings object, the authenticator's data will be retrieved with each individual RPC call. So if your authentication data changes between calls (such as tokens being refreshed), as long as your authenticator is up to date, you don't need to make any changes to the service instance, as the GSP framework will simply retrieve the data at the RPC network calling point.
More Guide data coming soon.
The provided Authenticators send authentication data that can be automatically interpreted by the Servlet's systems on App Engine. However, the provided Android Authenticator sends the authentication data in a different manner, so some enhancement is needed on the server side to properly access and parse user data. To simplify this, GSP provides a small server-side library with an enhanced RemoteServiceServlet class that your servlets can extend. This class, CrossClientAuthRSS, and its methods can automatically handle and provide you with a User object regardless of the client type. You may of course use your own solution and use this class as a guide. To use this class, simply have your servlets extend CrossClientAuthRSS instead of RemoteServiceServlet. Then, to get a User object, instead of needing to get the OAuthUserFactory or UserFactory, simply call the method #getCurrentUser(). This will return a user object with the e-mail and id appropriately set. There is a small loss of functionality in that, without App Engine's user service, you cannot check if the logged-in user is an Admin user.
Specifically, the CrossClientAuthRSS adds special handling for the case where a Cross Client Id Token is provided in the header of an RPC call (automatically done by GSP when using the AndroidGAECrossClientAuthenticator or AndroidGSIAuthenticator). The enhanced servlet does automatic token verification (as required by Google's OAuth documentation: https://developers.google.com/identity/sign-in/android/backend-auth#verify-the-integrity-of-the-id-token & https://developers.google.com/identity/protocols/CrossClientAuth) and provides fallbacks to UserService and OAuthUserService if and when appropriate. By default, the servlet will throw an exception if different users are logged in based on the Cross Client Id, User Service, and/or OAuthUserService. You can change this behavior by calling #setUserPriorityMode(UserConflictMode.PRIORITY) and optionally overriding the method #usersPriority(). The default priority list is User Service, OAuth User Service, then Cross Client (AKA UserOption#OAUTH2).
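The conflict handling described above, modelled as a stand-alone class. This is an added illustration, not the CrossClientAuthRSS source: only UserConflictMode.PRIORITY and UserOption.OAUTH2 are names from this page, while STRICT, USER_SERVICE, OAUTH_USER_SERVICE, the resolve method and comparing users by e-mail are assumptions.

```java
import java.util.*;

// Added illustration: a stand-alone model of the conflict handling described above.
// Only UserConflictMode.PRIORITY and UserOption.OAUTH2 are names from the page;
// STRICT, USER_SERVICE and OAUTH_USER_SERVICE are hypothetical.
public class UserConflictDemo {
    enum UserConflictMode { STRICT, PRIORITY }
    enum UserOption { USER_SERVICE, OAUTH_USER_SERVICE, OAUTH2 }

    // Default order stated on the page: User Service, OAuth User Service, Cross Client.
    static final List<UserOption> DEFAULT_PRIORITY = List.of(
            UserOption.USER_SERVICE, UserOption.OAUTH_USER_SERVICE, UserOption.OAUTH2);

    // 'seen' maps each source that produced a user to that user's e-mail (assumed key).
    static String resolve(Map<UserOption, String> seen, UserConflictMode mode,
                          List<UserOption> priority) {
        Set<String> distinct = new HashSet<>();
        for (String email : seen.values()) {
            distinct.add(email.toLowerCase(Locale.ROOT));
        }
        if (distinct.isEmpty()) {
            return null; // no source authenticated the caller
        }
        if (distinct.size() > 1 && mode == UserConflictMode.STRICT) {
            // Default behaviour: refuse the call rather than guess which identity is real.
            throw new SecurityException("Conflicting identities: " + seen);
        }
        for (UserOption option : priority) {
            if (seen.containsKey(option)) {
                return seen.get(option); // first source in the priority list wins
            }
        }
        return null; // sources present, but none appears in the priority list
    }

    public static void main(String[] args) {
        // Constructed sample: the session says alice, the ID token in the header says bob.
        Map<UserOption, String> seen = new EnumMap<>(UserOption.class);
        seen.put(UserOption.USER_SERVICE, "alice@example.com");
        seen.put(UserOption.OAUTH2, "bob@example.com");

        System.out.println(resolve(seen, UserConflictMode.PRIORITY, DEFAULT_PRIORITY));
        try {
            resolve(seen, UserConflictMode.STRICT, DEFAULT_PRIORITY);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In priority mode a mismatch between sources is resolved silently, so the order returned from an overridden #usersPriority() decides which credential the servlet trusts when two of them disagree.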