ludoch edited this page Apr 15, 2026 · 1 revision

App Identity API for App Engine

The App Identity API lets an application discover its application ID (also called the project ID). Using the ID, an App Engine application can assert its identity to other App Engine apps, Google APIs, and third-party applications and services. The application ID can also be used to generate a URL or email address, or to make a run-time decision.

This API is supported for first-generation runtimes and can be used when upgrading to corresponding second-generation runtimes. If you are updating to the App Engine Java 11/17, Python 3, PHP 7/8, or Go 1.12+ runtime, refer to the migration guide to learn about your migration options for App Engine.

Getting the project ID

The project ID can be found using the ApiProxy.getCurrentEnvironment().getAppId() method.

Getting the application hostname

By default, App Engine apps are served from URLs in the form https://PROJECT_ID.REGION_ID.r.appspot.com, where the project ID is part of the hostname. If an app is served from a custom domain, it may be necessary to retrieve the entire hostname component. You can do this using the com.google.appengine.runtime.default_version_hostname attribute of the CurrentEnvironment.

View IdentityServlet.java on GitHub (region: gae_java8_app_identity_versioned_hostnames)

Asserting identity to other App Engine apps

If you want to determine the identity of the App Engine app that is making a request to your App Engine app, you can use the request header X-Appengine-Inbound-Appid. This header is added to the request by the URLFetch service and is not user modifiable, so it safely indicates the requesting application's project ID, if present.

Requirements:

  • Only calls made to your app's `appspot.com` domain will contain the `X-Appengine-Inbound-Appid` header. Calls to custom domains do not contain the header.
  • Your requests must be set to not follow redirects.
    If you use the `URLFetchService` class, your app must specify `doNotFollowRedirects`. Apps running on the Java 8 runtime do not use the URLFetch service by default. To enable URLFetch, follow these instructions (/appengine/docs/legacy/standard/java/issue-requests#java_8_runtime_vs_java_7_behavior).
  • If your app uses `java.net`, update your code to not follow redirects:
    connection.setInstanceFollowRedirects(false);

In your application handler, you can check the incoming ID by reading the X-Appengine-Inbound-Appid header and comparing it to a list of IDs allowed to make requests.
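One way to implement this check on the receiving app, as an added example that is not part of the original page or the App Engine samples. It assumes the javax.servlet API provided by the Java 8 runtime; the class name and the project IDs in the allowlist are placeholders.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: admits only requests made by allowlisted App Engine apps. */
public class InboundAppIdFilter implements Filter {
  static final String HEADER = "X-Appengine-Inbound-Appid";

  // Placeholder project IDs (assumption); load the real list from configuration.
  private static final Set<String> ALLOWED = Collections.unmodifiableSet(
      new HashSet<>(Arrays.asList("caller-project-a", "caller-project-b")));

  /** Fails closed: a missing header (for example a call via a custom domain) is rejected. */
  static boolean isAllowed(String inboundAppId) {
    return inboundAppId != null && ALLOWED.contains(inboundAppId);
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    String appId = ((HttpServletRequest) req).getHeader(HEADER);
    if (!isAllowed(appId)) {
      // No header, or a project ID that is not on the allowlist.
      ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
      return;
    }
    chain.doFilter(req, resp);
  }

  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}
}
```

Map the filter only to the internal endpoints that other apps call, since every request without the header, including ordinary browser traffic, receives a 403.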

Asserting identity to Google APIs

Google APIs use the OAuth 2.0 protocol for authentication and authorization. The App Identity API can create OAuth tokens that can be used to assert that the source of a request is the application itself. The getAccessToken() method returns an access token for a scope, or list of scopes. This token can then be set in the HTTP headers of a call to identify the calling application.

The following example shows how to use the App Identity API to make a REST call to the Google URL Shortener API.

Note: the Google API Client Libraries can also manage much of this for you automatically.

View UrlShortener.java on GitHub (region: gae_java8_app_identity_google_apis)

Note that the application's identity is represented by the service account name, which is typically applicationid@. You can get the exact value by using the getServiceAccountName() method. For services which offer ACLs, you can grant the application access by granting this account access.

Asserting identity to third-party services

The token generated by getAccessToken() only works against Google services. However, you can use the underlying signing technology to assert the identity of your application to other services. The signForApp() method will sign bytes using a private key unique to your application, and the getPublicCertificatesForApp() method will return certificates which can be used to validate the signature.

Note: The certificates may be rotated from time to time, and the method may return multiple certificates. Only certificates that are currently valid are returned; if you store signed messages you will need additional key management in order to verify signatures later.

Here is an example showing how to sign a blob and validate its signature:

View SignForAppServlet.java on GitHub (region: gae_java8_app_identity_other_services)
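The verifier's side of the rotation note above, as an added example that is not the SignForAppServlet sample or any project code. Locally generated RSA key pairs stand in for signForApp() and for the keys inside the certificates returned by getPublicCertificatesForApp(); the key names, the sample message and the SHA256withRSA algorithm are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.LinkedHashMap;
import java.util.Map;

public class RotatedKeyVerifier {
  static final String ALG = "SHA256withRSA"; // assumption: signature algorithm in use

  /** Returns the name of the first published key that validates sig over blob, or null. */
  static String verify(byte[] blob, byte[] sig, Map<String, PublicKey> published)
      throws GeneralSecurityException {
    for (Map.Entry<String, PublicKey> e : published.entrySet()) {
      Signature v = Signature.getInstance(ALG);
      v.initVerify(e.getValue());
      v.update(blob);
      try {
        if (v.verify(sig)) return e.getKey();
      } catch (SignatureException malformed) {
        // Signature has the wrong length or encoding for this key: try the next one.
      }
    }
    return null;
  }

  /** Local stand-in for signForApp(): signs blob with the given private key. */
  static byte[] sign(byte[] blob, PrivateKey key) throws GeneralSecurityException {
    Signature s = Signature.getInstance(ALG);
    s.initSign(key);
    s.update(blob);
    return s.sign();
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair retired = gen.generateKeyPair();  // rotated out, no longer published
    KeyPair previous = gen.generateKeyPair(); // still published
    KeyPair current = gen.generateKeyPair();  // signs new messages
    Map<String, PublicKey> published = new LinkedHashMap<>();
    published.put("key-previous", previous.getPublic());
    published.put("key-current", current.getPublic());
    byte[] blob = "constructed sample message".getBytes(StandardCharsets.UTF_8);
    byte[] altered = "constructed sample messagE".getBytes(StandardCharsets.UTF_8);
    byte[] sig = sign(blob, current.getPrivate());
    System.out.println("current key:  " + verify(blob, sig, published));
    System.out.println("altered blob: " + verify(altered, sig, published));
    System.out.println("retired key:  "
        + verify(blob, sign(blob, retired.getPrivate()), published));
  }
}
```

The retired-key case is the stored-message problem the note describes: once a certificate is no longer returned, a verifier that keeps no copy of it cannot validate older signatures.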

Getting the default Cloud Storage Bucket name

Each application can have one default Cloud Storage bucket, which includes 5GB of free storage and a free quota for I/O operations.

To get the name of the default bucket, you can use the App Identity API. Call AppIdentityService.getDefaultGcsBucketName.
