Secure Cloud Endpoint when using in web app (limit origin?)
Question
I was looking to use Cloud Endpoints on App Engine for a project at school that involves creating an application with an Android and Web interface (using unified Google logins). I was planning on using the client library generators and writing a UI with Angular for the web side.
My question is, since for what I was planning to do you have to embed your web client ID in the web app, how do you prevent others from having a look at your JavaScript, taking your Client ID and then creating a new front-end with your Cloud Endpoint?
If I understand correctly, this wouldn't be possible? If I'm right, how would you achieve something like this in a secure way?
Thanks! Ambroos
Solution
In the Google Cloud Console, you click on your App Engine app > APIs & Auth > Registered Apps.
You then register a new web app and under CONSENT SCREEN you add your web app domain as the WEB ORIGIN. Only calls from this domain will get a token that works for your endpoint.
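
The backend-side counterpart of the console setting above, as an added example that is not part of the original answer or of the Cloud Endpoints code base: a sketch of the claim checks a backend can apply to a Google ID token so that only tokens issued to the registered web and Android client IDs are accepted. It assumes the token's signature has already been verified; the client IDs, claim values and the name `check_claims` are constructed placeholders.

```python
import time

# Constructed placeholder IDs; real ones come from the Cloud Console.
WEB_CLIENT_ID = "1234567890-web.apps.googleusercontent.com"
ANDROID_CLIENT_ID = "1234567890-android.apps.googleusercontent.com"
ALLOWED_CLIENT_IDS = {WEB_CLIENT_ID, ANDROID_CLIENT_ID}
# An Android client asks for a token whose audience is the web client ID.
AUDIENCES = {WEB_CLIENT_ID}
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def check_claims(claims, now=None):
    """Return (ok, reason) for the claims of an ID token.

    Assumption: the signature was ALREADY verified against Google's
    public keys; this function only decides whether the token was
    issued to one of our own clients and is still valid.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"
    azp = claims.get("azp")  # client ID the token was issued to
    aud = claims.get("aud")  # party the token is intended for
    if azp not in ALLOWED_CLIENT_IDS:
        return False, "client ID not registered for this API"
    if aud != azp and aud not in AUDIENCES:
        return False, "token was issued for a different audience"
    if not claims.get("email"):
        return False, "no email claim"
    return True, "ok"


def sample_claims(now, **overrides):
    """Constructed claims of a token issued to the web client."""
    claims = {"iss": "accounts.google.com", "azp": WEB_CLIENT_ID,
              "aud": WEB_CLIENT_ID, "exp": now + 600,
              "email": "user@example.com"}
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    t = time.time()
    other = "999-other.apps.googleusercontent.com"  # constructed
    print(check_claims(sample_claims(t), t))
    print(check_claims(sample_claims(t, azp=other, aud=other), t))
```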