Question

I managed to implement the auth function described by google using a clientid.

So when visiting the html page, one gets asked to authenticate with a google account.

Question: As it is now, everyone can use the site, as long as he/she has a Google account to authenticate with. How do I restrict the usage to a certain group of users? Do I need to manage a list of unique user IDs provided by the User object? Or is there already something prebuilt that I can make use of?


Solution

I think the safest would be to keep a list of IDs. What is the basis on which you expect Google or anyone else to know what kind of users you want to allow?

Even if it's only geographic, there are times when people might be using proxies or using your site from a remote location.

The site you linked to also says as much:

Specifying Authorized Clients in the API Backend

You must specify which clients are allowed to access the API backend by means of a whitelist of client IDs. A client ID is generated by the Google API console from a client secret, such as the SHA1 fingerprint of a key used to secure an Android app, or from the Bundle ID/Apple Store ID pair for an iOS app, as described in Creating OAuth 2.0 Client IDs. At runtime, a client app is granted the authorization token it needs to send requests to the API backend if its client secret matches one contained in a client ID within the API backend's client ID whitelist.

Also, it's only common authentication (who is it); authorization (what they can do on your site) comes from you.
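The authorization step the answer describes, as an added example that is not part of the original question or answer: it assumes the Google ID token has already been signature-verified by a library (for instance google-auth) and applies an allowlist to the verified claims, keyed on the stable `sub` user ID rather than the email address. The client ID and the user IDs in the allowlist are constructed placeholders.

```python
# Added example: the authorization layer behind Google sign-in.
# Authentication (checking the ID token's signature against Google's keys)
# is assumed to be done by a library; `claims` is the dict of verified claims
# it returns. This code decides WHICH authenticated Google users may use the site.
import time

# Constructed values: this site's OAuth client ID and the allowlist of Google
# user IDs. The `sub` claim is stable per account; email addresses can change
# or be re-assigned, so they are a poor allowlist key.
EXPECTED_CLIENT_ID = "1234567890-example.apps.googleusercontent.com"
ALLOWED_SUBJECTS = frozenset({"100000000000000000001", "100000000000000000002"})
GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")


def authorize(claims, now=None):
    """Return (allowed, reason) for an already signature-verified claims dict."""
    now = time.time() if now is None else now
    # The token must have been minted for this client ID, otherwise a token
    # issued to some other app could be presented to this site.
    if claims.get("aud") != EXPECTED_CLIENT_ID:
        return False, "wrong audience"
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "wrong issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    # Authentication told us who the user is; the allowlist is our decision.
    sub = claims.get("sub")
    if not sub or sub not in ALLOWED_SUBJECTS:
        return False, "user not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample claims: one allowlisted user, one authenticated but
    # not allowlisted user.
    base = {"aud": EXPECTED_CLIENT_ID, "iss": "accounts.google.com", "exp": time.time() + 600}
    print(authorize(dict(base, sub="100000000000000000001")))  # (True, 'ok')
    print(authorize(dict(base, sub="100000000000000000009")))  # (False, 'user not on allowlist')
```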

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow