java google-cloud-endpoints

Google's API explorer does not work for my Google deployment when I am not logged in


I have a Google project credible-nation-130012 to which I deployed an app written in Java. It uses the AppEngine standard environment. The only content is a Google endpoint. You can see the sources at GitHub: https://github.com/mhdirkse/least-common-multiplier.

While not logged in with Google, I wanted to test my deployment. To do this, I visited https://credible-nation-130012.appspot.com/_ah/api/explorer using Firefox. My API did not appear. I pressed F12 for developer information and saw the following errors:

https://apis-explorer.appspot.com/apis-explorer/?base=https://credible-nation-130012.appspot.com/_ah/api#p/

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://credible-nation-130012.appspot.com/_ah/api/discovery/v1/apis. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://credible-nation-130012.appspot.com/_ah/api/discovery/v1/apis. (Reason: CORS request did not succeed).[Learn More]

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://credible-nation-130012.appspot.com/_ah/api/discovery/v1/apis. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://credible-nation-130012.appspot.com/_ah/api/discovery/v1/apis. (Reason: CORS request did not succeed).[Learn More]

Then I closed the tab and visited console.cloud.google.com to log in. After this my API appeared at https://credible-nation-130012.appspot.com/_ah/api/explorer and it worked.

I guess that the API explorer cannot properly access https://accounts.google.com. It expects to get back a header Access-Control-Allow-Origin but that is not present. Does this have anything to do with my application, or is it a bug in the API explorer? Or is this behavior intended by Google? Any help is welcome.

With kind regards,

Martijn Dirkse

By the way: I am demonstrating this project for a job application. If I get help on this question, I will make this clear on GitHub and in communication with possible employers.


Solution

  • The issue is likely in your web.xml. You have set an admin auth constraint for all URLs, and API Explorer needs to access a certain URL path /_ah/api/discovery/v1/apis (and paths under it) to work. Remove the constraint or loosen it to exclude /_ah/api.
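
The loosened constraint described in the answer above, as an added example (a constructed web.xml, not the file from the question's repository). The web-app version and the web-resource-name values are assumptions; the admin role and the /_ah/api path come from the answer.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example; resource names and web-app version are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Existing rule, as the answer describes it: every URL requires an
       admin login. Left alone, it also covers /_ah/api/discovery/v1/apis,
       so an anonymous discovery request is answered with a redirect to the
       accounts.google.com login page, which the explorer cannot read
       cross-origin. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Added rule: a more specific url-pattern with no auth-constraint.
       Servlet constraint matching picks the best-matching pattern, so
       requests under /_ah/api/ no longer fall under the admin rule above,
       while every other path stays admin-only. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>endpoints</web-resource-name>
      <url-pattern>/_ah/api/*</url-pattern>
    </web-resource-collection>
    <!-- Keep the API on HTTPS even though login is no longer required. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

With this in place the container no longer gates the API methods themselves, so any method that should not be callable anonymously has to check the caller inside the endpoint code.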