Trying to reconcile Users API with Apps Provisioning API


Jason Collins

Jan 18, 2012, 9:42:25 PM
to Google App Engine
I'm not sure where to pose this question; it sits right on the
interface between App Engine and Apps Provisioning API.

I have an App Engine app that is using Federated Identity (OpenID) as
its authentication method. The Users API suggests the following:

"The User object for a valid user can provide a unique ID value for
the user that stays the same even if the user changes her email
address. The user_id() method returns this ID, a str value."

So, it seems that the user_id is the correct thing to use as the
key_name for my custom User model.

I'd like to import users from a Google Apps domain, so I am
interacting with the Apps Provisioning API to do so. However, there is
no corresponding user ID on that GData API. The best I have is
username, which is the front portion of the email address. (reference:
http://code.google.com/googleapps/domain/provisioning_API_v2_developers_guide.html#Retrieve_All_Users_in_Domain_Example)

I'm not sure the right way to associate these two entities. It seems
like I need to combine the Provisioning API's username with the Apps
domain to get an email address and then compare that against App
Engine's user.email().

But that smells to me. Is there a correct way to do this?

Thanks for any help, including a pointer to a better place to pose
this question,
j

Jason Collins

Jan 20, 2012, 10:28:41 AM
to Google App Engine
Does anyone from Google at least know to whom I can pose this
question? Is the User ID from the Users API an App Engine specific
thing?

Thanks,
j

On Jan 18, 8:42 pm, Jason Collins <jason.a.coll...@gmail.com> wrote:
> I'm not sure where to pose this question; it sits right on the
> interface between App Engine and Apps Provisioning API.
>
> I have an App Engine app that is using Federated Identity (OpenID) as
> its authentication method. The Users API suggests the following:
>
> "The User object for a valid user can provide a unique ID value for
> the user that stays the same even if the user changes her email
> address. The user_id() method returns this ID, a str value."
>
> So, it seems that the user_id is the correct thing to use as the
> key_name for my custom User model.
>
> I'd like to import users from a Google Apps domain, so I am
> interacting with the Apps Provisioning API to do so. However, there is
> no corresponding user ID on that GData API. The best I have is
> username, which is the front portion of the email address. (reference:http://code.google.com/googleapps/domain/provisioning_API_v2_develope...)

stephenp

Jan 21, 2012, 1:18:39 AM
to google-a...@googlegroups.com
I followed this tutorial to integrate with Google Apps.


If you follow the tutorial, you end up with a servlet to handle SSO requests at "/openid?hd=mydomain.com". BTW, I didn't see any way to build the SSO integration required by Google Apps using appengine's UserService, but maybe I was missing something.

Anyway, the good thing about going this route is that you have a single hook for people signing in with Google Apps. I just store the email, domain, and claimed_id in my user model. This ensures that if someone signs in using the same email but they use a different OpenID provider (other than Google Apps) I'll treat it as a completely different account, since that code path will still use appengine UserService and won't store a domain for that user. IOW, a unique user in my system is identified by the email address and also the domain. In fact, you can sign in to my app using appengine's federated login and then sign in using Google Apps SSO and use the same email address for both and it will be seen as two accounts, because the first account will be created with null in the domain column and the second account will actually populate that column with the domain.

With such a scheme, if your import creates a bunch of user records, just be sure to include a special column for the domain in addition to the email and id. This way, when the user logs in to your app for the first time, you won't get confused if there are two user objects with the same email address.

Does that make sense?

Stephen
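The (email, domain) scheme described in the reply above, as an added illustration that is not Stephen's or Jason's code: a plain in-memory store stands in for the datastore model, Provisioning API usernames are turned into `username@domain` records, and sign-ins are keyed on the normalized email plus the domain (None for federated OpenID sign-ins), so the same email via a different provider lands in a separate account. The `user_id` check that refuses to merge a record whose stable ID has changed is an assumption added here, not something the thread prescribes.

```python
# Constructed example: dict-backed store in place of an App Engine model.

def normalize_email(email):
    """Lowercase and strip so one mailbox always yields one key."""
    return email.strip().lower()


def account_key(email, domain=None):
    """Account identity is the (email, domain) pair; domain is None for
    federated (OpenID) sign-ins that did not come through Google Apps SSO."""
    return (normalize_email(email), domain.lower() if domain else None)


class AccountStore:
    def __init__(self):
        self._accounts = {}

    def import_from_provisioning(self, usernames, apps_domain):
        """Provisioning API only exposes a username, so build the email as
        username@domain and record the domain alongside it."""
        keys = []
        for username in usernames:
            email = "%s@%s" % (username, apps_domain)
            key = account_key(email, apps_domain)
            self._accounts.setdefault(
                key, {"email": normalize_email(email), "domain": apps_domain,
                      "user_id": None})
            keys.append(key)
        return keys

    def sign_in(self, email, user_id, domain=None):
        """Find or create the account for a sign-in. The App Engine user_id
        is bound on first sign-in; later lookups no longer depend on email.
        A differing user_id on an already-bound record is refused (assumed
        policy) so two identities are never silently merged."""
        key = account_key(email, domain)
        account = self._accounts.get(key)
        if account is None:
            account = {"email": key[0], "domain": key[1], "user_id": user_id}
            self._accounts[key] = account
        elif account["user_id"] is None:
            account["user_id"] = user_id
        elif account["user_id"] != user_id:
            raise ValueError("user_id mismatch for %s; refusing to merge" % key[0])
        return account

    def count(self):
        return len(self._accounts)
```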



Robert Kluin

Jan 25, 2012, 1:37:11 AM
to google-a...@googlegroups.com
Hey Jason,
I was actually working on a similar thing just over a year ago. My use case was pretty simple: I wanted a domain admin to be able to select which users (or groups) were authorized to access the app, then set permissions on those users / groups.

I honestly can't remember the exact solution I wound up using, but I do recall mocking up the exact same solution you propose. I do not recall ever finding a better solution though. I also vaguely remember hitting some edge cases where the user accounts didn't get correctly associated. I think that may have been due to all the Apps accounts being transitioned to Google accounts around the time though.

If you find something better, I'd love to hear about it.

Robert

--
------
Robert Kluin
Ezox Systems, LLC