Google IDs produced by the Users service seem to differ from those produced by OAuth2

[tempy]

I have a production app on GAE that's been running for a while. I've been using the Users service for authentication, and my user entities in the datastore hold on to the unique account ID provided by the users service. Now, I want to bolt on some new functionality that will live outside of the GAE environment, but which also needs to authenticate to the existing GAE app. I've tried to do this with standard OAuth2 (as described here: https://developers.google.com/identity/sign-in/web/), but it seems that the Google IDs that are given out by OAuth2 are not the same for a given user when they login through the Users service on GAE vs regular OAuth2. Specifically, the Oauth2 produces a JWT which unpacks to something like:

{
iss: "accounts.google.com",
sub: "100768731291047440489",
azp: "995713799104-tn1tj3qj8l4h1rhu0sucpb6aormqekls.apps.googleusercontent.com",
email: "john...@googlemail.com",
at_hash: "PKaCDQBHNPH5HTbRXuAcEw",
email_verified: "true"

• ...

• }

The sub value in that response should contain the user's unique ID, but it doesn't match that of the Users API. So, am I missing something or is it the case that Google's IDs are only available within the context of the users service and differ outside of it? If this is indeed the case, is there any way to translate from one sort of ID to the other?

Many thanks,

mike 

[Nick (Cloud Platform Support)]

Hey tempy,

This ID value is unique to the Google App Engine Users service, and won't be the same as your general Google account ID. You can view the difference between the two ID values by playing around with http://gae-login-explainer.appspot.com/, which also explains the main differences between the Google sign-in for websites button and App Engine login URL methods of authentication. 

Let me know if you've got any questions, and I'll do my best to help clarify.

[tempy]

Hi Nick,

Thanks for the reply. I guess then my question is if there is any way to map the general Google account ID to the corresponding App Engine one. I'm definitely willing to run a conversion API from inside the GAE sandbox for this purpose, but I have no idea how to do the mapping even within GAE.

Thanks!

[Nick Payne]

Hey Tempy,

I think the best way to proceed would be to simply have your users go through a quick auth flow upon returning to your site. I don't think it's possible to convert a GAE User object into the equivalent Google+ ID info.

Best wishes,

Nick

--
You received this message because you are subscribed to a topic in the Google Groups "Google App Engine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-appengine/OMsuFPAYS1Y/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-appengi...@googlegroups.com.
To post to this group, send email to google-a...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/d2a157bb-c886-4dcf-a236-1f3e8d9902aa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Nick

Technical Solutions Representative
Google Cloud Platform

“It is like a lighted torch whose flame can be distributed to ever so many other torches which people may bring along; and therewith they will cook food and dispel darkness, while the original torch itself remains burning ever the same. It is even so with the bliss of the Way."
― Gautama Buddha (On Computing & Information Theory)