App Engine Users Service, OAuth 2.0/OpenID Connect - what's the story?


DV

Aug 16, 2014, 5:41:52 PM
to google-ap...@googlegroups.com
Hi guys,

I'm trying to get a Go web app going on app engine and I'm stumbling in an unexpected place - user authentication. I want my users to authenticate using OAuth 2.0/OpenID Connect and I can't find anywhere what "the story" is on how to do this in App Engine, and especially in Go. 
From what I can tell so far:
  • Per the docs, the Users Service can be configured to use Google Accounts, Federated (OpenID 1.0?) logins or Google Apps. Stumbling block:
    • No way to set "Federated" login in "new" Dev console and coupled with the fact that Google deprecated OpenID 1.0/2.0 as well as OAuth 1.0, it seems this is not a good path for me to pursue.
    • Not interested in Google Apps accounts or just Google Accounts as the only login option which makes the entire Users Service not useful to me, and with that, the entire App Engine authentication infrastructure.
  • Google is pushing "Google+ Sign-In", which is OpenID Connect compliant. I found some docs on how to get it going, but from what I can tell, there is no way to integrate it with the "User" concept in App Engine - the entire security infrastructure is now forced onto me and my app and I have to implement all token exchange/token verification/storage myself. Also not good/great, but doable. 
  • There is something called the Google Identity Toolkit, which at first glance looks "recent", and something that might be doing what I'm trying to do, yet the docs point to the "old" dev. console and I couldn't follow the instructions in the "new" dev console. It's also not clear how this integrates with the App Engine Users service, if at all. 
  • There are various "demo" apps/frameworks/libraries using OAuth 2.0 authentication on App Engine out there, but all of them are Python or Java. 
Is the Users Service in App Engine effectively deprecated, considering there are no plans (from what I can tell) to migrate it to OpenID Connect? 
If it is deprecated, and we're expected to do low-level OpenID Connect/OAuth 2.0 token exchange, is there some guidance/best practices somewhere on how to make it work with App Engine, specifically Go? I don't want to implement too much code on my own when it comes to security, due to the risk of getting something critical wrong.

Has anyone gotten OpenID Connect to work on App Engine, with the Users Service, in Go? Or am I too deep down the rabbit hole?
Thanks!

Luna Duclos

Aug 17, 2014, 6:45:33 AM
to DV, google-appengine-go
Hey there,

I have.
I ended up using goauth2 and gorilla's session module for it and it works like a charm.
I also logged a bug on the appengine bug tracker to try and get google to add openid connect support, you can find it here: https://code.google.com/p/googleappengine/issues/detail?id=10997

For some reason, it has been closed as WorkingAsIntended, but I believe this must be a mistake.


--
You received this message because you are subscribed to the Google Groups "google-appengine-go" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengin...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
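
Added example, not part of the thread and not code from either poster: when the app handles the OpenID Connect code flow itself instead of using the Users Service, the ID token that the server fetches from the token endpoint still has to be checked for issuer, audience and expiry before a session is created. The sketch below uses only the Go standard library; `CheckIDToken`, `Claims`, `fakeToken` and the client ID `my-client-id` are hypothetical names, and the two issuer strings are the values Google documents for its ID tokens. It relies on the OpenID Connect Core allowance that TLS validation of the token endpoint may stand in for the signature check when the token is received directly from that endpoint.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // Google sends one string; an array fails to decode and is rejected
	Sub string `json:"sub"` // stable user ID to key the session on
	Exp int64  `json:"exp"`
}

// CheckIDToken validates iss, aud and exp of an ID token the server fetched itself from the
// token endpoint over TLS. It does NOT verify the signature: never use it on browser-supplied tokens.
func CheckIDToken(idToken, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("id token is not a three-part JWT")
	}
	var c Claims
	payload := base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[1]))
	if err := json.NewDecoder(payload).Decode(&c); err != nil {
		return nil, fmt.Errorf("payload: %v", err)
	}
	switch {
	case c.Iss != "accounts.google.com" && c.Iss != "https://accounts.google.com":
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("token was issued to client %q, not us", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// fakeToken builds a constructed, unsigned sample token (header "{}", dummy signature).
func fakeToken(c Claims) string {
	b, _ := json.Marshal(c)
	return "e30." + base64.RawURLEncoding.EncodeToString(b) + ".sig"
}

func main() {
	tok := fakeToken(Claims{Iss: "accounts.google.com", Aud: "my-client-id", Sub: "1234", Exp: 1408203600})
	fmt.Println(CheckIDToken(tok, "my-client-id", time.Unix(1408200000, 0))) // constructed clock
}
```

Only the returned `Sub` should be stored in the session; a token that arrives from the browser needs full signature verification against the provider's published keys instead.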

DV

Aug 18, 2014, 9:01:44 AM
to google-ap...@googlegroups.com, dimiter....@gmail.com
Thanks for replying!

Did you end up using the App Engine User Service - https://developers.google.com/appengine/docs/go/users/ -  at all? 

I'm still hung up on this:
"Note: Google no longer offers OpenID provider support. However, an app can still be an OpenID relying party. "

This tells me I *can* get the User Service to play along nicely with OpenID Connect, if I just get certain magic redirect URLs right. This is extremely frustrating, as I'm hunting down information in a dozen different articles/guides.

Luna Duclos

Aug 18, 2014, 3:19:20 PM
to DV, google-appengine-go
I did not.

My App Engine app was created after the threshold before which they still allowed the use of OpenID 2.0, so I couldn't find a way to make it work.

