Use OAuth2 for authentication + compatibility with google.appengine.api.users service


John Del Rosario

Jul 17, 2014, 10:58:57 PM
to google-a...@googlegroups.com
(x-post from SO and reddit, for maximum visibility)

We're trying to put our app on Google Marketplace, and one of the requirements was to use OAuth2 for authentication. Unfortunately (and strangely), AppEngine doesn't have an option for this.

Right now, we are using OpenID for authentication. I've been trying to find resources online, but have failed in finding a definitive guide on how to do this properly. 

My concerns are:

1. What scope should I use?
2. How should sessions be managed? (the [Users](https://developers.google.com/appengine/docs/python/users/) service handled this very well)
3. What would the local development process be like? Would I need to have an internet connection to be able to use `dev_appserver.py`?
4. We rely heavily on the [`user_id`](https://developers.google.com/appengine/docs/python/users/userclass#User_user_id) property provided by the Users service. Can I rely on it having the same value when switching to OAuth2?
5. Any possible conflicts in other AppEngine services (ones that rely on Users service)?
6. Would the `login: required` flag in `app.yaml` still work as expected after migrating?
7. Are there plans on supporting proper OAuth2 authentication as a default option in AppEngine projects?

Also, the AppEngine docs seem to be out of date with regards to integrating with Marketplace.

Mihail Russu

Jul 18, 2014, 10:43:40 PM
to google-a...@googlegroups.com
Don't know if this is what you are looking for, but I've successfully been using https://code.google.com/p/gae-simpleauth/ for OAuth2 authentication in combination with Users API. With some minor changes, my users can link their manually registered accounts to Facebook and authenticate with either, as well as use only Facebook. Also, not sure how to answer most of your answers, but scopes are service-dependent, i.e. they'd be different for Facebook/Google, and working with Users API shouldn't be any different after OAuth2, and there shouldn't be any conflicts.

Vinny P

Jul 22, 2014, 12:51:59 AM
to google-a...@googlegroups.com
On Thu, Jul 17, 2014 at 9:58 PM, John Del Rosario <jo...@collabspot.com> wrote:
> We're trying to put our app on Google Marketplace, and one of the requirements was to use OAuth2 for authentication. Unfortunately (and strangely), AppEngine doesn't have an option for this.
>
> Also, the AppEngine docs seem to be out of date with regards to integrating with Marketplace.


You can't use the Users App Engine API with an Apps Marketplace application. A Marketplace application must implement SSO and cannot include a login step (which the Users API will show). See the note on this page (quoted below): https://developers.google.com/google-apps/marketplace/sso

> Caution: Every Marketplace application should present an invocation flow that is free of an intermediate login step. The end user should never be asked to provide an ID and password. Applications that do not follow this flow will not be approved for listing in the Marketplace.
 
You can use Mihail's suggestion of a third-party auth library, or use the Google+ auth lib directly: https://developers.google.com/+/web/signin/
 
 
-----------------
-Vinny P
Technology & Media Consultant
Chicago, IL

App Engine Code Samples: http://www.learntogoogleit.com
