Re: [google-appengine] OAuth and OAuth 2.0


alex

Sep 27, 2012, 4:47:15 AM
to google-a...@googlegroups.com
Hey Daniel,

If you're trying to access your own app deployed on production
servers, it's already available: see appcfg.py --oauth2. Look inside
appcfg.py - there's a specific scope for that. Off the top of my head,
it must be something like
"https://www.googleapis.com/auth/appengine.admin" but I'm not sure.
Though, if I'm not mistaken, it currently authorizes for the whole app
(all or nothing, i.e. as an admin).

Otherwise, if you're talking about an app exposing some kind of API to
external parties, OAuth 2.0 is available within the Endpoints service,
which is currently under a trusted tester program. You can sign up here:
http://endpoints-trusted-tester.appspot.com/

-- alex

On Wed, Sep 26, 2012 at 7:23 PM, Daniel Perry <danie...@gmail.com> wrote:
> Hi,
> As I can't seem to get help regarding my failure to use OAuth 1.0 to access
> my appengine application, are there plans to add OAuth 2.0 support to enable
> authentication using this method? Or, perhaps, if such support already
> exists, how do I get the correct key for authenticating an installed
> application to use my appengine servlet?
> The use of OAuth 1.0 appears to be deprecated but still operational, but I
> would prefer 2.0, in any case.
> Thanks,
> Daniel

YF CAO

Sep 27, 2012, 6:51:59 AM
to google-a...@googlegroups.com
How do I deploy my own app to the Google+ platform?


Daniel Perry

Sep 27, 2012, 9:16:35 AM
to google-a...@googlegroups.com
Hi Alex,
Thanks for your comment.
I am trying to access my own app deployed on production servers.
However, my application is a Java application so the scope is in the web.xml, as far as I understand.
I can set the scope for only part of the application, too.
However, I'm trying to authenticate a user using an installed application, not a web page. For this I need a secret key.
These are available when registering to use a Google service like, in my case, the Prediction API. I'm unable to figure out how to get OAuth 2.0 secrets for my appengine app. I can register to get OAuth 1.0 secret and key but, as I wrote in a previous post, I failed to complete the OAuth 1.0 dance successfully.
Have you previously used OAuth 2.0 from an installed application?
Thanks,
Daniel

alex

Sep 27, 2012, 9:51:53 AM
to google-a...@googlegroups.com
I think you're mixing up a couple of things here: (1) you want to
authenticate users against your app; (2) you want to call external
services like the Prediction API (presumably on behalf of your users?).

There are built-in Users API and OAuth (only 1.0; 2.0 is within the
trusted testers like I mentioned) services available for doing (1). Or
you can do your own custom solutions, like username/password.

For doing (2), you should probably take a look at
https://developers.google.com/accounts/docs/OAuth2InstalledApp but
again, this has nothing to do with (1) unless you require all your
users to have a Google account. If impersonating a user is not what
you really want then probably Service accounts is what you're looking
for: https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Though, I think the best thing is to ask folks at OAuth 2.0 forum:
https://groups.google.com/forum/#!forum/oauth2-dev
Sorry if I misunderstood what you're actually trying to do.

-- alex

Daniel Perry

Sep 27, 2012, 10:52:54 AM
to google-a...@googlegroups.com
Hi Alex,
I might be mixing up things but the reference to the Prediction API was only used to explain I need an installed application secret in order to use OAuth 2.0 to authenticate users against my app.
I am able to call the Prediction API on behalf of my users and, in fact, I did, for a while but have abandoned it for the time being. I have no issues with this type of call, it works fine.
I don't think what I'm trying to do is to expose an API. All I'm trying to do is to allow the application's admins, who have registered google accounts, to access an administration servlet of my app.
I will look at the OAuth 2.0 under the trusted testers program and see if it answers my problem.
Thanks,
Daniel

Daniel Perry

Sep 27, 2012, 12:15:51 PM
to google-a...@googlegroups.com
Hi Alex,
I looked at the OAuth 2.0 under the trusted testers, it refers, as far as I can understand, to the generation of an API for use by users of my application.
What I'm trying to do is much more simple, in my opinion.
Allow the application's administrators only (added using the "permissions" option of the admin console) to access one of the application's servlets.
I can achieve this if I run everything through a browser which performs the authentication and stores a cookie with the account data. However, I'm trying to do this without the browser from a PC application (written in Delphi, in my case).
The more I read about OAuth 1.0 and 2.0, I get more confused. Shouldn't I be able to use OAuth to replace the process the browser does in the background with the help of cookies to perform authentication?
I can try and follow up on this on the OAuth forum but I think I need some appengine specific information like how to obtain the client_id and secret required for OAuth 2.0 for my appengine application.
Thanks,
Daniel

alex

Sep 27, 2012, 12:39:18 PM
to google-a...@googlegroups.com
Then what you need is exactly this, I guess:

1. Go to https://code.google.com/apis/console, create a new project if
you don't have one. Switch to API Access tab and create client ID and
secret choosing *Installed application* (this is important).

2. Read the whole thing here:
https://developers.google.com/accounts/docs/OAuth2InstalledApp and
whenever you see "scope" parameter mentioned, you should set its value
to "https://www.googleapis.com/auth/appengine.admin".

Also, there are quite a few links to client libraries if you don't
want to do it from scratch, but I don't believe there's one for
Delphi. At least not from Google. Sorry, I was programming in Delphi
like 20 years ago so I'm pretty sure my knowledge is useless.
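The authorization-code exchange that steps 1 and 2 above describe, seen from the installed application's side, as an added example (not code from the thread or from Google). The endpoint URLs, the loopback redirect URI and the placeholder credentials are assumptions; the scope is the one quoted in the post.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoints (Google's OAuth 2.0 URLs of that period); check current docs.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
SCOPE = "https://www.googleapis.com/auth/appengine.admin"  # scope quoted in the thread

def build_auth_url(client_id, redirect_uri, state):
    """URL the installed app opens in the system browser for user consent."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": SCOPE, "state": state})

def extract_code(redirect_url, expected_state):
    """Validate the redirect back to the app and return the authorization code."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:  # e.g. the user declined consent
        raise PermissionError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Reject responses that are not tied to the request this app started.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch; response discarded")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]

def build_token_request(client_id, client_secret, code, redirect_uri):
    """Form fields to POST (over HTTPS) to TOKEN_ENDPOINT for an access token."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri}

if __name__ == "__main__":
    redirect_uri = "http://localhost:8080/"   # assumed loopback listener
    state = secrets.token_urlsafe(16)         # fresh value per authorization attempt
    print(build_auth_url("CLIENT_ID_PLACEHOLDER", redirect_uri, state))
    # Constructed redirect, standing in for what the browser would deliver.
    sample = redirect_uri + "?" + urlencode({"code": "SAMPLE_CODE", "state": state})
    code = extract_code(sample, state)
    print(TOKEN_ENDPOINT, build_token_request(
        "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER", code, redirect_uri))
```

The access token returned by the token endpoint is then sent with each request to the app; the client secret stays in the application's configuration and is never placed in the authorization URL.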

Daniel Perry

Sep 27, 2012, 2:29:13 PM
to google-a...@googlegroups.com
Hi Alex,
Thanks, I haven't had a chance to check it out yet but it feels like this is the answer I was looking for. I am able to create the project and get the client ID and secret. I have all the Delphi side of things figured out, that is not a problem although I, too, have returned to it after about that many years... :-)
One last question, when defining the new project in the apis console, the domain is locked to my company's domain. Is this OK although the appengine application's domain is appspot.com?
It seems to me the api console does not "know" my xxxx.appspot.com or its authorized administrators.
Should the project ID I define in the apis console be xxxx.appspot.com with the exact same name as my appengine project in order to link between the two?
Thanks,
Daniel

alex

Sep 27, 2012, 3:07:00 PM
to google-a...@googlegroups.com
Yes, it's ok for the auth thing. I mean, it doesn't matter. The only
difference is, you won't be able to add to the team members list
people outside of your custom domain.

What I sometimes do when I know I might be adding someone outside of a
custom domain, I create a project using my @gmail.com account, then
add my other account of a custom domain as administrator. You can then
enable billing from your custom domain account and even remove the
original @gmail.com account which you'd initially created a project
with.

-- alex

Daniel Perry

Sep 28, 2012, 1:26:44 AM
to google-a...@googlegroups.com
Thanks, that is a good tip.
I will try it all and post my results.
Thanks,
Daniel