OpenId "reference" implementation


Roberto

May 28, 2010, 5:41:05 AM
to Google App Engine
Hi All,

I am starting to migrate my existing Python GAE app from Google
Account to OpenId authentication.

I would like to know if a "reference implementation" of a GAE app
using OpenId authentication is available.

Thanks
Roberto

Robert Kluin

May 28, 2010, 11:31:24 AM
to google-a...@googlegroups.com
Hi Roberto,
I have not tried it personally yet, but I think OpenID
authentication is supposed to behave basically the same as Google
Accounts authentication. Several people have posted that you only
need to switch, and existing 'stuff' should continue working.

Have you seen something different?

Robert


Scott Ellis

May 28, 2010, 1:29:54 PM
to google-a...@googlegroups.com
I have.

I turned on openid auth in the app engine console, and without any changes to my app I got a redirect loop (for the '/' url which is set to login:required in app.yaml):

This webpage has a redirect loop.

The webpage at http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/_ah/login_required?continue=http://wassuptime.appspot.com/ has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.

I tried clearing my cookies...no effect.

I tried implementing a handler for _ah/login_required, which serves up the page I told it to...but I can't figure out from the docs how to take the open id URL the user can enter there, and feed it into GAE so I can use get_current_user(). That is, if I serve up a form, what should the action attribute contain as the target URL, and what fields does the form need to have? Or alternatively, if I add a handler for the form submission, what do I need to do in app engine so that the user is signed in? Am I missing something?

Any help would be appreciated.

Scott


Scott Ellis

May 28, 2010, 1:39:07 PM
to google-a...@googlegroups.com
Oh...maybe this is just a bad time to try?

Scott Ellis

May 28, 2010, 2:04:37 PM
to google-a...@googlegroups.com
It says in the docs for 'create_login_url' that if I provide federated_identity then "the user will be redirected to your app's sign-in page for OpenID"...is this something different to the page provided by the handler for _ah/login_required? Does it mean that I should not be serving up a form, but rather a page full of links (for different providers) created using 'create_login_url'?

Ross M Karchner

May 28, 2010, 2:11:53 PM
to google-a...@googlegroups.com
Yeah, that's what you need to do if you plan on giving people provider choices.

You could do it that way, or you could accept the openID url as form input,  do the create_login_url, and redirect to the generated URL.

Scott Ellis

May 28, 2010, 2:17:03 PM
to google-a...@googlegroups.com
Thanks.


Roberto

May 28, 2010, 5:13:20 PM
to Google App Engine
Hi Robert,

I guess I just missed the "/_ah/login_required" script.
Now I wrote a very simple page where you can choose among a few
providers and it actually works.

My concern was about having done everything needed to make the
application compatible with openid, is the login_required script/page
the only missing components (actually not missing but left to the
developer) from the GAE SDK ?

Thanks
Roberto

Robert Kluin

May 28, 2010, 6:55:00 PM
to google-a...@googlegroups.com
Hey Roberto,
It is as far as I know, but I have not had a chance to play with
OAuth on GAE yet.

Robert

Wesley C (Google)

May 28, 2010, 10:18:38 PM
to google-a...@googlegroups.com
hey all,

just an FYI that our team is working on an OpenID article to
complement the online docs that have more explanations and example
code... stay tuned!

-- wesley
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"Core Python Programming", Prentice Hall, (c)2007,2001
"Python Fundamentals", Prentice Hall, (c)2009
   http://corepython.com

wesley.j.chun :: wesc+api-at-google-dot-com
developer relations :: google app engine
@app_engine :: googleappengine.blogspot.com

Scott Ellis

May 29, 2010, 12:02:51 AM
to google-a...@googlegroups.com
Is that redirect loop expected behavior?



Scott Ellis

May 30, 2010, 6:10:39 AM
to google-a...@googlegroups.com
Thanks wesley. I'm sure you're on to it, but Google Apps accounts and Marketplace integration examples would be more than useful.


l.denardo

May 31, 2010, 3:20:40 AM
to Google App Engine
I found the same error in Java: it's due to the way that login URL is
generated, which is different for pages with "required login" and
pages out of this constraint.
If a page is under security constraint login always redirects to
_ah/login_required, even if that is the uri you're requesting. Otherwise
login link is correct.

You should be able to get around it by simply removing
_ah/login_required from the list of urls for which you state a security
constraint (in Java, this means removing _ah/login_required from the
url-pattern list in the web-resource-collection of web.xml).

By the way there's a similar issue with logout, I posted something on
this group.

I hope this helps

Lorenzo


Scott Ellis

May 31, 2010, 5:47:04 AM
to google-a...@googlegroups.com
Thanks Lorenzo, but I had no security constraint on _ah/login_required at that time. I got the redirection loop when I didn't handle the _ah/login_required pattern at all (as I mentioned - no change to the app, just flipped the 'openid' switch in the admin console) - which I know is contrary to the documentation. Nevertheless it was surprising (an override-able default handler would be nice :) and I wondered if it is to be expected, or if something else might have gone wrong. I guess behaviour is undefined when you don't follow instructions.


Scott Ellis

May 31, 2010, 6:01:47 AM
to google-a...@googlegroups.com
Ah sorry I get it - the /_ah/login_required pattern is caught by the '/' handler...gotcha. Hard to make a 'nice' default behaviour for that one then I guess. Cheers.

l.denardo

May 31, 2010, 8:26:14 AM
to Google App Engine
That's what I was meaning...still my low-level English doesn't help to
explain :-)

What I did was to deploy a servlet in _ah/login_required, which
generated login URL (assuming Google as an openID provider) and
redirected to it using standard servlet redirection.

I had /* pattern in security-constraint resource list to require login
for all pages in my application, and so caught also /_ah/ under
security constraint: that led to the UserService generate login
methods to return _ah/login_required as a login url, and so I got
stuck in a redirection loop. My servlet was in fact redirecting to its
own address.

Removing _ah/login_required from the pages under security constraint
(that is, using explicit paths for the pages I had in my app instead
of /*) resolved it. UserService generates the correct login url when
called from the servlet.

I hope this is clearer

Regards
Lorenzo
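
Added example (not part of any post in this thread, and not GAE SDK code): a small Python model of the loop discussed above, which replays a signed-out request against an ordered handler list and shows why a catch-all pattern with `login: required` makes `/_ah/login_required` redirect to itself. The handler lists, script names and the matching rule (first handler whose regex matches the whole path wins) are assumptions made for illustration.

```python
import re

LOGIN_PAGE = "/_ah/login_required"   # where GAE sends signed-out users (per the thread)

# Constructed handler lists in app.yaml order; "url" is a regular expression.
BROKEN = [
    {"url": "/.*", "script": "main.py", "login": "required"},
]
FIXED = [
    {"url": "/_ah/login_required", "script": "login.py"},   # no login: line
    {"url": "/.*", "script": "main.py", "login": "required"},
]

def first_match(handlers, path):
    """Return the first handler whose pattern matches the whole path (assumed semantics)."""
    for handler in handlers:
        if re.fullmatch(handler["url"], path):
            return handler
    return None

def simulate_signed_out_request(handlers, path, max_hops=5):
    """Follow login redirects for a signed-out user and return every URL visited."""
    visited = [path]
    url = path
    for _ in range(max_hops):
        handler = first_match(handlers, url.split("?", 1)[0])
        if handler is None or handler.get("login") not in ("required", "admin"):
            break                      # page is served (or 404s) without a login redirect
        url = "%s?continue=%s" % (LOGIN_PAGE, url)
        visited.append(url)
    return visited

def has_redirect_loop(handlers, path, max_hops=5):
    """True when the hop budget runs out, i.e. the login page itself demands login."""
    return len(simulate_signed_out_request(handlers, path, max_hops)) > max_hops

if __name__ == "__main__":
    for name, handlers in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, "loop" if has_redirect_loop(handlers, "/") else "ok")
        for url in simulate_signed_out_request(handlers, "/"):
            print("   ", url)
```

Run against the `BROKEN` list, the visited URLs grow the same nested `continue=` chain as the browser error quoted earlier in the thread; listing the login page first without a login requirement ends the chain after one redirect.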

Scott Ellis

Jun 5, 2010, 8:59:05 AM
to google-a...@googlegroups.com
Some working example code at http://github.com/sje397/Chess

App at http://your-move.appspot.com

Also includes certificate based OAuth for gdata access (e.g. google contacts).

Tom Wu

Jun 5, 2010, 1:44:53 PM
to google-a...@googlegroups.com
Great !

