I would like to migrate my app from google account login to federated login. My app requires a user's email address to function properly.
If a user uses a major identity provider (Google, Facebook, Yahoo, etc.), is it possible that a user could login but not allow my app to access his or her email address?
I could ask the user to provide an email address, but I would need to send an email to that address to confirm, have the user click on a link, etc. I would rather avoid that procedure.
Normally OpenID Attribute Exchange can be used to request special user attributes, like email.
Appengine uses AE internally to request users email, but not other parameters (name, etc). Also GAE does not give you an option to request other parameters.
So you should get users email via federated login, but this depends on OpenID provider and they are not guaranteed to provide it always.
So there are multiple solutions to this:
Only allow certain OpenID providers that provide user's email.
If provider provides email, use it, otherwise require user to provide one.
Alternatively, you could use OAuth 2.0 instead and request users profile. This gets you users details including email in most cases (Google, Facebook), but not always (Twitter). So you'd still need to do 1. or 2. in addition to login. The upside is that you'd have support for Facebook which is pretty widespread.