I am having trouble implementing federated login in Google AppEngine Java. https://developers.google.com/appengine/articles/openid
I am getting the users service and getting the current user. If the current user is null, then I will ask the user service to create a login URL with the OpenID provider of my choice (eventually, the user will be allowed to choose). Here's the code snippet:
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser();
if (user == null) {
    // third argument is federatedIdentity; keep the returned URL so it can be used
    String loginUrl = userService.createLoginURL(request.getRequestURI(), null, "yahoo.com", null);
    response.sendRedirect(loginUrl); // do a redirect
}
The third parameter of the method UserService.createLoginURL(...) is federatedIdentity (see here). For this argument, I have so far used the values "yahoo.com", "http://open.login.yahooapis.com/openid20/www.yahoo.com/xrds" and "https://openid.stackexchange.com/", and every time I am redirected to the Google account login page. I have also noticed that the URL returned with these arguments is a little different from the one generated with no parameters.
I think I am making some mistake here, but I am not able to figure out where. What exactly should be passed to that parameter so the user is redirected to the respective provider's login page? For example, Yahoo, Stack Overflow, Facebook, etc.
As an extended question, I believe that once the user is authenticated and has given approval, App Engine will automatically return that user via UserService.getCurrentUser() when asked next time. Am I correct?
For the record, I have set the 'Authentication Type' to 'Federated Login' in the Application settings.
Update 12/5/12: I went with openid4java. It has a direct example provided as a sample in the distribution, which works like a charm on App Engine.
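For reference, the full servlet shape around the snippet in the question, as an added example (not the asker's code and not from the App Engine docs): the provider comes from a query parameter but is checked against an allow-list before it is handed to createLoginURL, the destination is the servlet's own path rather than a caller-supplied URL, and after the round trip the servlet reads back what App Engine reports about the federated user. The servlet name and the allow-list contents are assumptions; whether the "yahoo.com" value actually reaches Yahoo is exactly the open question above.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

// Added example servlet (hypothetical name); not code from the question.
public class FederatedLoginServlet extends HttpServlet {
    // Assumed allow-list: only providers this app has decided to trust are ever
    // forwarded as federatedIdentity, so the query parameter cannot steer users
    // to an arbitrary OpenID endpoint.
    private static final Set<String> ALLOWED_PROVIDERS =
            new HashSet<String>(Arrays.asList("yahoo.com"));
    private static final String DEFAULT_PROVIDER = "yahoo.com";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        UserService userService = UserServiceFactory.getUserService();
        User user = userService.getCurrentUser();

        if (user == null) {
            String provider = req.getParameter("provider");
            if (provider == null || !ALLOWED_PROVIDERS.contains(provider)) {
                provider = DEFAULT_PROVIDER;
            }
            // Destination is this servlet's own path (server-derived), not a
            // value taken from the request, so the login hop is not an open redirect.
            String loginUrl = userService.createLoginURL(
                    req.getRequestURI(), null, provider, null);
            resp.sendRedirect(loginUrl);
            return;
        }

        // After the provider round trip, App Engine hands back a User whose
        // identity fields come from the federated login rather than a Google account.
        resp.setContentType("text/plain");
        resp.getWriter().println("federatedIdentity: " + user.getFederatedIdentity());
        resp.getWriter().println("authDomain: " + user.getAuthDomain());
        resp.getWriter().println("email: " + user.getEmail());
        resp.getWriter().println("logout: " + userService.createLogoutURL(req.getRequestURI()));
    }
}
```

Deploy with 'Authentication Type' set to 'Federated Login', as the question already does, and request the servlet with and without ?provider=yahoo.com to compare the generated login URLs.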
This is probably not what you want to hear, but we have been there and abandoned OpenID for OAuth 2. I am aware that OpenID is meant for authentication and OAuth for authorization (see this other question), but in real life people are just using OAuth for both.
We went with Scribe and are very happy with it. Note that this means rolling your own authentication solution and probably limiting your list of providers, as each one does things differently.