Search code examples
pythongoogle-app-engineoauth-2.0google-oauthgoogle-apps-marketplace

Use OAuth2 for authentication + compatibility with google.appengine.api.users service

We're trying to put our app on Google Marketplace, and one of the requirements was to use OAuth2 for authentication. Unfortunately (and strangely), AppEngine doesn't have an option for this.

Right now, we are using OpenID for authentication. I've been trying to find resources online, but have failed in finding a definitive guide on how to do this properly.

My concerns are:

  1. What scope should I use?
  2. How should sessions be managed? (the Users service handled this very well)
  3. What would the local development process be like? Would I need to have an internet connection to be able to use dev_appserver.py?
  4. We rely heavily on the user_id property provided by the Users service. Can I rely on it having the same value when switching to OAuth2?
  5. Any possible conflicts in other AppEngine services (ones that rely on Users service)?
  6. Would the login: required flag in app.yaml still work as expected after migrating?

Also, it would be great if we could keep on using the Users service.

EDIT: Slightly off-topic, but I think the AppEngine docs for the Users service needs to be updated. It still says "supporting OpenID is a powerful way to integrate your app with Google App Marketplace", which isn't the case anymore.

Solution

  • You have lots of questions asked, so I'll address only the ones I know the answers to (after migrating our own app from OAuth1 to OAuth2).

    Note: The thing I want to stress most about this issue, and which was the Aha Moment for me is: Accessing the APIs to which you got access from user after he installed your GAM app could be completely separated from the end user access to your app. I.E. After you got permissions from the domain admin for your app (after he installed it) you can use your App Engine service account to access all the APIs, from the server side. You use the users API only when users access your app. Thus, complete separation. With that said, here are my insights.

    1. The scopes you're going to use depend on the services you require. I couldn't find a definite mapping from old scopes to new ones - you'll have to test stuff with https://developers.google.com/oauthplayground/ I also recommend setting up a test app, for OAuth testing only.

    2. As far as our app is concerned, sessions are managed as usual, you have the usual User object and work with it as you'd expect. The interaction with Google APIs is done via an App Engine service account. Which in simpler word means, you manage user access and permissions to your app using the users api, and Google manages access to it's APIs using the tokens generated with the service account and the admin's emails. (This issue is a post on it's own)

    3. I'm not sure what you mean by that one.

    4. The users API should work as expected.

    5. We haven't had any (surprisingly!), but I guess that depends on your implementation

    6. login: required should work as expected as it works in the same manner as the users api