Google Account IDs differ between OAuth2 and GoogleAppsEngine User API - google-app-engine

I have problems replacing an old app because the IDs of Google Accounts differ between the different login options offered by Google.
Old app: Standard GoogleAppsEngine Java 8 Application using GAE User API
New app: Nest.js app deployed to CloudRun using Google OAuth2 via passport.js
I verified with many different emails (personal Gmail and GSuite) that both login methods return different Google User IDs - even if the documenation and other resources claim it's unqiue forever and accross login methods.
Obviously I would have expected that the Google Account IDs are independent of the login method.
Is there any way to match or migrate from the old to the new method?

Related

How to perform authentication with Google Cloud Endpoints?

We are migrating part of our web app to a native mobile app (iOS and Android). We store all user info in our own database, including authentication info (username & pwd). We have a REST API for use by mobile apps and are trying to implement that in Google Cloud Endpoints.
We use an API key for identifying the app.
We want to also authenticate each user. The app will request the username and pwd and then pass that through the REST API. Our backend will confirm (by looking up the username/pwd in the db) if the user is valid. Ideally, at this point we would return a JWT.
Can this be done? The GCE documentation talks about authenticating Google users, and Facebook users. We don't want that. We don't want to use Firebase (unless a custom mechanism can be set up to authenticate). We will manage accounts. We will check if the username and pwd provided (through the app) identifies a valid user.
In trying to use a backend based on Google App Engine Standard and ESPv2, the documentation states that IAP must be enabled. IAP appears to authenticate users in a way we don't want. We want to authenticate users based on the username and pwd they provide and that we manage. Can this be done?
Any pointers would be greatly appreciated.
Thank you.

User authentication with Servlets on App Engine

I'm new to web dev, and trying to build an application using google app engine's java standard environment, which will require user authentication. I'd like to provide authentication which requires only a username and password of the user, as opposed to a phone number or social account.
As I look through the options listed in app engine's auth tutorial, if I'm understanding them correctly, none of them allow login without a phone number or social account? https://cloud.google.com/appengine/docs/standard/java/oauth/
If so, are there alternatives available while still using app engine? I've read some about 'web container managed authentication' but I'm not sure if its something app engine will support, or if its a full solution.
Is it possible/feasible to roll fully custom authentication in the app engine standard environment? As I search for custom authentication tutorials I see a lot of articles recommending against this, but it's not clear to me what the alternative is.
Thanks for any information
As it's mention on the OpenID Connect documents of Google Cloud, it's important for you and your users security to authenticate using well proven and debugged code. Google offers Firebase Authentication which let's users log in with an Email and password.
If you still want to implement the authorize part on your own, you can use your preferred web framework and probably it will have an authorizing process.
For example, in python you can use Django authorize system to provide users for a custom way to log in.
But, as I said before, I highly recommend you to use the Google APIs for authorizing as they are OpenID certificated.

What is the difference between "Google+ sign in" and "Federated Log-in" and "Google Users Service"?

I want to add social sign-in feature to my Google App Engine based application and hence want to add Google's authentication mechanism along with FB log-in.
I am confused because Google has provided at least 3 different ways to do this.
Google+ sign-in (https://developers.google.com/+/web/signin/server-side-flow)
Users service provided on Google App Engine
Federated Authentication (https://developers.google.com/appengine/articles/openid)
I would like to know which method is the most recent and which method is used widely?
Thanks,
Chandrashekhar
#1 Google+ Sign In allows users to log in via OAuth 2.0, but requires users to have Google Plus enabled. Google+ Sign In also provides additional functionality to the Google+ APIs such as sharing and social integration. However, you could just use standard OAuth 2.0 for login, which removes the Google+ requirement.
#2 Users Service is a Google App Engine API. It allows any user with a Google Account to login. This is different to OAuth 2.0 - it uses Googles standard login pages and you can use it right out of the box without having to configure any OAuth scopes etc. You can get going with this very quickly.
#3 Federated Login integrates the Open ID standard with the Google App Engine Users API. This allows your users to log in with an Open ID (ie credentials they have registered with an 'Open ID provider'), and you to use the standard Users Service API. There are many Open ID providers out there, including Google.
Your question states that you want to add a "social sign-in feature" along with "FB log-in". So, that basically rules #1 & #2 out. Unfortunately, Facebook (and Twitter) are not Open ID providers, so that kind of rules #3 out too. For these, you will need to implement their own authentication mechanisms (Facebook Login and Sign in with Twitter). There is a great boilerplate repo on GitHub that has some code (in python) to help you get going.

Update google spreadsheet using python client API on GAE app

I've got a google spreadsheet owned by a GAE service account and I want my GAE Python app to update a cell in one of the rows.
Based on some reading, these are my findings:
the spreadsheets service is old-school. It's a Google Data API and most Google services are now on the Google API platform. For Google API services, one can use a service account to do two-legged oauth2 access, but not for Google Data API services. Oh, it seems one can do two-legged oauth on Google Data API services, but only if the app is on a Google Apps domain (which mine isn't)
I could implement a similar effect (i.e. a user of the app can use data in my spreadsheet and doesn't need to login or authorize in any way) by using my personal account. There's a complicated way that involves me to authorize the app once, store the token and reuse it when a user uses the app. There's another way, which is to use client login (i.e. I embed my personal login and password in the code and use it to authorize the app to access the data in my spreadsheet)
This latter approach seems fairly safe as well, but of course I must be very careful that my source code will not be exposed. The authorization is between the GAE app and the Google Data Spreadsheets API, so the actual user's machine is not involved at all.
My spreadsheet is owned by the service account and shared with my personal account.
Note that my app is also using the Google Drive API (to access some personal Drive files, also shared between me and the GAE service account), so for that it will authorize using the service account.
Can someone confirm that my findings are correct and this approach is sound?
You can use gdata.spreadsheets.client (Google Data API) on the OAuth2 (Google API platform) flow.
https://github.com/HatsuneMiku/googleDriveAccess
It uses 'oauth2client-gdata-bridge'.

Google App Engine authentication with password

I am really fed up. All I see the Google App Engine tutorial was just making the example on how to authenticate without password. What if I want to authenticate directly from my gmail account, how can I do it???
User the google provided users service which can use your google account for auth.
https://developers.google.com/appengine/docs/python/gettingstarted/usingusers
Google App Engine provides several useful services based on Google infrastructure, accessible by applications using libraries included with the SDK. One such service is the Users service, which lets your application integrate with Google user accounts. With the Users service, your users can use the Google accounts they already have to sign in to your application.

Resources