How to Migrate Yahoo users from OpenId to OAuth - google-app-engine

I'm using App Engine / java.
I need to migrate my Yahoo users from OpenID 2.0 to OAuth 2.0 login (OpenID Connect), because OpenID 2.0 Relying Party support for logging in with OpenID 2.0 accounts in to App Engine will be turned off.
For my Yahoo users, I have the following information in my datastore:
federated identity: https://me.yahoo.com/a/...
email address
When I implement Sign-in with Yahoo using OAuth, I need to use the information provided by the OAuth process to identify the existing user in my datastore. However, the Yahoo OAuth process provides neither an open-id (Yahoo does not support OpenID Connect) nor an email address.
So how can I migrate my existing Yahoo users from OpenId to OAuth? What is the common information between both mechanisms to make the link and perform the migration?
Remark: This works fine for Sign-in with Google, because Google supports OpenId Connect. In this case OpenId Connect / open-id == OpenId / federated identity, which makes it possible to migrate users.

One possible approach is to switch to Google Identity Toolkit which offers:
federated login handling specifics for a particular provider pretty much transparently for you
a way of gradually migrating users authenticated by a particular provider from your existing method to the GIT one, see the "Migrate an existing site in 5 steps" section.
The only drawback I see is the limited number of providers GIT supports (sweetened a bit by support for password-based authentication). Not an issue if the providers you're interested in, like Yahoo, are in the supported list.

Related

No more "google.appengine.api.users" on gae/py37 : how to identify logged user?

I used "gae.api.users" to check if the logged user was me (users.is_current_user_admin());-)
But this API is no longer available. How can I do the same kind of thing with GAE/py37?
From the Users section of the Understanding differences between Python 2 and Python 3 on the App Engine standard environment guide:
The Users service is not available in Python 3. You can use any HTTP-based authentication mechanism, such as:
Google Identity Platform, which provides many options for authentication and authorization of Google user accounts.
Firebase Authentication, which provides authentication using username/password and federated identity using Google, Facebook, Twitter, and more.
Note: Because the Users service is not available, it is not possible to use app.yaml to make URLs accessible only by administrators.
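Since the quoted note means app.yaml can no longer restrict a URL to administrators, that check has to move into application code. The following is an added example, not from the answer or from Google's documentation: it assumes the ID token's signature has already been verified by a library (for instance google-auth) and that the resulting claims are passed in; the client ID, admin allowlist and sample claims are constructed values.

```python
import time

# Constructed sample claims, shaped like the payload of a Google ID token
# after its signature has been verified; all values are made up.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "example-client-id.apps.googleusercontent.com",
    "sub": "110169484474386276334",
    "email": "admin@example.com",
    "email_verified": True,
    "exp": 4102444800,  # far in the future so the sample stays valid
}

# Assumed configuration: the OAuth client ID issued to this app and the
# allowlist that replaces the old users.is_current_user_admin() check.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
ADMIN_EMAILS = frozenset({"admin@example.com"})

# Google issues ID tokens under either of these issuer strings.
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def is_admin(claims, client_id=CLIENT_ID, admins=ADMIN_EMAILS, now=None):
    """Return True only if the verified claims identify an allowlisted admin."""
    now = time.time() if now is None else now
    # The token must come from Google, be intended for this app, and be unexpired.
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False
    if claims.get("aud") != client_id:
        return False
    if claims.get("exp", 0) <= now:
        return False
    # Never authorize on an unverified address: an account can carry an
    # arbitrary email claim until Google has confirmed ownership of it.
    if claims.get("email_verified") is not True:
        return False
    return claims.get("email", "").lower() in admins


def require_admin(claims, handler):
    """Code-level stand-in for app.yaml 'login: admin': run handler or 403."""
    if not is_admin(claims):
        return 403, "Forbidden"
    return 200, handler()
```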

What is the difference between "Google+ sign in" and "Federated Log-in" and "Google Users Service"?

I want to add social sign-in feature to my Google App Engine based application and hence want to add Google's authentication mechanism along with FB log-in.
I am confused because Google has provided at least 3 different ways to do this.
Google+ sign-in (https://developers.google.com/+/web/signin/server-side-flow)
Users service provided on Google App Engine
Federated Authentication (https://developers.google.com/appengine/articles/openid)
I would like to know which method is the most recent and which method is used widely?
Thanks,
Chandrashekhar
#1 Google+ Sign In allows users to log in via OAuth 2.0, but requires users to have Google Plus enabled. Google+ Sign In also provides additional functionality to the Google+ APIs such as sharing and social integration. However, you could just use standard OAuth 2.0 for login, which removes the Google+ requirement.
#2 Users Service is a Google App Engine API. It allows any user with a Google Account to login. This is different to OAuth 2.0 - it uses Google's standard login pages and you can use it right out of the box without having to configure any OAuth scopes etc. You can get going with this very quickly.
#3 Federated Login integrates the Open ID standard with the Google App Engine Users API. This allows your users to log in with an Open ID (ie credentials they have registered with an 'Open ID provider'), and you to use the standard Users Service API. There are many Open ID providers out there, including Google.
Your question states that you want to add a "social sign-in feature" along with "FB log-in". So, that basically rules #1 & #2 out. Unfortunately, Facebook (and Twitter) are not Open ID providers, so that kind of rules #3 out too. For these, you will need to implement their own authentication mechanisms (Facebook Login and Sign in with Twitter). There is a great boilerplate repo on GitHub that has some code (in python) to help you get going.

How to use OAuth2 / OpenID Connect with UserService?

I'm running several apps on Google App Engine. I am using the UserService for Authentication to be able to send emails on behalf of the user etc. and OAuth2 for API authorization.
I am now trying to publish the apps on the Google Apps Marketplace, but I received an email telling me it is required to use OAuth2 for authentication.
As I am just using the supported Google stack I assume there is a way to meet the requirements for publishing my apps on the Google Apps Marketplace but right now I'm stuck.
This is similar to another question. The challenge is that the User service is still using OpenID. You'll need to use a Client library to authenticate the user.
Here are good samples in Python & Java.
Currently we use OpenID 2.0 for user authentication and OAuth for authorization of other services. OpenID 2.0 is deprecated and Google will not provide authentication using OpenID. For the timeline, refer to this link: https://developers.google.com/+/api/auth-migration#timetable
So they are suggesting to use OpenID Connect for authentication of the user. OpenID Connect is a layer written over OAuth 2.0 for authentication of the user.
For references visit http://openid.net/connect/ and https://developers.google.com/accounts/docs/OAuth2Login?hl=ja#appsetup

Request extra permissions logging with google app engine

App Engine has by default an integrated Google sign-in feature, which gives back the current authenticated user's email and ID (permission is asked of the user before).
I was wondering if App Engine has an option to extend the permissions asked of the user to include more scopes, for example (contact information, manage YouTube account).
Or is it only possible via OAuth authentication?
No, you can only do this via OAuth.
User API uses OpenID which does not support "scopes". OAuth does support scopes so you should use it if you need broader access to the user's profile.

Federated authentication and Delegated authentication in salesforce

Does anybody know the difference between Federated authentication and Delegated authentication in Salesforce? Can you explain the flow of requests in these two methods?
The main difference is the use of Security Assertion Markup Language (SAML) on Federated Authentication.
Delegated Authentication: Use delegated authentication if you have mobile users in your organization, or if you want to enable single-sign on for partner portals or Customer Portals. You must request that this feature be enabled by salesforce.com. This recipe explains delegated authentication in more detail.
Federated Authentication using SAML: Federated authentication uses SAML, an industry standard for secure integrations. Investing in SAML with Salesforce.com can be leveraged with other products or services. If you use SAML, you don't have to expose an internal server to the Internet: the secure integration is done using the browser. In addition, Salesforce.com never handles any passwords used by your organization. For more information, see “Configuring SAML Settings for Single Sign-On” in the Salesforce.com online help.
Difference
Delegated authentication has a few drawbacks with respect to federated authentication. First, delegated authentication is inherently **less secure than federated authentication**. Even if encrypted, delegated authentication still sends the username and password (possibly even your network password) over the internet to Force.com. Some companies have policies that preclude a third party for handling their network passwords. Second, delegated authentication **requires much more work for the company implementing it**. The Web services endpoint configured for the org must be developed, hosted, exposed on the Internet, and integrated with the company's identity store.
More detailed flow and code example on delegated authentication
More detailed flow on SSO with SAML