Only one choice for authentication in App Engine? - google-app-engine

In my new web application, I want to authenticate users by letting them sign in with their Google, Yahoo, Facebook, or LinkedIn accounts. Does App Engine's "Google+ Sign-In" capability allow this? If not, is there another platform (e.g. Heroku) that would let me write straightforward code that will accomplish this?
BACKGROUND: I can find nothing in the Google+ Sign-In documentation that talks about authenticating with any site other than Google.
However, various pages (this one and this one) show a Google+ Sign-In screen that also has a "Sign In With Facebook" button in screenshots, but it's not clear if this Facebook button is supported by App Engine's Google+ Sign-In API, or was hand-rolled with OAuth2. Same with the "Sign In With Twitter" button.
I believe that, even if OpenID Connect were available, neither Facebook nor Twitter would participate -- except that OpenID Connect is built on OAuth2, which would allow them to participate. However, App Engine has deprecated OAuth2 (see this page). So I am pretty confused about what is possible and what is not.

To support multiple authentication services (e.g. Google, Twitter, FB..) you should go with OAuth2.
One such library that works with GAE (for Java) is pac4j. It lets you authenticate users and access their profiles.

Related

User authentication with Servlets on App Engine

I'm new to web dev, and trying to build an application using google app engine's java standard environment, which will require user authentication. I'd like to provide authentication which requires only a username and password of the user, as opposed to a phone number or social account.
As I look through the options listed in app engine's auth tutorial, if I'm understanding them correctly, none of them allow login without a phone number or social account? https://cloud.google.com/appengine/docs/standard/java/oauth/
If so, are there alternatives available while still using App Engine? I've read some about 'web container managed authentication' but I'm not sure if it's something App Engine will support, or if it's a full solution.
Is it possible/feasible to roll fully custom authentication in the app engine standard environment? As I search for custom authentication tutorials I see a lot of articles recommending against this, but it's not clear to me what the alternative is.
Thanks for any information
As mentioned in the OpenID Connect documents of Google Cloud, it's important for your and your users' security to authenticate using well proven and debugged code. Google offers Firebase Authentication, which lets users log in with an email and password.
If you still want to implement the authorize part on your own, you can use your preferred web framework, and it will probably have an authorizing process.
For example, in Python you can use Django's authorize system to provide users with a custom way to log in.
But, as I said before, I highly recommend that you use the Google APIs for authorizing, as they are OpenID certified.

What is the difference between "Google+ sign in" and "Federated Log-in" and "Google Users Service"?

I want to add social sign-in feature to my Google App Engine based application and hence want to add Google's authentication mechanism along with FB log-in.
I am confused because Google has provided at least 3 different ways to do this.
1. Google+ sign-in (https://developers.google.com/+/web/signin/server-side-flow)
2. Users service provided on Google App Engine
3. Federated Authentication (https://developers.google.com/appengine/articles/openid)
I would like to know which method is the most recent and which method is used widely?
Thanks,
Chandrashekhar
#1 Google+ Sign In allows users to log in via OAuth 2.0, but requires users to have Google Plus enabled. Google+ Sign In also provides additional functionality to the Google+ APIs such as sharing and social integration. However, you could just use standard OAuth 2.0 for login, which removes the Google+ requirement.
#2 Users Service is a Google App Engine API. It allows any user with a Google Account to log in. This is different from OAuth 2.0 - it uses Google's standard login pages and you can use it right out of the box without having to configure any OAuth scopes etc. You can get going with this very quickly.
#3 Federated Login integrates the Open ID standard with the Google App Engine Users API. This allows your users to log in with an Open ID (i.e. credentials they have registered with an 'Open ID provider'), and you to use the standard Users Service API. There are many Open ID providers out there, including Google.
Your question states that you want to add a "social sign-in feature" along with "FB log-in". So, that basically rules #1 & #2 out. Unfortunately, Facebook (and Twitter) are not Open ID providers, so that kind of rules #3 out too. For these, you will need to implement their own authentication mechanisms (Facebook Login and Sign in with Twitter). There is a great boilerplate repo on GitHub that has some code (in python) to help you get going.

GAE : Yahoo, Google & Facebook login support

Over Google Application Engine, I want to add Yahoo, Google & Facebook login options for the users in my application.
Since Facebook does not support federated login using openid, how could I implement login option for all facebook, yahoo & google using JavaScript in my application?
Is OAuth only way to implement all three facebook, yahoo & google login options?
If yes, is there any sample code to refer to for implementing this using
a. JavaScript + Google Cloud Endpoints?
b. Java servlets?
There are a variety of toolkits out there that should help you; for example, have a look at oauth.io. If you have to roll it yourself, talking to FB/G/Y at the raw HTTP/JSON level is not actually that hard. In the case of Google there’s the Google+ Sign-In widget that is pretty slick, and FB of course has similar stuff.
It’s not java servlet, but in https://code.google.com/p/favcolor-accountchooser/source/browse/rp.rb there’s Ruby source code for doing OAuth authentication to Google, FB, and Microsoft Live (but not Yahoo)
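As an added illustration of the "raw HTTP" OAuth2 approach recommended in the answers above (not code from any of the posts or from the linked projects): the first leg of an authorization-code login for several providers, with the `state` value bound to the user's session and checked once on the callback. The provider endpoints, client ids, redirect URI and the dict-like `session` are placeholders assumed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed provider table: endpoints and client ids are placeholders,
# to be replaced with the values each provider documents and issues.
PROVIDERS = {
    "google": {"authorize": "https://idp-a.example/authorize",
               "client_id": "CLIENT_ID_A", "scope": "openid email"},
    "facebook": {"authorize": "https://idp-b.example/authorize",
                 "client_id": "CLIENT_ID_B", "scope": "email"},
}
REDIRECT_URI = "https://app.example/oauth/callback"  # hypothetical


def begin_login(provider, session):
    """Return the provider URL to redirect the browser to."""
    cfg = PROVIDERS[provider]  # unknown provider -> KeyError, no open redirect
    state = secrets.token_urlsafe(32)  # unguessable, ties callback to session
    session["oauth_state"] = state
    session["oauth_provider"] = provider
    query = urlencode({
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": REDIRECT_URI,
        "scope": cfg["scope"],
        "state": state,
    })
    return cfg["authorize"] + "?" + query


def handle_callback(callback_url, session):
    """Validate the callback; return (provider, code) or raise ValueError."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: replay fails
    provider = session.pop("oauth_provider", None)
    got = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("provider error: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("missing code")
    # Next step (not shown): exchange the code at the provider's token
    # endpoint from the server, using the client secret.
    return provider, code
```
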

How to add Facebook/Twitter/LinkedIn login to Google App Engine project?

I've searched for solutions, but everything I can find seems mostly outdated.
We're using the Python API for GAE and creating login urls in the following manner:
users.create_login_url(continue_url, "Yahoo", "http://yahoo.com/"),
Which works fine for sites such as Google, Yahoo, Aol, Blogger, Flickr, etc... but we're aware that Facebook and Twitter don't work in this manner.
Can anyone show any examples of how to authenticate users on App Engine using Facebook, Twitter, and LinkedIn?
Thanks!
First, one has to register their application on Facebook and get an Application ID. Details:
Register here Facebook authentication overview
Then, I used the facebook python SDK, along with the facebook javascript api (which is the canonical way to do authentication with facebook). Here's a working example of authentication I used.
Direct link to the Facebook python SDK
Direct link to the Facebook Javascript SDK
If the service you want to sign in with doesn't support OpenID, you need to do it the same way you would on any other service: Set up your own sessions library, handle logins in a site-specific manner, and keep track of signed in user sessions using the session library.

federated login Vs. oauth on google app engine

I would like to provide third-party user authentication on my App Engine app.
The federated login option on App Engine is not exactly what I'm looking for, and I can't see endpoints.
What I want is authenticating users via OpenID like it's done here on Stack Overflow.
The first time, a user has to authorize the app, and the subsequent times they will only need to be logged in, or log in again on the third-party app, and then be redirected to my app.
My app is written in Python and I'm using Tornado web as a framework. I've seen that Tornado has its own auth module that I want to check out, but I wanted to ask for suggestions before jumping into code.
Basically, I would like users to be able to log in via Facebook, Twitter and Google.
The Facebook authentication seems not to be that hard on graph.facebook.com, but it's not easy to test.
Authenticating via Twitter looks more difficult to me, and I can't find any clear examples.
I would love to hear your experiences/suggestions about it.
What you describe is exactly how federated login with OpenId works on App Engine. Whether or not users get prompted for authorization after the first login is up to the OpenId provider, not the consumer.
Facebook login doesn't use OpenID, and you'd need to implement that yourself, in conjunction with a sessions library to keep track of logged in Facebook users.
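Both this answer and the earlier one about Facebook/Twitter/LinkedIn say that non-OpenID providers need your own session tracking. The following is an added sketch of that piece, not code from the posts or from any sessions library: a signed, expiring session cookie whose identity is the pair (provider, provider user id), so the same numeric id from two providers never maps to one account. The key, field names and lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # placeholder; load a random key from config


def _sign(body):
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()


def issue_session(provider, provider_user_id, now=None, ttl=3600):
    """Build the cookie value after a provider login has been verified."""
    now = int(time.time() if now is None else now)
    payload = {"p": provider, "sub": provider_user_id, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    return (body + b"." + _sign(body)).decode()


def read_session(cookie, now=None):
    """Return the session dict, or None if malformed, tampered or expired."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = cookie.encode().split(b".", 1)
    except ValueError:
        return None  # no separator: not one of our cookies
    # Verify the MAC in constant time before decoding anything.
    if not hmac.compare_digest(_sign(body), sig):
        return None
    data = json.loads(base64.urlsafe_b64decode(body))
    if data["exp"] <= now:
        return None
    return data
```

A signed cookie like this cannot be revoked before it expires; keeping a server-side session record keyed by a random id is the alternative when logout must take effect immediately.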
