I'm looking at migrating a JBOSS 4 application to Google's App Engine.
We have a role based login system at the moment, with administrators, domain admins and users.
Is it possible to migrate out user, password ,roles based system to GAE?
I can't find any documentation about it.
As outlined in the documentation, handlers can be protected by requiring login or admin user when Google accounts auth is used. Endpoints can be protected with OAuth.
Taking into account your app is using role based authentication, you should take care of its implementation to protect handlers. You may find this article useful to go ahead with your implementation.
Related
I'm new to web dev, and trying to build an application using google app engine's java standard environment, which will require user authentication. I'd like to provide authentication which requires only a username and password of the user, as opposed to a phone number or social account.
As I look through the options listed in app engine's auth tutorial, if I'm understanding them correctly, none of them allow login without a phone number or social account? https://cloud.google.com/appengine/docs/standard/java/oauth/
If so, are there alternatives available while still using app engine? I've read some about 'web container managed authentication' but I'm not sure if its something app engine will support, or if its a full solution.
Is it possible/feasible to roll fully custom authentication in the app engine standard environment? As I search for custom authentication tutorials I see a lot of articles recommending against this, but it's not clear to me what the alternative is.
Thanks for any information
As it's mention on the OpenID Connect documents of Google Cloud, it's important for you and your users security to authenticate using well proven and debugged code. Google offers Firebase Authentication which let's users log in with an Email and password.
If you still want to implement the authorize part on your own, you can use your preferred web framework and probably it will have an authorizing process.
For example, in python you can use Django authorize system to provide users for a custom way to log in.
But, as I said before, I highly recommend you to use the Google APIs for authorizing as they are OpenID certificated.
I used "gae.api.users" to check if the logged users was me (users.is_current_user_admin());-)
But this api is no more available. How can I do the same kind of thing with GAE/py37 ?
From the Users section of the Understanding differences between Python 2 and Python 3 on the App Engine standard environment guide:
The Users service is not available in Python 3. You can use any
HTTP-based authentication mechanism, such as:
Google Identity Platform, which provides many options for authentication and authorization of Google user accounts.
Firebase Authentication, which provides authentication using username/password and federated identity using Google, Facebook,
Twitter, and more.
Note: Because the Users service is not available, it is not possible to use app.yaml to make URLs accessible only by
administrators.
We are migrating out applications from OpenID using UserService to OAuth2 / OpenID Connect to move our apps to the new Google Apps Marketplace.
We are using UserService.isAdmin() to check if a user is registered as admin for the GAE application.
How can we keep this functionality when moving to OAuth2 for login?
I don't think you can explicitly check who the admin is any other way.
It is rare that you would need to know the App Engine admin in a publicly-listed app. If the app is a general solution app, than aren't you the admin? Most developers care about the Domain Admin, which can be determined with the Admin SDK. If these is just for your own use, set the visibility options to your domain in the Chrome Webstore Developer Dashboard.
App engine has by default an integrated google sign in features, which gives back the current authenticated user email and ID (permission is asked to the user before).
I was wondering if the app engine has an option to extend to permissions asked to the user to include more scopes for examples (contact information, manage youtube account).
Or is it only possible via oauth authentication?
No, you can only do this via OAuth.
User API uses OpenID which does not support "scopes". OAuth does support scopes so you should use it if you need broader access to users profile.
I have an appengine application that allows users to register themselves. These users must be able to send e-mail from a google apps domain. To do this, I want the appengine application to use the provisioning API to create new users in the apps domain.
I could of course create a custom administrative account for the apps domain. Then I could use a normal gdata.apps.client.ClientLogin. However, that would also mean that the userid and password are stored in source code or in the application.
Is it possible to tell the apps domain that the appengine's service account (its app_identity account) is an administrator for the apps domain?
If that's not possible, any tips on how I can secure the userid and password in the appengine application?
Hans Then
As far as I can tell what I want is not possible. I'll have to setup a userid and password in my apps account and login using that.
You'll need to use 3 legged oauth for authentication with provisioning api. Here's some docs https://developers.google.com/gdata/docs/auth/oauth#Examples