We are migrating out applications from OpenID using UserService to OAuth2 / OpenID Connect to move our apps to the new Google Apps Marketplace.
We are using UserService.isAdmin() to check if a user is registered as admin for the GAE application.
How can we keep this functionality when moving to OAuth2 for login?
I don't think you can explicitly check who the admin is any other way.
It is rare that you would need to know the App Engine admin in a publicly-listed app. If the app is a general solution app, than aren't you the admin? Most developers care about the Domain Admin, which can be determined with the Admin SDK. If these is just for your own use, set the visibility options to your domain in the Chrome Webstore Developer Dashboard.
Related
I'm new to web dev, and trying to build an application using google app engine's java standard environment, which will require user authentication. I'd like to provide authentication which requires only a username and password of the user, as opposed to a phone number or social account.
As I look through the options listed in app engine's auth tutorial, if I'm understanding them correctly, none of them allow login without a phone number or social account? https://cloud.google.com/appengine/docs/standard/java/oauth/
If so, are there alternatives available while still using app engine? I've read some about 'web container managed authentication' but I'm not sure if its something app engine will support, or if its a full solution.
Is it possible/feasible to roll fully custom authentication in the app engine standard environment? As I search for custom authentication tutorials I see a lot of articles recommending against this, but it's not clear to me what the alternative is.
Thanks for any information
As it's mention on the OpenID Connect documents of Google Cloud, it's important for you and your users security to authenticate using well proven and debugged code. Google offers Firebase Authentication which let's users log in with an Email and password.
If you still want to implement the authorize part on your own, you can use your preferred web framework and probably it will have an authorizing process.
For example, in python you can use Django authorize system to provide users for a custom way to log in.
But, as I said before, I highly recommend you to use the Google APIs for authorizing as they are OpenID certificated.
I'm looking at migrating a JBOSS 4 application to Google's App Engine.
We have a role based login system at the moment, with administrators, domain admins and users.
Is it possible to migrate out user, password ,roles based system to GAE?
I can't find any documentation about it.
As outlined in the documentation, handlers can be protected by requiring login or admin user when Google accounts auth is used. Endpoints can be protected with OAuth.
Taking into account your app is using role based authentication, you should take care of its implementation to protect handlers. You may find this article useful to go ahead with your implementation.
I am really fed up. All I see the Google App Engine tutorial was just making the example on how to authenticate without password. What if I want to authenticate directly from my gmail account, how can I do it???
User the google provided users service which can use your google account for auth.
https://developers.google.com/appengine/docs/python/gettingstarted/usingusers
Google App Engine provides several useful services based on Google infrastructure, accessible by applications using libraries included with the SDK. One such service is the Users service, which lets your application integrate with Google user accounts. With the Users service, your users can use the Google accounts they already have to sign in to your application.
I am using dev_appserver.py to test my app locally. However, I can't login to it because Facebook restricts logins to only the app URL I provide in the Facebook setup, which is myappname.appspot.com.
It doesn't look like there's a way to authorize secondary referrers for Facebook apps. Are there any good workarounds for this?
My app relies almost entirely on Facebook data, so faking a login won't get me very far.
option 1) Edit your hosts file so that your registered domain points to 127.0.0.1
option 2) Register a secondary app ID on facebook that you will use for development purposes. Register this with the URL of localhost. Then switch which app ID you use prior to deployment to your production server.Given how common this problem is, it's shocking to me that the Facebook documentation isn't more explicit about the workaround. Other OAuth providers aren't any better though...
I have successfully followed the examples to gain an AuthSub token to authorize my GAE application to have access to the user's Google Calendar.
I have added the domain parameter to the method gdata.auth.generate_auth_sub_url so that the application is authenticated against a Google Apps Domain user. The app is then installed in one of our test domains.
This is working fine, however, each user in the domain has to go through the process of authorizing the app to use the calendar. In other Marketplace Apps that I have tried, this authorization is done once for the whole domain when the app is installed.
How is this achieved?
This page describes how Marketplace apps can access the gdata APIs on a user's behalf.