How to use OAuth2 / OpenID Connect with UserService? - google-app-engine

I'm running several apps on Google App Engine. I am using the UserService for Authentication to be able to send emails on behalf of the user etc. and OAuth2 for API authorization.
I am now trying to publish the apps on the Google Apps Marketplace, but I received an email telling me it is required to use OAuth2 for authentication.
As I am just using the supported Google stack I assume there is a way to meet the requirements for publishing my apps on the Google Apps Marketplace but right now I'm stuck.

This is similar to another question. The challenge is that the User service is still using OpenID. You'll need to use a client library to authenticate the user.
Here are good samples in Python & Java.

Currently we use OpenID 2.0 for user authentication and OAuth for authorization of other services. OpenID 2.0 is deprecated and Google will not provide authentication using OpenID. For the timeline, refer to this link: https://developers.google.com/+/api/auth-migration#timetable
So they are suggesting using OpenID Connect for user authentication. OpenID Connect is a layer written over OAuth 2.0 for user authentication.
For references, visit http://openid.net/connect/ and https://developers.google.com/accounts/docs/OAuth2Login?hl=ja#appsetup

Related

User authentication with Servlets on App Engine

I'm new to web dev, and trying to build an application using Google App Engine's Java standard environment, which will require user authentication. I'd like to provide authentication which requires only a username and password of the user, as opposed to a phone number or social account.
As I look through the options listed in App Engine's auth tutorial, if I'm understanding them correctly, none of them allow login without a phone number or social account? https://cloud.google.com/appengine/docs/standard/java/oauth/
If so, are there alternatives available while still using App Engine? I've read some about 'web container managed authentication' but I'm not sure if it's something App Engine will support, or if it's a full solution.
Is it possible/feasible to roll fully custom authentication in the App Engine standard environment? As I search for custom authentication tutorials I see a lot of articles recommending against this, but it's not clear to me what the alternative is.
Thanks for any information
As is mentioned in the OpenID Connect documents of Google Cloud, it's important for your and your users' security to authenticate using well-proven and debugged code. Google offers Firebase Authentication, which lets users log in with an email and password.
If you still want to implement the authorize part on your own, you can use your preferred web framework, and it will probably have an authorizing process.
For example, in Python you can use the Django authorize system to provide users with a custom way to log in.
But, as I said before, I highly recommend that you use the Google APIs for authorizing, as they are OpenID certified.

Authenticating GWT-RPC calls with Google Identity Toolkit for Java

I have a GWT-based app deployed on Google App Engine (Java). The app uses Google Account for authentication as described here: https://cloud.google.com/appengine/docs/java/users/ and uses GWT-RPC for communicating with the backend services. I use GAE's UserService to get the user object (and email ID) in my RemoteServiceServlet.
Now I want to replace Google Account with Google Identity Toolkit (GIT) so that I can offer more login options (Email, Google, Facebook etc.) to my users. I have created a small GAE-based sample application (non-GWT) using GIT and it works well. I used the GitKitClient library for Java to do the OAuth token authentication and get the user profile on the server.
But I'm wondering how GIT would work with GWT-RPC. Would the GAE UserService still work in my RemoteServiceServlet if I switch to GIT for login (instead of Google Account)? Or do I need to do the OAuth token authentication in my RemoteServiceServlet using the GitKitClient as I do in my non-GWT sample app?
I'm very new to GIT and OAuth and would appreciate any help on this matter.
Thanks.
GAE UserService does not recognize the Google Identity Toolkit token. You need to use the Google Identity Toolkit Java library to validate the Google Identity Toolkit token in your RemoteServiceServlet, in the same way as you already implemented in your sample GAE app.

How to Migrate Yahoo users from OpenId to OAuth

I'm using App Engine / java.
I need to migrate my Yahoo users from OpenID 2.0 to OAuth 2.0 login (OpenID Connect), because OpenID 2.0 Relying Party support for logging in with OpenID 2.0 accounts in to App Engine will be turned off.
For my Yahoo users, I have the following information in my datastore:
federated identity: https://me.yahoo.com/a/...
email address
When I implement Sign-in with Yahoo using OAuth, I need to use the information provided by the OAuth process to identify the existing user in my datastore. However, the Yahoo OAuth process does not provide an open-id (Yahoo does not support OpenId Connect) and no email address.
So how can I migrate my existing Yahoo users from OpenId to OAuth? What is the common information between both mechanisms to make the link and perform the migration?
Remark: This works fine for Sign-in with Google, because Google supports OpenId Connect. In this case OpenId Connect / open-id == OpenId / federated identity, which makes it possible to migrate users.
One possible approach is to switch to Google Identity Toolkit which offers:
federated login handling specifics for a particular provider pretty much transparently for you
a way of gradually migrating users authenticated by a particular provider from your existing method to the GIT one, see the "Migrate an existing site in 5 steps" section.
The only drawback I see is the limited number of providers GIT supports (sweetened a bit by support for password-based authentication). Not an issue if the providers you're interested in, like Yahoo, are in the supported list.

RestTemplate with basic authentication on Google App Engine

I have developed a Spring MVC REST service on Google App Engine with Spring Security 3.1.
Since the service will be available only to my other apps, I have a basic authentication setup with predefined username and password.
Now, I have a client developed with RestTemplate. But I am not able to find a way to access my services securely with username and password, sent via RestTemplate.
I have gone through many articles, but most are using Apache HttpClient (not supported by Google App Engine).
So, are there any alternatives for getting what I want on Google App Engine?
You can try Basic Auth with URLFetch, as this is supported by Google, though you will want to have SSL enabled to use Basic Auth.
You might want to look at this link; though it is not for App Engine, it should be good.
http://www.jpalace.org/docs/technotes/spring/rest-security.html

GAE Golang - OAuth and OAuth2?

I'm trying to implement a Google App Engine Go application that will be using OAuth and OAuth2 for users logging in. I'm wondering if it is possible, and if so, how to do it? Can someone provide an example of this?
You can use goauth2 to implement an OAuth2 client on App Engine.
You can then log your users in with their Google Account by requesting https://www.googleapis.com/auth/userinfo.profile scopes, as shown in Using OAuth 2.0 for Login.
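
What OpenID Connect adds on top of the OAuth 2.0 flow discussed in the answers above is a signed ID token that the app must verify before treating the user as logged in. The following is an added example, not code from any of the posts or from goauth2: it uses only the Go standard library, and the names `Claims`, `SampleToken` and `VerifyIDToken` are hypothetical. It assumes an RS256 token whose `aud` is a single string; the sample token is constructed and signed with a throwaway key, and fetching the provider's published key is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Claims are the ID token fields checked here (JSON keys match case-insensitively).
type Claims struct {
	Iss, Aud, Sub string
	Exp           int64 // expiry, unix seconds
}

// SampleToken signs constructed claims with a throwaway key, standing in for the provider.
func SampleToken(claimsJSON string) (string, *rsa.PublicKey) {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	in := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString([]byte(claimsJSON))
	h := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, h[:])
	return in + "." + b64.EncodeToString(sig), &k.PublicKey
}

// VerifyIDToken checks the signature first, then issuer, audience and expiry.
func VerifyIDToken(tok string, key *rsa.PublicKey, iss, clientID string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	var hdr struct{ Alg string }
	raw, err := b64.DecodeString(p[0])
	if len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg") // refuses "none" and HS256
	}
	sig, _ := b64.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	raw, _ = b64.DecodeString(p[1])
	if json.Unmarshal(raw, &c) != nil || c.Iss != iss || c.Aud != clientID || now >= c.Exp {
		return nil, errors.New("claims unreadable, or issuer, audience or expiry check failed")
	}
	return &c, nil
}
```

Only after `VerifyIDToken` succeeds should `Sub` be used as the stable key for the user record; the audience check is what stops a token issued to a different client from being replayed against this app.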
