In Google App Engine, you can create User objects with any email address. These accounts will just not be connected with a Google account. Is there a way to set the current user to such a user, without rolling my own session management, or using sessions from webapp2?
The App Engine Users API supports Google Accounts or OpenID identifiers.
If you need something different, you have to implement user management yourself (or use a third-party library like webapp2.extras).
Related
I would like to have an app deployed in App Engine to display information which is stored in BigQuery or Cloud Storage, but only if the user is authenticated in the webapp AND their permissions as set in IAM allow it.
So far, I can authenticate a user in App Engine through "Google Sign-In" as seen in https://cloud.google.com/appengine/docs/standard/python/oauth/, but those credentials don't seem to relate to those that are set in Cloud IAM.
I've seen how to set credentials for App Engine as a whole through a service account, but that seems too wide.
What I really want is to authenticate users on the web app, and then let IAM decide if those users are allowed to access data or not.
How would you proceed to do that?
Thanks for any help
The authenticating as an end user GCP documentation explains how to limit access to the project's resources using Cloud IAM. It also has a short example about authenticating an end user to call the BigQuery API.
I have an appengine app that stores documents in a Google Docs account. It uses the Documents List API to communicate with Google Docs, but I am now trying to migrate it to use the Drive API as the Documents List API is supposed to be shut down on 4/20.
I would like to know if I need to grant any special permissions for my appengine app to be able to access the Drive account and read/write documents from it. i.e., do I need to add a row on this screen?
The Google Docs account under which files are stored by my current app is of the form user#xyz.com where xyz.com is a domain name that I purchased through Google and that is aliased to my appengine app. Further, user#xyz.com is an owner of my appengine app.
Yes.
Delegate domain-wide authority to your service account
In the Client name field enter the service account's Client ID.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar
Click the Authorize button.
Your service account now has domain-wide access to the Google Drive API for all the users of your domain, and potentially the other APIs you’ve listed such as the Calendar API in the example above. You are ready to instantiate an authorized Drive service Object on behalf of your Google Apps domain's users.
When you make the calls, you will have to impersonate the user whose account you want to access, i.e. user#xyz.com
So now Google has released the multi-tenant feature for GAE.
Assume I am going to implement a Google App Engine application and put it on the Google Apps Marketplace.
Suppose www.doma.com and www.domb.com bought the application.
Can usera from doma and userb from domb authenticate to this application with their Google Apps domain username? In other words, can usera#doma and userb#domb authenticate with GAE?
Thanks in advance
Google does not limit users when they go through the OpenID or Google Accounts authentication procedure; your code should do this. After the user is authenticated, control is handed back to your code. At this point you should check the user's data and decide to pass the request through or not.
Also, if you want to use doma.com and domb.com as your domain names on GAE, you need to own these domains and create a separate Google Apps account for each of them. This means that a random user cannot have a user#doma.com email address (unless you manually created an account for them on Google Apps).
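The post-authentication check described in the answer above, as an added example that is not part of the original answer. The allow-list, the sample addresses and the names email_domain, is_authorized and require_domain are assumptions made for illustration; get_email stands in for whatever returns the signed-in user's email in your app.

```python
# Added example: domain allow-list check run after authentication.
# ALLOWED_DOMAINS and all sample addresses are constructed for illustration.
ALLOWED_DOMAINS = frozenset({"doma.com", "domb.com"})


def email_domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    if not isinstance(email, str):
        return None
    local, sep, domain = email.strip().rpartition("@")
    # Require exactly one "@", a non-empty local part and a non-empty domain.
    if not sep or not local or "@" in local or not domain:
        return None
    return domain.rstrip(".").lower() or None


def is_authorized(email, allowed=ALLOWED_DOMAINS):
    """Exact-match the domain; substring or endswith checks admit look-alikes."""
    domain = email_domain(email)
    return domain is not None and domain in allowed


def require_domain(get_email, allowed=ALLOWED_DOMAINS):
    """Wrap a handler so it only runs for users in an allowed domain.

    get_email is a caller-supplied function that returns the authenticated
    user's email, or None when nobody is signed in (hypothetical hook; with
    the Users API it would be built on users.get_current_user()).
    """
    def decorator(handler):
        def wrapped(*args, **kwargs):
            email = get_email()
            if email is None:
                return 401, "login required"
            if not is_authorized(email, allowed):
                return 403, "account not in a subscribed domain"
            return handler(*args, **kwargs)
        return wrapped
    return decorator
```

The check fails closed: a malformed address or an unknown domain is rejected before the handler runs.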
I've set up an AppEngine account using Google Apps Authentication and I've resigned myself to the fact that it can't be changed. But can you switch the domain that it's bound to?
UPDATE
Forgot one point. We've already added users from the new domain as AppEngine administrators and we're able to log into the AppEngine console with them. But there are certain URLs in the app itself (e.g. cron jobs/task queues) that we've restricted to access by admins only. When we try to access them, we are directed to the domain-specific AppEngine page (i.e. http://appengine.google.com/a/myolddomain.com) to log in. When I update the URL to the new domain, I can log in but then I get a page saying "The page is requesting permission to access your Google account. Select an account you would like to use." And there are no options in the list to select. I can click Continue but then I'm redirected back to the login page for the old domain again.
No. If you created an app with Google Apps authentication, it is tied to that domain to authenticate against forever. This only matters if you're using the Users API, of course.
Yes you can switch to another domain. App Engine is a service in your apps domain. Because it is a service, I think you can add the same appspot service to multiple apps domains.
I would like to ask how to use a Google Apps account instead of a Google Account if I use the users.create_login_url() function to generate the login page.
Google automatically asks me to log in with a Google Account.
If I am running my application with Google Apps for a specific domain, and I have created users within that domain, is there any way that I can let my users log in using the created domain?
for example: hoang#abc.com
and abc.com is the domain managed by Google Apps.
I am an administrator for abc.com, and I have created multiple users within this domain.
Please advise!
Thank you!
You have to specify at the time you create the app whether you want to use Google Accounts for authentication, or Google Apps. If you selected Google Accounts for your app, you'll need to create a new app with the authentication setting set correctly in order to use it.