
I previously asked a question about using App Engine's remote_api with openID, and the answer worked well, both securely and insecurely. At some point soon after, however, something in App Engine changed, and the solution no longer worked securely - i.e. the following

remote_api_stub.ConfigureRemoteDatastore(app_id=app_id, path='/remote_api', auth_func=auth_func, servername=host, secure=True)

stopped working (always returning 302), and I needed to remove the secure argument to get it to work.

The release of the 1.3.5 SDK promised 'Remote API commands can be sent over HTTPS or HTTP', which confused me, as I was under the impression that providing the 'secure=True' argument had been giving me this already, based on this discussion.

My suspicion is that it was the release of this feature that caused the 'secure' argument to stop working. So the first part of my question - was I actually running remote_api commands securely by using the 'secure=True' argument, prior to the release of 1.3.5?

Once the cookie hack stopped working securely, I tried out Nick Johnson's solution listed in the same question, but with this also, I could not supply 'secure=True', getting the same 302 response.

What do I need to do to run remote_api securely with openID? Does 1.3.5 include new capabilities around this, and how do I use them? Cheers,

Colin

  • Are you using my hack or Nick's less hacky hack? [ http://blog.notdot.net/2010/06/Using-remote-api-with-OpenID-authentication ] – Drew Sears Jul 12 '10 at 14:16
  • I've tried both - I get the same behaviour - setting 'secure=True' always results in a 302 - removing 'secure=True' everything works fine. I've got 'secure: optional' in app.yaml on the remote_api entry point. I was originally using your hack successfully with secure=True, then one day (around the 1.3.5 pre-release announcement) 302 started being returned. At this point I tried Nick's less hacky hack, but it too only worked without 'secure=True'. I'm pretty sure it wasn't a problem with the cookie, because the same cookie worked fine if 'secure=True' wasn't present. – hawkett Jul 12 '10 at 16:19
  • Secure OpenID does not yet work on Google App Engine. http://code.google.com/p/googleappengine/issues/detail?id=3586 – iamgopal Aug 21 '10 at 07:37
  • @iamgopal This was working prior to 1.3.5 - but possibly the issues are the same. Ta. – hawkett Aug 21 '10 at 09:06
  • Note that the fixing of this issue - http://code.google.com/p/googleappengine/issues/detail?id=3393 - in 1.3.8 does not help with the remote_api problem reported here – hawkett Oct 06 '10 at 09:19
  • Unless of course I've tested it too early :) – hawkett Oct 07 '10 at 22:22
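
One way to see where the 302 described in the question points before dropping `secure=True`, as an added example that is not part of the original thread or of the SDK: it classifies each response's `Location` header so an HTTPS-to-HTTP downgrade can be told apart from a sign-in redirect. It is plain Python 3 and independent of the SDK; the function names, the login-path markers and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)
# Assumption: path fragments treated as "this is a sign-in page".
LOGIN_MARKERS = ("/_ah/login", "/accounts/")


def classify_redirect(request_url, status, location, login_markers=LOGIN_MARKERS):
    """Classify one response received while calling the remote_api handler."""
    if status not in REDIRECTS:
        return "not-a-redirect"
    if not location:
        return "redirect-without-location"
    src = urlsplit(request_url)
    dst = urlsplit(urljoin(request_url, location))  # Location may be relative
    if src.scheme == "https" and dst.scheme != "https":
        return "scheme-downgrade"  # following it would leave TLS
    if any(marker in dst.path for marker in login_markers):
        return "auth-required"  # the request was treated as unauthenticated
    if dst.hostname != src.hostname:
        return "cross-host"
    return "same-site"


def audit_chain(hops):
    """Return (url, verdict) for every hop that should stop the client."""
    stop = {"scheme-downgrade", "auth-required", "cross-host",
            "redirect-without-location"}
    findings = []
    for url, status, location in hops:
        verdict = classify_redirect(url, status, location)
        if verdict in stop:
            findings.append((url, verdict))
    return findings


# Constructed sample responses (not captured from a real application).
BASE = "https://example-app.appspot.com/remote_api"
SAMPLE_HOPS = [
    (BASE, 302, "/_ah/login_required?continue=" + BASE),
    (BASE, 302, "http://example-app.appspot.com/remote_api"),
    (BASE, 200, None),
]

if __name__ == "__main__":
    for url, verdict in audit_chain(SAMPLE_HOPS):
        print(verdict, url)
```

A client that stops on any finding never sends the auth cookie or datastore traffic over plain HTTP as a side effect of following a redirect.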

1 Answer

Regarding this:

http://code.google.com/intl/en-US/appengine/articles/openid.html

WARNING: at the time of this writing, OpenID is not supported if your app runs in secure mode using HTTPS.

Regarding this, in the last revision in the 1.3.7 release:

def ConfigureRemoteDatastore(app_id,
                             path,
                             auth_func,
                             servername=None,
                             rpc_server_factory=appengine_rpc.HttpRpcServer,
                             rtok=None,
                             secure=False):
  """Does necessary setup to allow easy remote access to an AppEngine datastore.

  Either servername must be provided or app_id must not be None.  If app_id
  is None and a servername is provided, this function will send a request
  to the server to retrieve the app_id.

  Args:
    app_id: The app_id of your app, as declared in app.yaml.
    path: The path to the remote_api handler for your app
      (for example, '/remote_api').
    auth_func: A function that takes no arguments and returns a
      (username, password) tuple. This will be called if your application
      requires authentication to access the remote_api handler (it should!)
      and you do not already have a valid auth cookie.
    servername: The hostname your app is deployed on. Defaults to
      <app_id>.appspot.com.
    rpc_server_factory: A factory to construct the rpc server for the datastore.
    rtok: The validation token to sent with app_id lookups. If None, a random
      token is used.
    secure: Use SSL when communicating with the server.

So, did you try it with the new SDK?

Eugene
  • @eugene this is the same information as contained in the link provided by @iamgopal in the comments on Aug 21. So google deprecated this capability with 1.3.5? – hawkett Sep 07 '10 at 19:06
  • I think so, maybe we should wait for 1.3.6 roadmap to check it. – Eugene Sep 07 '10 at 19:11
  • @eugene 1.3.7 is out. I don't think this answer adds anything that wasn't already present in the question/comments. – hawkett Sep 08 '10 at 07:59
  • @eugene this documentation is the same as in previous versions, and no, it doesn't work. That is the question - why has this argument stopped working - it did work as documented, with openID until ~1.3.5 – hawkett Sep 08 '10 at 17:03