0

I'm sending SOS message in a bottle here but who knows...

So I'd like to use an AppEngine application as the backend for a mobile app (available on ios and android, but no browser-based app so far).

I'd like to support anonymous users as well as users signed in with different providers (Google, Facebook and the traditional username/password).

So Google Identity Toolkit seems like the way to go... I managed to get the identity toolkit demo running on ios (shame on you Google for not providing a Swift Framework...), yet I still don't get how it fits in an AppEngine application:

  • on the appengine side how do I check whether a request comes from a signed-in user or from an anonymous one?

  • The AppEngine OAuth service documentation mentions the OAuth2 'Authentication: Bearer' token but the Google Identity Toolkit returns a 'Google Identity ID token' if I'm correct. Plus, which API provides the OAuthService thing mentioned in the doc? Any maven repository info is welcome...

  • if Google Identity Toolkit is not the way to go, meaning I have to build a custom solution, should I use the authorization code flow with the oauth client being my mobile app? Should I build a custom session implementation?

Thanks a lot for any help

Brieuc

applequist
  • Identity toolkit and oauth2 are two different ways. Don't mix them. – Zig Mandel Nov 09 '15 at 21:44
  • I think I make the distinction. All I want is to identify requests coming from users authenticated through various providers (using any incarnation of oauth) as well as being able to pull profile info for those users. Google Identity toolkit seems the solution for that but the irony is I have no clue how to do it with an app engine backend... – applequist Nov 09 '15 at 21:52
  • Using identity toolkit is the same regardless of what you use on the backend, appengine or not. Follow the examples and post a specific issue with them. – Zig Mandel Nov 09 '15 at 22:01
  • Ok maybe I stated my question wrong. AppEngine has a service to identify users that only works with Google accounts or accounts from a Google app domain (see https://cloud.google.com/appengine/docs/java/users/). What I would like is to implement the same thing but for users logged in using either their Google account or a Facebook account. I thought Google Identity Toolkit would be a good starting point but I miss the link with AppEngine... – applequist Nov 09 '15 at 22:06
  • The user service is something else. – Zig Mandel Nov 09 '15 at 22:08
  • Ok. I'd like a user service that doesn't suck and works with accounts authenticated through other providers... Google has an Identity platform and a PaaS (AppEngine), how come you cannot use one with the other (out of the box)? – applequist Nov 09 '15 at 22:12
  • They are different and for different cases: https://developers.google.com/identity/choose-auth Identity toolkit is the most flexible and if you follow the samples, they will work on appengine too (not using users service which is old) – Zig Mandel Nov 09 '15 at 22:24
  • I followed the identity toolkit for iOS getting started example. I can sign in with Google and Facebook from an iOS app and get a token back to the iOS client. Now whenever I receive a request on AppEngine I'd like to know the identity of the user who made the request. Should the client transmit the aforementioned token to the server and should the server decode it to get the user ID? It might look trivial to you but it looks like a lot of work to me... And I don't really know where to start... – applequist Nov 09 '15 at 22:38
  • See https://developers.google.com/identity/toolkit/web/federated-login – Zig Mandel Nov 09 '15 at 22:46

1 Answer

0

Here is the python version of what I think you're wanting

  • Client receives the auth_token from provider
  • Client sends it to your app-engine backend
  • App engine uses token to get user profile from provider
  • Creates user account
  • Generates private bearer token & returns it to client
  • Client adds this token to http auth header for all api requests
  • Backend uses this private token to identify & load user.

If I have any of this wrong, please clarify here because I'm trying to understand this as well.

Dewey
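The flow listed in the answer above, sketched as an added example that is not code from either poster or from Google: the backend checks the provider token, mints its own bearer token, and later tells signed-in requests from anonymous ones. `SessionStore`, `fake_verifier` and `SESSION_TTL` are hypothetical names; the in-memory dict stands in for a datastore, and the provider check is injected as a callable because validating a real Identity Toolkit token needs the provider's keys.

```python
import hashlib
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed lifetime of the private bearer token


def fake_verifier(provider_token):
    """Constructed provider check; real code validates signature, audience, expiry."""
    return {"constructed-id-token-for-alice": "alice"}.get(provider_token)


class SessionStore:
    """Keeps SHA-256(token) -> (user_id, expiry), so a leaked store holds no usable token."""

    def __init__(self, verify_provider_token, now=time.time):
        self._verify = verify_provider_token  # callable: provider token -> user id or None
        self._now = now
        self._sessions = {}  # in-memory stand-in for a datastore (assumption)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def login(self, provider_token):
        """Verify the provider token on the server, then mint our own bearer token."""
        user_id = self._verify(provider_token)
        if user_id is None:
            raise PermissionError("provider token rejected")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._digest(token)] = (user_id, self._now() + SESSION_TTL)
        return token

    def identify(self, headers):
        """Return the user id for a valid bearer token, or None for an anonymous request."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        key = self._digest(token.strip())
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expiry = entry
        if self._now() >= expiry:
            del self._sessions[key]  # expired: drop it and treat the request as anonymous
            return None
        return user_id
```

A request handler would call `identify()` on every request and treat `None` as the anonymous case; the token must only ever travel over HTTPS.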