Is there a framework to assist in the authentication process when using Google Appengine?


I don’t want to use the app session. Would Spring Security be the only option? In this case it would be a SPA app.

1 answer

I wouldn’t advise using Spring Security; in itself it is very good. It is widely used and all problems are solved with high priority. However, as with most technologies, if you misuse it, your application will not be safe.

Yes, it is possible to use other authentication processes when talking about authentication through Google App Engine.

Several ways

According to Google’s own documentation, there are several means; some of them are:

Google Identity Toolkit

Provides various user authentication options, including Google, Facebook, Yahoo, Microsoft, Paypal, and AOL. It also supports the largest number of users while maintaining the smallest amount of code.

Google Sign-In

Google login that lets Gmail and Google Apps users sign in, together with support for single-use passwords (OTP). It is the easiest method to support Google-only accounts, or to support Google accounts in an existing login system.

OAuth 2.0 and OpenID Connect

OpenID Connect lets you handle and use authentication tokens with more customization.

Users API

Uses App Engine's built-in Users API service to authenticate Google accounts and Google Apps accounts.

Code examples

Code from Google's documentation that exemplifies security and authentication through Google App Engine:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>profile</web-resource-name>
            <url-pattern>/profile/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

NOTE: Google Apps domain administrators and Google App Engine domain administrators are not included in the administrator role in this context. Only application developers, such as those with the Viewer / Owner / Developer role, can access these parts of the application.

Security restrictions apply to static files as well as Servlets.

To learn more, take a look at their documentation here.

Users API:

Adding a new context:

c := appengine.NewContext(r) // r is the incoming *http.Request; c is the context passed to every App Engine API call

Getting the current user:

// Record the signed-in user (if any) as the author of the greeting g
// (g and guestbookKey come from Google's guestbook sample).
if u := user.Current(c); u != nil {
        g.Author = u.String()
}

// Store the greeting under the guestbook's ancestor key.
key := datastore.NewIncompleteKey(c, "Greeting", guestbookKey(c))
_, err := datastore.Put(c, key, &g)
if err != nil {
        http.Error(w, err.Error(), http.StatusInternalServerError)
        return
}
http.Redirect(w, r, "/", http.StatusFound)

Note that if the user is not logged in, a 302 HTTP status code redirects the browser to the Google account login screen.

OAuth 2.0 and OpenID Connect:

  // Create a state token to prevent request forgery.
  // Store it in the session for later validation.
  $state = sha1(openssl_random_pseudo_bytes(1024));
  $app['session']->set('state', $state);
  // Set the client ID, token state, and application name in the HTML while
  // serving it.
  return $app['twig']->render('index.html', array(
      'CLIENT_ID' => CLIENT_ID,
      'STATE' => $state,
      'APPLICATION_NAME' => APPLICATION_NAME
  ));

In the above code I am creating a single session token. And the code below sends a request to Google.

https://accounts.google.com/o/oauth2/v2/auth?
 client_id=424911365001.apps.googleusercontent.com&
 response_type=code&
 scope=openid%20email&
 redirect_uri=https://oauth2-login-demo.example.com/code&
 state=security_token%3D138r5719ru3e1%26url%3Dhttps://oauth2-login-demo.example.com/myHome&
 login_hint=jsmith@example.com&
 openid.realm=example.com&
 hd=example.com

A token request ends up looking like this in your final code:

POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded

code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=8819981768.apps.googleusercontent.com&
client_secret={client_secret}&
redirect_uri=https://oauth2-login-demo.example.com/code&
grant_type=authorization_code

Research and learn more about these technologies

Both technologies cited above work for authentication through Google App Engine. What I can suggest is that you research these frameworks further to better understand what each one can offer you. So I’m going to leave some official Google articles for you to take another look at each one.

https://cloud.google.com/appengine/docs/go/gettingstarted/authenticating-users

https://cloud.google.com/appengine/docs/java/config/webxml

https://cloud.google.com/appengine/docs/python/oauth/

https://cloud.google.com/appengine/docs/java/users/

https://github.com/GoogleCloudPlatform/java-docs-samples/blob/master/appengine/users/src/main/java/com/example/appengine/users/UsersServlet.java
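As an added example, not from the answer or from Google's documentation, here is the state-token handling that the answer's PHP snippet and authorization request rely on, written in Go: generate an unguessable state, build the authorization URL, and reject any callback whose state does not match the one kept in the session. The client ID and redirect URI are the sample values from the answer's request; the session store and callback URLs are assumed to be handled by the surrounding web framework.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// newState returns an unguessable state token (32 random bytes, hex-encoded) that the
// server stores in the user's session before redirecting to Google.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// authURL builds the authorization request from the answer, binding this login
// attempt to state. Client ID and redirect URI are the sample values from the answer.
func authURL(state string) string {
	q := url.Values{}
	q.Set("client_id", "424911365001.apps.googleusercontent.com")
	q.Set("response_type", "code")
	q.Set("scope", "openid email")
	q.Set("redirect_uri", "https://oauth2-login-demo.example.com/code")
	q.Set("state", state)
	return "https://accounts.google.com/o/oauth2/v2/auth?" + q.Encode()
}

// validateCallback checks the redirect back from Google: the state must equal the one
// stored in the session (constant-time compare) before the code is accepted for exchange.
func validateCallback(storedState string, callback *url.URL) (string, error) {
	q := callback.Query()
	if storedState == "" || subtle.ConstantTimeCompare([]byte(storedState), []byte(q.Get("state"))) != 1 {
		return "", errors.New("state mismatch: possible request forgery")
	}
	if q.Get("code") == "" {
		return "", errors.New("missing authorization code")
	}
	return q.Get("code"), nil
}

func main() {
	s, _ := newState()
	fmt.Println(authURL(s)) // send the browser here and keep s in the session
}
```

The code returned by validateCallback is what goes into the token POST shown above; a callback that fails the state check must never reach that exchange.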
