In Oct 2009 we added features to Google App Engine (GAE) to make it easier to use OAuth from a GAE app. These feature are only being made available at this time to get early feedback from the OAuth community. The APIs may change over time, and we may disable it at any time without notice.
Here is a summary of the new features: - If a GAE app wants to get a user's permission to access their data via a 3-legged-OAuth enabled API, such as GData or APIs from MySpace, Yahoo, Twitter, etc. The GAE URLFetch function now has a set of flags that offload almost all the OAuth security aspects to GAE. A similar feature was launched last year for gadgets. For more info see the section below on OAuth Proxy support.
- A GAE app can also make a 2-legged-OAuth or signed-fetch called to an OAuth enabled API. Like with #1, the GAE URLFetch function how handles all the signature aspects. This feature has been available to OpenSocial gadgets since shortly after it was launched. It also works with the 2-legged-OAuth version of the Enterprise GoogleApps APIs, but any Enterprise or Web2.0 developer can create their own OAuth enabled API to receive such a request and verify the source. If the GAE app is accessing the GData APIs for a Google Apps domain, the domain administrator can use the GoogleApps admin panel to specify that the GAE app can access particular GData APIs, such as Calendar but not Docs. For more info see the section below on OAuth Proxy support.
- The reverse of #2 also works, i.e. a GAE app can expose a 2-legged-OAuth enabled API and can use a single GAE function call to verify the source of the requests. #2 & #3 can be combined to enable two GAE apps to communicate with each other while use OAuth for web-service authentication. Another option is for a Gadget to use signed-fetch to communicate with the GAE app's OAuth enabled endpoint. For more info see the section below on OAuth service-provider support.
There are two related features under development which should be live very soon:
- The reverse of #1 in the above list will also be supported, i.e. a GAE app can expose a 3-legged-OAuth enabled API. This feature and #1 above can be combined to enable two GAE apps to communicate with each other after getting the user's conent, or a Gadget could use the gadget oauth proxy to communicate with the GAE app.
- The GoogleApps Provisioning API has a list of users in a domain, as well as their group memberships. A 2-legged-OAuth version of that API is being made available, and then a GAE app could use #2 in the list above to connect to that API to perform functions like checking the group membership of the person logged into the GAE app.
GAE OAuth Proxy support:
Demo app url: http://gaeoauth.appspot.com/
First option in the demo shows how a GAE app can log the user in, and then do a 3-legged OAuth dance with an OAuth service provider such as the Google Contacts API endpoint
Second option in the demo shows how a GAE app can mkae a 2-legged-OAuth (signed fetch) request to an API endpoint provided by another GAE app which then verifies the source of the request
Demo app source: Python version (Java version not available yet)
For help contact beaton@google.com & esachs@google.com GAE OAuth service-provider support:Demo app urls: http://oauth-sp-demo.appspot.com/oauth2legged, http://oauth-sp-demo-java.appspot.com/oauth2leggedTo test it, go to the OAuth Playground GAE app and enter one of the URLs above into box 6 and click execute. The output of the request will be shown in the box above, and the last line should say " Signature is valid. OAuth consumer key: googlecodesamples.com"Demo app source: Python version, Java version The testing would be most helpful if clients use the "oauth.py" file that's part of the demo app (oauth/oauth.py) or the equivalent Java version (oauthsp/lib). That is the code that will (tentatively) be included in users.py/UserService.java at some future date.
For help contact esachs@google.com |
|