Home‎ > ‎


In Oct 2009 we added features to Google App Engine (GAE) to make it easier to use OAuth from a GAE app.  These feature are only being made available at this time to get early feedback from the OAuth community.  The APIs may change over time, and we may disable it at any time without notice.

Here is a summary of the new features:
  1. If a GAE app wants to get a user's permission to access their data via a 3-legged-OAuth enabled API, such as GData or APIs from MySpace, Yahoo, Twitter, etc.  The GAE URLFetch function now has a set of flags that offload almost all the OAuth security aspects to GAE.  A similar feature was launched last year for gadgets.  For more info see the section below on OAuth Proxy support.
  2. A GAE app can also make a 2-legged-OAuth or signed-fetch called to an OAuth enabled API.  Like with #1, the GAE URLFetch function now handles all the signature aspects.  This feature has been available to OpenSocial gadgets since shortly after it was launched.  It also works with the 2-legged-OAuth version of the Enterprise GoogleApps APIs, but any Enterprise or Web2.0 developer can create their own OAuth enabled API to receive such a request and verify the source.  If the GAE app is accessing the GData APIs for a Google Apps domain, the domain administrator can use the GoogleApps admin panel to specify that the GAE app can access particular GData APIs, such as Calendar.  For more info see the section below on OAuth Proxy support.
  3. The reverse of #2 also works, i.e. a GAE app can expose a 2-legged-OAuth enabled API and can use a single GAE function call to verify the source of the requests.  #2 & #3 can be combined to enable two GAE apps to communicate with each other while using OAuth for web-service authentication.  Another option is for a Gadget to use signed-fetch to communicate with the GAE app's OAuth enabled endpoint.  For more info see the section below on OAuth 2-legged service-provider support.
  4. The reverse of #1 in the above list will also be supported, i.e. a GAE app can expose a 3-legged-OAuth enabled API.  This feature and #1 can be combined to enable two GAE apps to communicate with each other after getting the user's conent, or a Gadget could use the gadget oauth proxy to communicate with the GAE app.  For more info see the section below on OAuth 3-legged service-provider support.

GAE OAuth Proxy support:
Demo app url:
First option in the demo shows how a GAE app can log the user in, and then do a 3-legged OAuth dance with an OAuth service provider such as the Google Contacts API endpoint
Second option in the demo shows how a GAE app can mkae a 2-legged-OAuth (signed fetch) request to an API endpoint provided by another GAE app which then verifies the source of the request
Demo app source: Python version (Java version not available yet)
For help contact beaton@google.com & esachs@google.com

GAE OAuth 2-legged service-provider support:
Demo app urls: http://oauth-sp-demo.appspot.com/oauth2leggedhttp://oauth-sp-demo-java.appspot.com/oauth2legged
To test it, go to the OAuth Playground GAE app and enter one of the URLs above into box 6 and click execute.  The output of the request will be shown in the box above, and the last line should say "Signature is valid. OAuth consumer key: googlecodesamples.com"
Demo app source: Python version, Java version
The testing would be most helpful if clients use the "oauth.py" file that's part of the demo app (oauth/oauth.py) or the equivalent Java version (oauthsp/lib).  That is the code that will (tentatively) be included in users.py/UserService.java at some future date.

GAE OAuth 3-legged service-provider support:
See GAE-3LO-SP documentation

For help contact esachs@google.com