GAE-3LO-SP

OAuth service provider on AppEngine

For a good introduction to OAuth, check out http://code.google.com/apis/gdata/articles/oauth.html to see how it can be used to access GData feeds. The concepts used here are very similar.

The three OAuth endpoints needed to obtain an access token are automatically exposed on your app. For example, if your app is located at http://myapp.appspot.com, the three endpoints are:

Obtain a request token:
http://myapp.appspot.com/_ah/OAuthGetRequestToken

Authorize the request token:
http://myapp.appspot.com/_ah/OAuthAuthorizeToken

Upgrade to an access token:
http://myapp.appspot.com/_ah/OAuthGetAccessToken

Consumers wishing to acquire a token to access your app will need to use these three endpoints to complete the "OAuth dance". A token acquired with these endpoints will be valid for your app but not for any other AppEngine app.

To accept OAuth tokens on one of your handlers or servlets, check out the samples below.

Python

There's one file to include in your project:

http://code.google.com/p/gaeoauthdemo/source/browse/trunk/py/oauth.py

Once you import that file into your handler module, simply call oauth.get_user_from_oauth_request() to determine if the request was a valid OAuth request. If it was, the method returns a User object identical to the kind returned by users.get_current_user(), so it can be used to retrieve data from the datastore. If the request was invalid in some way, an exception is raised (this is documented in the code).

Here's the code for a very simple handler demonstrating the use of this API:

http://code.google.com/p/gaeoauthdemo/source/browse/trunk/py/whoami.py

Java

There's one file to include in your project:

http://code.google.com/p/gaeoauthdemo/source/browse/trunk/java/gaeoauth/src/com/google/appengine/demos/oauth/OAuthService.java

In your servlet, simply call getUserFromOAuthRequest() to determine if the request was a valid OAuth request. If it was, the method returns a User object identical to the kind returned by the UserService in the AppEngine SDK, so it can be used to retrieve data from the datastore. If the request was invalid in some way, an exception is thrown (this is documented in the code).

Here's the code for a very simple servlet demonstrating the use of this API:

http://code.google.com/p/gaeoauthdemo/source/browse/trunk/java/gaeoauth/src/com/google/appengine/demos/oauth/WhoAmIServlet.java