Use OAuth2 for authentication + compatibility with google.appengine.api.users service

We're trying to put our app on Google Marketplace, and one of the requirements was to use OAuth2 for authentication. Unfortunately (and strangely), AppEngine doesn't have an option for this.

Right now, we are using OpenID for authentication. I've been trying to find resources online, but have failed in finding a definitive guide on how to do this properly.

My concerns are:

<ol> <li>What scope should I use?</li> <li>How should sessions be managed? (the Users service handled this very well)</li> <li>What would the local development process be like? Would I need to have an internet connection to be able to use dev_appserver.py?</li> <li>We rely heavily on the user_id property provided by the Users service. Can I rely on it having the same value when switching to OAuth2?</li> <li>Any possible conflicts in other AppEngine services (ones that rely on Users service)?</li> <li>Would the login: required flag in app.yaml still work as expected after migrating?</li> </ol>

Also, it would be great if we could keep on using the Users service.

<strong>EDIT:</strong> Slightly off-topic, but I think the AppEngine docs for the Users service needs to be updated. It still says "supporting OpenID is a powerful way to integrate your app with Google App Marketplace", which isn't the case anymore.


You have lots of questions asked, so I'll address only the ones I know the answers to (after migrating our own app from OAuth1 to OAuth2).

Note: The thing I want to stress most about this issue, and which was the Aha Moment for me is: Accessing the APIs to which you got access from user after he installed your GAM app could be <strong>completely separated</strong> from the end user access to your app. I.E. After you got permissions from the domain admin for your app (after he installed it) you can use your App Engine service account to access all the APIs, from the server side. You use the users API only when users access your app. Thus, complete separation. With that said, here are my insights.

<ol> <li>

The scopes you're going to use depend on the services you require. I couldn't find a definite mapping from old scopes to new ones - you'll have to test stuff with https://developers.google.com/oauthplayground/ I also recommend setting up a test app, for OAuth testing only.

</li> <li>

As far as our app is concerned, sessions are managed as usual, you have the usual User object and work with it as you'd expect. The interaction with Google APIs is done via an App Engine service account. Which in simpler word means, you manage user access and permissions to your app using the users api, and Google manages access to it's APIs using the tokens generated with the service account and the admin's emails. (This issue is a post on it's own)

</li> <li>

I'm not sure what you mean by that one.

</li> <li>

The users API should work as expected.

</li> <li>

We haven't had any (surprisingly!), but I guess that depends on your implementation

</li> <li>

login: required should work as expected as it works in the same manner as the users api

</li> </ol>


  • Velocity syntax highlighting in WebStorm
  • Multiplying two matrices in Java
  • Can I determine HTML5 support in my users’ browsers with Google Analytics?
  • Updating Entity Framework EDMX Models After Database Migration
  • How can I migrate my WP8 application to universal when it uses a local linq to sql db?
  • Migration of Google Project to Firebase Console
  • Uploading entity with parent using bulkloader
  • why is cobra not reading my config file
  • Why is YAML.load returning the wrong numeric value?
  • How do I specify custom wording in a will_paginate view helper?
  • Acts as Tree with Multiple Models
  • Sticky Service not restarting after RAM full on Xiaomi / Huawei / Lava
  • how to translate xml using xslt with complex rules
  • Installing apk from within application in android
  • Validity Method for Reference Classes
  • Oracle - Second level subquery cannot see field from main query
  • You tube videos are not playing
  • Delphi: Where is the shortcut that started the application? [duplicate]
  • Request response issues in biztalk
  • cordova is not defined - cordova.js has already been loaded :: Ionic
  • Clear fused location provider's location for testing
  • Python delete lines of text line #1 till regex
  • Does Mobilefirst provide a provision to access web services directly?
  • azure media services - The request body is too large and exceeds the maximum permissible limit
  • PHP buffered output depending on server setting?
  • Functions in global context
  • Django rest serializer Breaks when data exists
  • Recording logins for password protected directories
  • Is there any way to access browser form field suggestions from JavaScript?
  • java.lang.NoClassDefFoundError: com.parse.Parse$Configuration$Builder on below Lollipop versions
  • Is possible to count alias result on mysql
  • Java applet as stand-alone Windows application?
  • Check if a string to interpolate provides expected placeholders
  • R: gsub and capture
  • jqPlot EnhancedLegendRenderer plugin does not toggle series for Pie charts
  • Comma separated Values
  • Codeigniter doesn't let me update entry, because some fields must be unique
  • Getting error when using KSoap library to consume .NET web services
  • Does armcc optimizes non-volatile variables with -O0?
  • How to load view controller without button in storyboard?