
OAuth 2.0 App Engine Authentication

Preethum edited this page Nov 22, 2015 · 3 revisions

Version 0.6 of GWT-SyncProxy (GSP) previews a new authentication method for accessing secured GWT RPC endpoints hosted on App Engine. App Engine itself currently supports OAuth 1.0, but with a few modifications and some provided templates this wiki shows how to use OAuth 2.0 to access your secured servlets. GSP tries to make this easier by forcing HTTPS connections for OAuth 2.0 secured servlets (the identity token travels in a request header and would otherwise be exposed in transit) and by providing an enhanced RemoteServiceServlet subclass to extend from that makes user data available through this authentication mechanism.

This Wiki is a Work-In-Progress. It is subject to frequent changes and additions

Android

Android is a special case since it has many of the authentication systems built into the OS. As such, we can leverage those tools so that the app never has to handle the user's credentials at all. The example test app in the source code, SPAAppTest, shows how to use the accounts already known to the device to authenticate against App Engine hosted GWT RPC servlets. The library is structured so that you can write your own authenticator. By default it provides two implementations of ServiceAuthenticator: AndroidGAECrossClientAuthenticator and AndroidGSIAuthenticator. These authenticators use Google's cross-client identity system, which is designed for exactly this use case (https://developers.google.com/accounts/docs/CrossClientAuth): the Android app obtains an ID token minted for your App Engine application's web client ID, so the server can verify who is calling without ever seeing a password. The GSP Android library sends that identity information in a header of each RPC. We also provide an example servlet sub-class for your servlet to extend from that handles this header automatically and makes available a User object similar to the one GAE provides through its UserService. See the Android Authentication wiki for details.

Servlet Enhancement

Since this solution sends the cross-client ID token in a header over HTTPS, I have included a sample servlet (https://github.com/jcricket/gwt-syncproxy/blob/gae_auth/SPWebTest/src/com/gdevelop/gwt/syncrpc/server/auth/gae/CrossClientAuthRSS.java) that automatically performs the appropriate ID token verification (for a Google ID token that means checking the signature against Google's published keys, the expiry, and that the token's audience is your own web client ID, so a token issued for some other application is not accepted) and makes available a User object on the server side, much like App Engine's UserService. This servlet also falls back to App Engine's UserServiceFactory if no OAuth 2.0 data is found in the header AND the cookie data UserServiceFactory relies on does exist. Simply extend your servlet from this class (instead of RemoteServiceServlet), then call its #getCurrentUser() method (instead of UserService#getCurrentUser()).
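The following is an added illustration of what such an enhanced servlet has to do; it is not the project's CrossClientAuthRSS and makes no claim about that class's internals. It assumes the google-api-client library (GoogleIdTokenVerifier) and the App Engine SDK are on the classpath, and the header name X-Id-Token, the client IDs, and the auth domain are placeholders you would replace with your own:

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserServiceFactory;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/**
 * Illustrative base servlet (added example, not the project's CrossClientAuthRSS):
 * verifies a Google cross-client ID token carried in a request header and exposes
 * the caller as an App Engine User, falling back to UserService cookies only when
 * the header is absent.
 */
public abstract class IdTokenVerifyingServlet extends RemoteServiceServlet {

    // Header name is an assumption for this example; use whatever your client sends.
    static final String ID_TOKEN_HEADER = "X-Id-Token";

    // Placeholder web client ID of the App Engine app (the token's "aud" claim).
    static final String WEB_CLIENT_ID = "000000000000-web.apps.googleusercontent.com";

    // Placeholder Android client IDs allowed to call this backend (the token's "azp" claim).
    static final Set<String> ALLOWED_ANDROID_CLIENT_IDS = new HashSet<String>(Arrays.asList(
            "000000000000-android.apps.googleusercontent.com"));

    // Fetches and caches Google's public signing keys; the audience check is built in.
    private static final GoogleIdTokenVerifier VERIFIER = new GoogleIdTokenVerifier.Builder(
            new NetHttpTransport(), new JacksonFactory())
            .setAudience(Collections.singletonList(WEB_CLIENT_ID))
            .build();

    /** Returns the authenticated caller, or null if the request carries no valid identity. */
    protected User getCurrentUser() {
        HttpServletRequest request = getThreadLocalRequest();
        String idToken = request.getHeader(ID_TOKEN_HEADER);
        if (idToken == null) {
            // No OAuth 2.0 data in the header: fall back to App Engine's cookie-based UserService.
            return UserServiceFactory.getUserService().getCurrentUser();
        }
        // Server-side belt and braces for the client's forced HTTPS: a bearer token that
        // arrived over plain HTTP may already have been captured and replayed.
        if (!request.isSecure()) {
            return null;
        }
        // Header present: the token must verify. An invalid token is rejected outright and
        // does NOT fall through to the cookie path.
        return userFromIdToken(idToken);
    }

    /** Verifies signature, expiry, issuer and audience, then maps the claims to a User. */
    static User userFromIdToken(String idTokenString) {
        GoogleIdToken idToken;
        try {
            idToken = VERIFIER.verify(idTokenString);
        } catch (GeneralSecurityException e) {
            return null;
        } catch (IOException e) {
            return null; // could not fetch Google's certificates; fail closed
        }
        if (idToken == null) {
            return null; // bad signature, expired, wrong issuer or wrong audience
        }
        GoogleIdToken.Payload payload = idToken.getPayload();
        // "aud" is our web client ID; "azp" names the installed app that requested the token.
        // Restricting it keeps tokens minted for other apps using the same backend out.
        String authorizedParty = payload.getAuthorizedParty();
        if (authorizedParty == null || !ALLOWED_ANDROID_CLIENT_IDS.contains(authorizedParty)) {
            return null;
        }
        if (!Boolean.TRUE.equals(payload.getEmailVerified())) {
            return null;
        }
        // "sub" is the stable account identifier; the email can change, so keep both.
        // The auth domain value mirrors what App Engine's UserService reports for Google accounts.
        return new User(payload.getEmail(), "gmail.com", payload.getSubject());
    }
}
```

Two points worth keeping when adapting this: the fallback to cookies happens only when the header is missing, never when it is present but fails verification, otherwise an attacker with a stale or forged header could still be authenticated through the cookie path; and the audience check is what stops an ID token issued for a different application from being accepted by your servlet.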