Sunday, November 7, 2010

Using the provided OpenID functionality on Google App Engine

I've just released a small, simple application to he3-appengine-lib demonstrating the OpenID support Google added to App Engine in version X. I wrote the application from scratch to learn how a real application would behave, as I wasn't quite following the documentation.

When you set the authentication option for your application to OpenID, it behaves very similarly to the standard Google authentication. With Google authentication, you redirect your users to the URL created by create_login_url() to log in and to the URL created by create_logout_url() to log out. Before and after, you can use the rest of the google.appengine.api.users API to find out the currently logged-in user, their nickname and email address.

Using OpenID works the same way, with only a few caveats:

  • When calling create_login_url(), you need to pass the required OpenID service provider or actual OpenID URL. This is because the service provider provides the login screen (if required - the user might already be signed in).
  • Some service providers might not supply an email address, which may be problematic depending on your requirements. Even if you don't need to email the user, the email address is a dependable identifier, whereas nickname is not. For example, MyOpenID.com does not supply an email address by default, although this can be configured at the time of the login. In my demonstration application, I detect when an email address has not been provided and reject the login.
  • If you use directives in the app.yaml file to mandate that login or admin rights are required for particular pages, you must implement a handler for /_ah/login and /_ah/login_required. The standard approach is to direct the user to your dedicated login page (I took the easy way out in my application and redirected to the home page).

Overall, the transition from Google authentication to OpenID is not challenging from a technical standpoint. As Google themselves discuss, some of the challenges arise from simple usability choices in how you communicate to your users what their options are.
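
The first two caveats above, sketched as an added example (this is not the code from he3-appengine-lib): build one login URL per provider, and reject a signed-in user whose provider supplied no email address. It assumes the `users_api` argument is `google.appengine.api.users`; the `FakeUsers` and `FakeUser` classes, the provider list and the URL shapes the fake returns are constructed stand-ins so the logic runs outside App Engine.

```python
# Added example, not the he3-appengine-lib code. `users_api` stands for
# google.appengine.api.users; FakeUsers/FakeUser are constructed stand-ins
# with the same method names so the logic runs offline.
PROVIDERS = {  # constructed sample identifiers
    "Google": "https://www.google.com/accounts/o8/id",
    "MyOpenID": "myopenid.com",
}

def login_links(users_api, dest_url):
    """One login URL per provider; the provider shows its own sign-in page."""
    return dict((name, users_api.create_login_url(dest_url, federated_identity=ident))
                for name, ident in PROVIDERS.items())

def check_login(users_api, home_url="/"):
    """Return (action, detail): 'anonymous', 'reject' or 'accept'."""
    user = users_api.get_current_user()
    if user is None:
        return "anonymous", login_links(users_api, home_url)
    email = (user.email() or "").strip()
    if not email:
        # Provider supplied no email: send the user to the logout URL rather
        # than falling back to nickname, which is not a dependable identifier.
        return "reject", users_api.create_logout_url(home_url)
    return "accept", email

class FakeUser(object):
    def __init__(self, email, nickname):
        self._email, self._nickname = email, nickname
    def email(self):
        return self._email
    def nickname(self):
        return self._nickname

class FakeUsers(object):
    def __init__(self, user=None):
        self._user = user
    def get_current_user(self):
        return self._user
    def create_login_url(self, dest_url=None, _auth_domain=None, federated_identity=None):
        # Constructed URL shape, only so the result is inspectable offline.
        return "/_ah/login?continue=%s&openid=%s" % (dest_url, federated_identity)
    def create_logout_url(self, dest_url):
        return "/_ah/logout?continue=%s" % dest_url

if __name__ == "__main__":
    print(check_login(FakeUsers()))
    print(check_login(FakeUsers(FakeUser("", "alice"))))
    print(check_login(FakeUsers(FakeUser("alice@example.com", "alice"))))
```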

You can find my demonstration application on he3-appengine-lib, and you can find a working copy at he3-openidtest.appspot.com, although I can't guarantee I will keep it around forever.

I am yet to use the OpenID support in a production application, and I am sure I will learn more when I do. I'll record anything else of use that I find out here.
