I migrated away from Google App Engine several months ago. But I am still relying on it for authentication, because my users are identified by their user_id attribute on GAE.
For this purpose my (now external) applications redirect the user to a Google App Engine application using a encrypted, signed and timestamped login request. The GAE application then performs the login using GAE's "Users" service. After successfully being logged-in on GAE, the user is again redirected using a encrypted, signed and timestamped response to my external application.
The rudimentary implementation can be found here and here. As you can see, this is very basic and relies on heavy crypto that leads to bad performance.
My external applications, in this case Django applications, are storing the user_id inside the password field of the user table. Besides the user_id, I only get the email address from GAE to store username and email in Django.
Now I would like to remove the dependency on the GAE service. The first approach which comes to mind would probably be to send an email to each user requesting him to set a new password and then perform my own authentication using Django.
I would prefer a solution which relies on Google's OpenID service so that there is actually no difference for the user. This is also preferred, because I need to send the user to Google anyway to get AuthSub tokens for the Google Calendar API.
The problem is that I couldn't find a way to get the GAE user_id attribute of a given Google Account without using GAE. OpenID and all the other authentication protocols use different identifiers.
So now the question is: Does Google provide any API I could use for this purpose which I haven't seen yet? Are there any other possible solutions or ideas on how to migrate the user accounts?
Thanks in advance!
The best way to do this is to show users a 'migration' interstital, which redirects them to the Google OpenID provider and prompts them to sign in there. Once they're signed in at both locations, you can match the two accounts, and let them log in over OpenID in future.
AFAIK, the only common identifier between Google Accounts and Google OpenID is the email.
Get email when user logs into Google Account via your current gae setup. Use User.email(). Save this email along with the user data.
When you have emails of all (most) users, switch to Google OpenID. When user logs in, get the email address and find this user in the database.
Why don't you try a hybrid approach:
Switch to OpenId
If your application already knows the userId, you are done
If not ask the user, if he has an account to migrate
If yes, log him in with the old mechansim and ttransfer the acount
If not create a new account
Google has a unique identifier that's returned as a parameter with a successful OpenID authentication request - *openid.claimed_id* . If you switch to using OpenID you could essentially exchange the user_id for this parameter the first time a user logs in using the new method without the user noticing anything different about their login experience.
Documentation for the authentication process is outlined here. I'd recommend using the hybrid OpenID+OAuth approach so that you can associate your request token with a given id, then, upon return, verify that the openid.claimed_id matches your original request token.
Related
One of my projects I have developed backend API using Django REST Framework and mobile app using React Native. I have done the following things:
When the users log in I store their username in local (mobile) database.
When users post data I send the username to server reading from local database along with the POST data.
I check whether the user is logged in or not using the username and then process the request.
My question is: am I doing it in the right way? If no then what are the right procedures to do this kind of authentication checking?
How are you authenticating your users? It sounds like your using sessions authentication which is fine as long as both ends are on the same doamin. Then you just use the request.user object as you normal would in a non-api setting. I would recommend using Django-rest-framework-Jwt https://github.com/GetBlimp/django-rest-framework-jwt Json Web Tokens do not require you to store a bunch of information in sessions on your server keeping things faster.
Here is a good example of implementing jwt if your interested https://www.techiediaries.com/django-rest-framework-jwt-tutorial/
Are there any libraries that provide username and password login for Google AppEngine?
While I could try rolling one from scratch, I'd rather not try to reinvent the wheel if possible.
If not, would it be possible to turn my application into an OpenId provider and then use it to log in?
Try EngineAuth. It has many different options for authentication systems, including email+password authentication.
GAE, via its Users API, supports three types of login (Google accounts, Google Apps accounts and OpenId). For an example of the latter see this article.
The type of login used is defined when creating the app, see this for further details.
I am a bit confused about OpenID OAuth stuff.
(by OAuth - i mean OAuth 2.0 here and later)
My target is to create a site with OpenID (or OAuth) auth as well as with legacy
email + password auth. The site will be on django framework. (python)
I understand difference between OAuth and OpenID and diff between authorization and authentification.
My primary goal is to implement openid login with google as identity provider.
The login and register flow must be just like on many sites.
As i see:
register scenario:
1) user enters openid url (clicks google button)
2) user gets redirected to auth provider ( google )
page says:
"Awesome site" ask for your:
email, language, country...
3) user says yes.. gets redirected back
behind the scenes "Awesome site"
retries email language and other user info
using access token
4) User fill other stuff needed in profile..
and this is it.. hes now registered.
Login scenario:
1) user enters openid url (clicks google button)
1.a) if user already logged in on auth provider
hmm... it is unclear to me.. but somehow user
get logged in without displaying a provider page (maybe it is closes fast? )
1.b) if the user not logged on provider
then provider displays login page and redirect back
to awesome site on success.
Because i have to get some user data
it is seem to me that i have to use:
OAuth or Hybrid ( OpenID + OAuth extentions )
protocol.
The things that are not clear to me:
How do i get scopes for info i need..
i searched but cant find.. found on someones blog
"https://www.googleapis.com/auth/userinfo#email" for email
but how about user language, country.. etc.. where it is documented ?
If i will use OAuth - will it be enough
to do both - the registration and login
or i will have to fetch user data wuth OAuth
and login with OpenID?
Is it ok to use OAuth 2.0 in my scenario ?
or it will be more simple to use 1.0 because i dont need
user data anymore after initial account registration ?
(i think 1.0 is more complex because it has 3 phases ..
but 2.0 is more complex because access token expires.. but
expiration wont be a problem in my scenario as i don't need user data
after registration)
There are few libs lying out there:
while reading google api docs i found:
google-api-python-client
openid-python-openid
gdata-python-client
( supposed to be api to google services dont know if it has oauth in it
hm.. according to this http://code.google.com/intl/ru/apis/gdata/docs/auth/oauth.html
it have oauth in it
)
python-oauth-client (http://code.google.com/p/python-oauth-client/)
i though thats a lot but then found:
http://your-move.appspot.com ( source files: https://github.com/sje397/Chess )
which seems to be using google.app.engine lib
from google.appengine.api import users
So which one to choose ?
So far i came that the simplest implementation would be:
Like this:
http://code.google.com/p/google-api-python-client/source/browse/samples/oauth2/django_sample/buzz/views.py
But lines 38-44: in my case would fetch user email language and other stuff (and also i will use other scope .. line 29 )
for a new registered user.. or if it is registered user just ignore credential and delete it. ( continue with the site session )
Am i wrong ?
I saw so many implementation on libs mentioned above that i doubt that i am right.
And also another question:
my fallback legacy auth will use email as login..
If an identity provider is email provider ( google )..
When user tries to log in i can fetch email from provider.. and search
email fetched from provider in database.. so i can find user.
What if identity provider not an email provider:
like facebook ? How i will search user in database ?
In my opinion, OpenID and OAuth 2.0 are two different concepts.
OpenID as its name explained mainly focused in manage Identity. So it is more like a framework or protocol to manage User Identity.
OAuth 2.0 was designed to provide a protocol which can make internet based applications manage authorization with some third party Authorization Providers. I do suggest you go through the IEFT OAuth 2.0 Spec before get your hand dirty. You can as well find some good information in this article A simplified explanation of OAuth2.0
Seems you wish your own website can handle user authorization by itself, that means in OAuth 2.0 area your own website is an AuthorizationServer.
To you question:
The scope are provided by the Authorization Provider, please refer to their documentation.
OAuth only provide the framework for authorizing your Web APP to access the Resource Owner's protected information. For the google example, the end user who authorize your app to access his/her protected information are still a google user unless your Web APP automatically create a user account for him/her in your own user account database - I think this step is what you mean Registration. OAuth doesn't cover anything about registration because it is out of the scope of authorization.
In you scenario you still have your own account database and wish users can authenticate themselves with username and password. OAuth 2.0 really can handle this scenario if you implement your own AuthorizationServer and use the “Resource Owner Password Credentials” auth flow.
I am not python guy, but I can tell you before you evaluate these libs you must understand different roles defined in OAuth 2.0 spec. Some of the libs play Authorization Server role, some play Resource Server role.
Why not just use the library, that does all the hard work of integrating with the open-id providers.
You can use SocialAuth, or any one of the other auth packages with similar functionality.
I would recommend not using Google or Facebook (or even worst Twitter) for testing OAuth/OpenID login as their setup is confusing, the scope is not clearly documented and requires SSL even on local to test. Instead I would suggest Github as it's more developer-friendly. SimpleLogin is also a good option (Disclaimer: I'm SimpleLogin founder) as it whitelists by default localhost to facilitate local development. Its doc is on https://docs.simplelogin.io.
If you want to learn more about OAuth/OpenID I think it's better to implement the redirection and callback yourself. Later it's better to use library to handle this though as they follow more closely the protocol. A very good article on this topic for Django is https://scotch.io/tutorials/django-authentication-with-facebook-instagram-and-linkedin.
I want to create an application that allows a user to register and login to a django application with an external provider. In addition, I then want the user to be able to associate additional accounts with that initial account. Finally, I would like the user to be able to login to the application with one of the other associated accounts.
So if a user initially signs in with Facebook Connect, I want them to be able to link their Google account. Then, if they log out, they can log in with their Google account (via openid) and it logs the user in as though they logged in via Facebook Connect.
Does anything like this exist already? Or do I need to write it myself?
The perfect solution for you seems to be Django-SocialAuth. See here. From the page:
Here is an app to allow logging in via twitter, facebook, openid, yahoo, google, which should work transparently with Django authentication system. (#login_required, User and other infrastructure work as expected.) Demo and Code
Edit: I'm pretty sure that SO uses django-SocialAuth for it's login system, looking at the project's demo page.
How does one handle logging in and out/creating users, without using Google Users? I'd like a few more options then just email and password. Is it just a case of making a user model with the fields I need? Is that secure enough?
Alternatively, is there a way to get the user to log in using the Google ID, but without being redirected to the actual Google page?
I recommend using OpenID, see here for more -- just like Stack Overflow does!-)
If you roll your own user model, you're going to need to do your own session handling as well; the App Engine Users API creates login sessions for you behind the scenes.
Also, while this should be obvious, you shouldn't store the user's password in plaintext; store an SHA-1 hash and compare it to a hash of the user's submitted password when they login.