Authenticating against App Engine from Android app with Federated Login (OpenID)

-上瘾入骨i 2021-02-08 18:06

I've followed Nick Johnson's tutorial on Authenticating against App Engine from Android

Is there any way to get the same workflow (no web signin) with Federated Login (

2 Answers
  •  猫巷女王i
    2021-02-08 18:57

    I have been researching this topic for several weeks now and I finally saw light at the end of the tunnel. I'm hoping you can at least get a few pointers from my research. First, I just realized (http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing) that OpenID and OAuth are not the same thing, although they could be used in conjunction. My Google App Engine app is configured with Google Accounts API, and I currently only have an Android client. I'm a religious follower of Nick Johnson's super famous blog that you mentioned above. So, I used the AccountManager instance in the Android client to seamlessly authenticate with my App Engine app, without asking the user for credentials, and without redirecting to a browser/webview, etc.

    Just like you want to open up a public API to your GAE app, I also want to expand my client base to have other clients like web-based clients, Python APIs, iOS clients, etc., and none of those have this handy AccountManager. So, OAuth is the obvious choice. Here's an article from Ikai Lan of the Google App Engine team demonstrating the use of a Python client using OAuth to authenticate against a GAE app: http://ikaisays.com/2011/05/26/setting-up-an-oauth-provider-on-google-app-engine/

    Funny thing is, I thought that use of OAuth at the client required configuring the GAE app with OpenID/Federated login. But this is not the case. So the solution for me, and likely for you too, is simple: on the Android client, use AccountManager per Nick's blog. And on other clients, use OAuth, and redirect the user to the Google Accounts page to enable authentication (see Ikai Lan's article that I talked about in the previous paragraph).

    Bottom line for you though is, you can avoid the web-based sign-in on an Android client, but not anywhere else. You have to authenticate a user at least once, somehow. Hopefully browser-based sign-in happens only the first time, and the browser caches future requests.

    Good Luck!
