 

Authenticating against App Engine from Android app with Federated Login (OpenID)

I've followed Nick Johnson's tutorial on Authenticating against App Engine from Android

Is there any way to get the same workflow (no web sign-in) with Federated Login (even if support is limited to Google Accounts)?

[Edit] Additional Info

The current setup includes:

  • App Engine's UserService configured for federated login (OpenID: gmail, aol, myspace?, ...)
  • Facebook (OAuth)
  • Twitter (OAuth)

All the authentication types are wrapped in a UserService, so I can call UserService.getCurrentUser() (similar to App Engine's UserService, but supports Twitter and Facebook).

Accounts can have multiple authentication methods linked together.

So far the clients are all web based, and things are working nicely. :D

I'd like to:

  1. Add a public API (for web and native mobile apps),
  2. use the API internally for native mobile apps.

What are the options?

I was thinking of limiting authentication to Google Accounts for the Android app, in hopes of avoiding the web-based sign-in screen. Even so, it would be nice to support Facebook and Twitter for the web API.

Nick Siderakis asked Jan 05 '12 19:01



2 Answers

No, OpenID is a browser-based auth standard - it relies on the user being directed to an external auth page and then back to the app page.

You can do this via WebView inside a Dialog for a smooth user experience. See the LeanEngine open-source project for an example implementation: server and client. Server is a bit complicated as it supports both Facebook and OpenID login. OpenID only login would be simpler. You basically only need the client example.

However, if you do not need OpenID and are willing to limit your users to Google Accounts, then you can use the Google ClientLogin API. An example usage.

Peter Knego answered Nov 16 '22 17:11



I have been researching this topic for several weeks now and I finally saw light at the end of the tunnel. I'm hoping you can at least get a few pointers from my research. First, I just realized (http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing) that OpenID and OAuth are not the same thing, although they could be used in conjunction. My Google App Engine app is configured with the Google Accounts API, and I currently only have an Android client. I'm a religious follower of Nick Johnson's super famous blog that you mentioned above. So, I used the AccountManager instance in the Android client to seamlessly authenticate with my App Engine app, without asking the user for credentials, and without redirecting to a browser/webview, etc.

Just like you want to open up a public API to your GAE app, I also want to expand my client base to have other clients like web-based clients, Python APIs, iOS clients, etc., and none of those has this handy AccountManager. So, OAuth is the obvious choice. Here's an article from Ikai Lan of the Google App Engine team demonstrating the use of a Python client using OAuth to authenticate against a GAE app: http://ikaisays.com/2011/05/26/setting-up-an-oauth-provider-on-google-app-engine/

Funny thing is, I thought that use of OAuth at the client required configuring the GAE app with OpenID/Federated login. But this is not the case. So the solution for me, and likely for you too, is simple - on the Android client, use AccountManager per Nick's blog. And on other clients, use OAuth, and redirect the user to the Google Accounts page to enable authentication (see Ikai Lan's article that I talked about in the previous paragraph).

Bottom line for you though is, you can avoid the web-based sign-in on an Android client, but not anywhere else. You have to authenticate a user at least once, somehow. Hopefully browser based sign-in happens only the first time, and the browser caches future requests.

Good Luck!

Shiprack answered Nov 16 '22 17:11

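The AccountManager flow both answers point to (Nick Johnson's tutorial: fetch an "ah" token, present it to /_ah/login, keep the resulting session cookie) as an added example that is not code from the question, the answers or the tutorial; the hostname is a placeholder and the network calls must run on a worker thread.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AccountManagerFuture;
import android.app.Activity;
import android.os.Bundle;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.List;

public class AppEngineLogin {
    // Placeholder: replace with the real application hostname. Keep it HTTPS so the
    // token and the session cookie never travel in the clear.
    private static final String APP_HOST = "your-app-id.appspot.com";
    private static final String AUTH_TOKEN_TYPE = "ah";      // App Engine token type from the tutorial
    private static final String ACCOUNT_TYPE = "com.google";

    /** Step 1: ask AccountManager for an "ah" token for the first Google account on the device.
     *  The user is prompted for consent once; later calls return the cached token. Blocks. */
    public static String getAuthToken(Activity activity) throws Exception {
        AccountManager am = AccountManager.get(activity);
        Account[] accounts = am.getAccountsByType(ACCOUNT_TYPE);
        if (accounts.length == 0) throw new IllegalStateException("no Google account on device");
        AccountManagerFuture<Bundle> future =
                am.getAuthToken(accounts[0], AUTH_TOKEN_TYPE, null, activity, null, null);
        return future.getResult().getString(AccountManager.KEY_AUTHTOKEN);
    }

    /** Step 2: present the token to /_ah/login and read the session cookie off the 302.
     *  Redirects are deliberately not followed: the cookie is taken from the response headers,
     *  and nothing is replayed to the continue URL. Returns "NAME=value" for use in a Cookie header. */
    public static String exchangeForSessionCookie(String authToken) throws Exception {
        String cont = URLEncoder.encode("https://" + APP_HOST + "/", "UTF-8");
        URL url = new URL("https://" + APP_HOST + "/_ah/login?continue=" + cont
                + "&auth=" + URLEncoder.encode(authToken, "UTF-8"));
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setInstanceFollowRedirects(false);
        if (conn.getResponseCode() != HttpURLConnection.HTTP_MOVED_TEMP) {
            throw new IllegalStateException("unexpected status " + conn.getResponseCode());
        }
        List<String> cookies = conn.getHeaderFields().get("Set-Cookie");
        if (cookies != null) {
            for (String c : cookies) {
                // App Engine names the cookie ACSID over HTTP and SACSID over HTTPS.
                if (c.startsWith("ACSID=") || c.startsWith("SACSID=")) {
                    int semi = c.indexOf(';');
                    return semi < 0 ? c : c.substring(0, semi);
                }
            }
        }
        throw new IllegalStateException("no session cookie in /_ah/login response");
    }

    /** Step 3: on a 401/403 from the API, drop the cached token so the next call fetches a fresh one. */
    public static void invalidate(Activity activity, String authToken) {
        AccountManager.get(activity).invalidateAuthToken(ACCOUNT_TYPE, authToken);
    }
}
```

Keep the returned cookie in memory for the session rather than on disk; it is a bearer credential for the signed-in user until the server expires it.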