 

Can oauth.get_current_user() be used with OAuth2?

I'm having a hard time finding a definitive answer about the use of OAuth2 within my GAE app. First, this is not an endpoints app, just a plain old python app.

I can get the oauth.get_current_user() method to return the authenticated user when expected if using the OAuth endpoints within my app (appid.appspot.com/_ah/OAuth*), but this is using OAuth1, which is deprecated -- Google's dev docs make that very clear.

So I tried using Google's OAuth2 endpoints to auth my app and I've gotten the access token, but the oauth.get_current_user() call within my GAE app always throws an exception (invalid OAuth sig) and never presents the User object when expected. I've tried authorizing my app with various scopes (https://www.googleapis.com/auth/userinfo.email & https://www.googleapis.com/auth/appengine.admin), but it doesn't matter as when I sign the request with the OAuth2 token, my GAE app never accepts the request as valid and oauth.get_current_user() always throws an exception.

So my question is, should I be able to use the oauth.get_current_user() call from within my GAE app when signing requests with an OAuth2 token? If so, which scope(s) must I authorize for access to the GAE app?

Slugger asked Oct 26 '25 08:10


1 Answer

tl;dr;

Try this inside appengine code:

from google.appengine.api import oauth
oauth.get_current_user(SCOPE)

I've been down the same path for the past week, wandering among vague Google documents.

My final understanding is that AppEngine never officially made it to the OAuth2 land. You see these 'OAuth1 being deprecated' messages all over Google API documents, but it's actually quiet in appengine documents. It talks about OAuth, but does not talk about which version.

This is the landscape of what I think the current status is (as of 2013-12-07):

  • [1] Authorizing into appengine with OAuth: the *.appspot.com/_ah/ approach. Doesn't say which version. Likely 1.0 only.
  • [2] Google API Authorization: all the OAuth2 fuss, but it's about requesting other Google APIs, not much about appengine.
  • [3] Google accounts authentication with OAuth 2.0: logging in with general google account. Unfortunately appengine is not included in the scope.

There is another document that talks about OAuth 2.0 on appengine, but it's about calling Google APIs from appengine server, not logging into it.

I tried accessing the appengine server with the OAuth2 approach in [3], but the oauth.get_current_user() method raised an exception. I also tried various scopes, hoping one would fit for appengine, only to fail.

However, what I found out from another SO answer was an undocumented use of the method:

oauth.get_current_user('https://www.googleapis.com/auth/userinfo.email')

passing the scope as an argument. And this worked, provided the consumer had passed the access token with the scope.

And it turned out it was in the appengine code after all. It just wasn't documented.

Improvements or corrections to any misunderstandings are welcome.

Jang-hwan Kim answered Oct 29 '25 00:10
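An added example, not part of the original answer: a server-side wrapper around the scoped oauth.get_current_user(scope) call that fails closed on token errors and also checks oauth.get_client_id(scope) from the same module, since any application can obtain a token carrying the userinfo.email scope. The allowlisted client ID is a placeholder and FakeOAuth is a constructed stand-in so the block runs outside App Engine.

```python
# Added example (not from the answer). In production pass the real module:
#   from google.appengine.api import oauth; authenticate(oauth)
EMAIL_SCOPE = 'https://www.googleapis.com/auth/userinfo.email'
# Placeholder client ID (constructed); list the OAuth2 clients you issued.
ALLOWED_CLIENT_IDS = frozenset(['example-client.apps.googleusercontent.com'])


def authenticate(oauth_api, scope=EMAIL_SCOPE, allowed=ALLOWED_CLIENT_IDS):
    """Return (http_status, user) for the current request's OAuth2 token."""
    try:
        user = oauth_api.get_current_user(scope)
        client_id = oauth_api.get_client_id(scope)
    except oauth_api.OAuthRequestError:
        return 401, None   # missing, malformed, expired or wrong-scope token
    except oauth_api.OAuthServiceFailureError:
        return 503, None   # OAuth backend unavailable: fail closed
    if client_id not in allowed:
        # Valid Google token, but issued to some other application.
        return 403, None
    return 200, user


class FakeOAuth(object):
    """Constructed stand-in for google.appengine.api.oauth, for offline runs."""
    class Error(Exception):
        pass

    class OAuthRequestError(Error):
        pass

    class OAuthServiceFailureError(Error):
        pass

    def __init__(self, email=None, client_id=None, scopes=()):
        self.email, self.client_id, self.scopes = email, client_id, scopes

    def _check(self, scope):
        if self.email is None or scope not in self.scopes:
            raise self.OAuthRequestError('invalid OAuth token')

    def get_current_user(self, scope=None):
        self._check(scope)
        return self.email   # the real API returns a users.User object

    def get_client_id(self, scope):
        self._check(scope)
        return self.client_id
```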


