Configuring use of AppIdentityService on development server

Question

I have an app that currently uses the com.google.appendinge.api.appidentity.AppIdentityService to facilitate authentication & authorization for using the same app's [ie. same account] spreadsheet data via the SpreadsheetService API. Works great in production mode deployed to the GAE environment. But for obvious reasons, it doesn't work (authentication error, no surprise there) running in my development appengine environment.

My question is: is it possible & 'supported' to configure one's local development server to use the necessary key & certificate info to enable the AppIdentityService to work as intended?

I read the article https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app and I understand it to suggest that it is possible but I be mis-understanding key points & would appreciate any feedback pro & con regarding this.

In a perfect world, I'd like my testing env to mimic the production mode as closely as possible. I am also considering using the 'normal' oauth2 web app authentication in my testing env but would prefer sticking with using AppIdentityService if at all possible.

I suspect the com.google.appengine.api.appidentity.dev.LocalAppIdentityService class in the appengine-api-stubs.jar is the intended technique but has anyone else also used this to provide AppIdentityService authentication within a development server? My initial assumption is that replacing the class com.google.appengine.api.appidentity.IAppIdentityServiceFactoryProvider found in com.google.appengine.spi.FactoryProvider to use my own factory class using the above LocalAppIdentityService class. Or am I barking up the wrong tree?

Using GAE SDK 1.8.8 for Java.

Answer 1

When running under the local dev server, the GAE Java App Identity API calls the GoogleCredentials library to retrieve the default application credential.

1. The environment variable GOOGLE_APPLICATION_CREDENTIALS is checked. If this variable is specified it should point to a file that defines the credentials. The simplest way to get a credential for this purpose is to create a service account using the Google Developers Console in the section APIs & Auth, in the sub-section Credentials. Create a service account or choose an existing one and select Generate new JSON key. Set the environment variable to the path of the JSON file downloaded.
2. If you have installed the Google Cloud SDK on your machine and have run the command gcloud auth login, your identity can be used as a proxy to test code calling APIs from that machine.
3. If you are running in Google App Engine production, the built-in service account associated with the application will be used.
4. If you are running in Google Compute Engine production, the built-in service account associated with the virtual machine instance will be used.
5. If none of these conditions is true, an error will occur.

It looks like option #2 is probably easiest for you (run gcloud auth login to have your code use your Google account for authentication when run locally), but you could also do #1.