Easy way to authenticate POST requests from a Google Android client to Google App Engine?

Question

I'd like to be able to send a POST request from an Android app to App Engine and have it linked to the user's Google account. I read that you need to obtain an authentication token and send it with the POST request. Does Android provide a way to request this token? And how would GAE process it?

I feel like this should be easy and I'm missing something obvious.

Thanks!

Answer 1

See my blog post on how to authenticate with an App Engine app using credentials stored in the phone.

It is possible to authenticate users programmatically. In the Python SDK, the appengine_rpc module performs this function. In a nutshell, the procedure is this:

1. Use ClientLogin to get a one-use authentication token given the user's username and password.
2. Make a POST request to yourapp.appspot.com/_ah/login, with the arguments continue=http://localhost/&auth=authtoken (where authtoken is the one-use token you got from step 1).
3. Intercept the 302 response returned and capture the returned Google cookie.
4. Supply the cookie on all subsequent requests.

For excruciating detail, see the source of appengine_rpc.py, linked above.

Answer 2

As of Android 2.0, you can use AccountManager to request an auth token for accounts of type com.google. You can then authenticate the user to an App Engine app by hitting the url:

http://[yourapp].appspot.com/_ah/login?auth=[theauthtoken]

The cookies set in the response can be piggybacked onto future requests to your app to authenticate the user against your app.

In the absence of sample code that does exactly this, you can check out the Sample Sync Adapter code (bundled with the SDK) for a general idea about requesting auth tokens.

---

EDIT: Just realized Nick wrote about the second part, but the AccountManager#getAuthToken bit is new as of Android 2.0.