Google App Engine: Endpoints authentication when custom auth or Open ID is used

I recently got started with Google App Engine. I intend to use Flask to serve web pages and the Endpoints API, preferably with the Endpoints-Proto-Datastore for everything else.

From the beginning, non-Google Authentication mechanisms on GAE seem like they need some work. I'd appreciate any light shed on issues I've found so far:

Custom Authentication

If you can write an Open ID provider as part of the app, use something like Python-OpenID and also implement a consumer in the same workflow so it appears like regular login. This way it integrates nicely into what the GAE Users API provides. I'm guessing if this is done right, users.get_current_user() will work just fine.

If you want to skip writing your own OpenID provider and instead write an email/password auth system using Flask-Login integrating with NDB, that should be alright too. However, one puzzling bit of info in the GAE documentation says I can instantiate a user object like so:

user = users.User("[email protected]")

However (there is no user.put() method here), users.get_current_user() still returns None. So what would the use of constructing the user object ever be?

Endpoints Authorization

On including a user=required in the method decorator for an Endpoint-Proto-Datastore rolled API, OAuth seems to work right away - all you have to do while testing it in the APIs explorer is to turn on the OAuth 2.0 switch and pick a valid OAuth 2.0 scope. So does that mean that if we implement an OpenID provider that integrates with the Users API correctly, it won't be sufficient to use the OAuth magic of Endpoints API?

Here too, it seems like constructing a user object will not help satisfy the authentication requirement.

How would custom authentication / another OpenID implementation work with Endpoint API authentication/authorization?

The Machinist asked Jun 17 '13 20:06


1 Answer

I wanted to not use OAuth, but a simpler form of Authentication with user/token.

So what I've done is create a custom ServletFilter that maps to /_ah/spi/* and intercepts login information from the HTTPServletRequest there, if it is an Endpoint-API-Request.

Seems to work thus far, but I am not really sure if that is the way to go. But as I've found no examples for non-OAuth auth anywhere, that's currently my best shot.

Would love to get some best practice hints from @bossylobster or @Dan Holevoet.

icyerasor answered Nov 13 '22 23:11
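The filter approach described in the answer above, written out as an added example (this is not the answerer's code and not part of the original thread). It assumes the user and token arrive in two request headers (X-App-User and X-App-Token are made-up names), that the filter is mapped to /_ah/spi/* in web.xml, and that the token store is an in-memory map constructed here for illustration; a real app would look the stored hash up in Datastore. The point worth copying is the shape: authenticate before the Endpoints method runs, compare hashes in constant time, and answer 401 without echoing anything the client sent.

```java
// Added example, not from the original post: a servlet filter for /_ah/spi/*
// that checks a user/token pair before an Endpoints backend method executes.
// Header names, the token store and the attribute name are assumptions.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TokenAuthFilter implements Filter {
    // Assumed header names; the answer does not say how the token is carried.
    static final String USER_HEADER = "X-App-User";
    static final String TOKEN_HEADER = "X-App-Token";

    // Constructed in-memory store for illustration: user -> SHA-256(token) bytes.
    // Only the hash is stored, so a leaked store does not leak usable tokens.
    private static final Map<String, byte[]> TOKEN_HASHES = new ConcurrentHashMap<>();

    static {
        // Constructed sample credential, not a real token.
        TOKEN_HASHES.put("alice", sha256("example-token-for-alice"));
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String user = request.getHeader(USER_HEADER);
        String token = request.getHeader(TOKEN_HEADER);

        if (!isValid(user, token)) {
            // Stop the chain here so the Endpoints method never runs unauthenticated.
            // Do not include the presented token or user in the response body.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Hand the authenticated identity to the backend method via a request attribute.
        request.setAttribute("authenticatedUser", user);
        chain.doFilter(req, res);
    }

    // Returns true only when the user exists and the token hash matches.
    static boolean isValid(String user, String token) {
        if (user == null || token == null) {
            return false;
        }
        byte[] expected = TOKEN_HASHES.get(user);
        if (expected == null) {
            return false;
        }
        // MessageDigest.isEqual compares in constant time, so a wrong token
        // does not reveal how many leading bytes matched.
        return MessageDigest.isEqual(expected, sha256(token));
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the JVM spec", e);
        }
    }
}
```

Register it in web.xml with a `<filter-mapping>` whose `<url-pattern>` is `/_ah/spi/*`, which is the path the answer intercepts. Plain SHA-256 is adequate only because the stored value is a long random token; if the secret were a user-chosen password, the hash would need to be a deliberately slow one (bcrypt, scrypt, PBKDF2) instead.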