 

Securing RESTful API in Google App Engine

I'm trying to figure out how to implement the following authentication flow:

  1. The user accesses a web application (most likely to be written using Ruby on Rails) and authenticates (e.g., username/password).
  2. The client consumes data via AJAX provided by a RESTful API built on Google App Engine (Python, webapp2).


Requirements:

  1. Only users authenticated in the web application (Rails) should be able to access the API hosted on App Engine.
  2. Users can have different roles in the web application (Rails), and the API (App Engine) needs to know what roles are associated with the given user to restrict access to certain data.
  3. The client should be able to call the API (App Engine) directly via AJAX, without routing all requests through the web application (Rails).

I'm looking for suggestions on how to implement such a workflow. Should I use OAuth (or OAuth2) for accessing the API? Should the OAuth provider live on App Engine and the web application (Rails) ask the API for a token on behalf of the user? If so, what is the best way to allow only the web application (Rails) to request OAuth tokens? Or should I consider a completely different strategy?

Any suggestions are greatly appreciated. I'm also looking for suggestions of libraries to implement OAuth in the context above.

Leo asked Jul 24 '12 10:07
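One way to meet the three requirements without standing up an OAuth provider, added here as an example and not code from the question, the answer, or the Rails or App Engine projects: after login the web application mints a short-lived HMAC-signed bearer token carrying the user id and roles, hands it to the browser, and the App Engine API verifies it on every AJAX call with the same shared secret. Both sides are written in Python so they fit one runnable file; the Rails side would build the identical token with OpenSSL::HMAC. The token layout, the claim names (sub, roles, exp, iat), the SECRET value and TOKEN_TTL_SECONDS are assumptions for illustration.

```python
"""Shared-secret bearer tokens between a web app and a separate API.

Added example, not code from the original question or answer. The
token format and the SECRET below are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed shared secret known only to the web app and the API (in practice
# a random value of 32+ bytes kept in configuration, never sent to browsers).
SECRET = b"example-shared-secret-replace-me"
TOKEN_TTL_SECONDS = 15 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding stripped by _b64url; bad input raises ValueError.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, roles, now=None, secret=SECRET) -> str:
    """Web-app side: base64url(payload) + "." + base64url(HMAC-SHA256(payload)).

    Only a holder of `secret` can produce a valid signature, so only the
    web application can mint tokens (requirement 1). Roles travel inside
    the signed payload (requirement 2).
    """
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "roles": sorted(roles),
              "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)


def verify_token(token: str, now=None, secret=SECRET):
    """API side: return the claims dict, or None if the token is malformed,
    forged, tampered with, or expired.

    The MAC is checked before the JSON is parsed, so unauthenticated input
    never reaches the parser, and the comparison is constant-time.
    """
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


def authorize(token: str, required_role: str, now=None) -> bool:
    """What an App Engine request handler would call, with the token taken
    from the Authorization: Bearer header, before returning data that is
    restricted to `required_role`."""
    claims = verify_token(token, now=now)
    return claims is not None and required_role in claims.get("roles", [])


if __name__ == "__main__":
    tok = issue_token("user42", ["viewer"])
    print("viewer allowed:", authorize(tok, "viewer"))   # True
    print("admin allowed: ", authorize(tok, "admin"))    # False
```

The browser calls App Engine directly with the token in an `Authorization: Bearer` header over HTTPS (requirement 3), which also means the API must answer CORS preflight requests for the Rails origin. Splicing the payload of one token onto the signature of another, or signing with any key other than the shared secret, fails the `compare_digest` check. If tokens must be revocable before they expire, or if more than these two parties need to mint them, a stateless signed token stops being enough and a server-side session lookup or a proper OAuth2 authorization server is the next step.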




1 Answer

I suggest you use caution if you are considering implementing an API built on the Google App Engine using OAuth for your security layer. I am currently involved in a project that is struggling to solve exactly this problem. The OAuth layer over the GAE is still new and considered by Google to be "experimental". Google's documentation is minimal at this point. What there is begins here. I wish you the best if you try to proceed, and I will do my best to offer help if you do.

Drew Stoddard answered Sep 30 '22 00:09