 

Use OAuth 2.0 in Google App Engine with Java

I would like to use OAuth 2 for an application in Google App Engine with Java, but I don't find any good example of that use. I would be very thankful if somebody could help me please; it is somewhat frustrating not to find good examples. Thank you.

John B asked Dec 21 '22 00:12


2 Answers

My 2c is avoid oauth2 libraries. Of course opinions may vary, but for me they provide very leaky abstractions, so you end up being dragged into understanding oauth by the back door. For me at least, taking an hour to read the two pages that tell you all you need to know, and carefully avoiding all the others, will get you where you want to be.

In simple terms, the steps are :-

  1. Call the auth URL with your app/client ID and the scopes you require. Include the "email" scope.
  2. Google will walk the user through login, and (if the first time through) authorisation dialogues.
  3. Eventually the browser will redirect back to your oauthcallback url, and pass you an auth code.
  4. Call google to convert the auth code to a refresh token. This will also return the user's google ID and an access token.
  5. Store the user ID in your session so you can identify the user subsequently.
  6. Persist the refresh token alongside the google user id in a database.

On subsequent visits...

  1. If you have the google user id in your session, you can retrieve the refresh token from your database and use it to generate access tokens as you need them.
  2. If you do NOT have the google user id in your session, go through the steps above. This time, google will NOT prompt the user for authorisation (since it's already authorised), and the refresh token will be blank (since you already have one stored).

Everything you need to know is within the oauth playground page. If you click through the buttons, you will see that it is following the steps I outlined above.

You then need to deal with the possible error situations, eg

  • user declines permission
  • user withdraws permission
  • google expired the refresh token (happens a lot) so you need to re-auth
  • timeouts

The two pages you need to read are :- https://developers.google.com/accounts/docs/OAuth2WebServer and the oauth playground at https://developers.google.com/oauthplayground/

Trust me, as long as you know how to form a URL, store a refresh token (it's just a string) and parse a JSON response, then everything you need is on those pages. Except ...

all the documentation skips over the need to preserve the user ID in your session so you know who it is that is accessing your app. If you're on AppEngine, you may be confused by the appengine sample code which uses a separate appengine login. Ignore it. You will be using oauth to authenticate the user so the appengine stuff doesn't apply and is somewhat confusing.

It's actually much simpler than some of the documentation would lead you to believe, and like I said, imho the leaky libraries don't help.

pinoyyid answered Jan 13 '23 03:01
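The flow the answer lays out (steps 1 to 6 plus the repeat-visit rule that the refresh token comes back blank once you hold one), as an added example that is not part of the original post. The question is about Java, but the flow is pure URL-building and JSON handling, so it is shown in Python for brevity; the endpoints are the ones on the OAuth2WebServer page linked below, the `state` nonce is the CSRF check that page recommends, and `exchange_code` is a hypothetical injected callable (it would POST the code to `TOKEN_ENDPOINT`) so the example runs offline:

```python
import base64, json, secrets
from urllib.parse import urlencode, parse_qs

# Google's endpoints as documented on the OAuth2WebServer page.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

def build_auth_url(client_id, redirect_uri, session, scopes=("openid", "email")):
    """Step 1: form the auth URL. 'state' is a per-session nonce the callback
    must echo back; access_type=offline asks Google for a refresh token."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    return AUTH_ENDPOINT + "?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": " ".join(scopes),
        "access_type": "offline", "state": session["oauth_state"]})

def google_id_from_id_token(id_token):
    """The token response's id_token is a JWT whose payload carries the user's
    Google ID in 'sub'. It arrives straight from Google over TLS, which is why
    Google's docs allow using it here without a signature check."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def handle_callback(query, session, token_store, exchange_code):
    """Steps 3-6: validate the redirect, swap the code for tokens, identify the
    user and persist the refresh token. exchange_code(code) is hypothetical:
    it posts to TOKEN_ENDPOINT and returns the parsed JSON response."""
    params = parse_qs(query)
    if "error" in params:                         # user declined permission
        raise PermissionError(params["error"][0])
    if params.get("state", [None])[0] != session.pop("oauth_state", None):
        raise ValueError("state mismatch: callback was not issued for this session")
    tokens = exchange_code(params["code"][0])
    user_id = google_id_from_id_token(tokens["id_token"])
    # First authorisation returns a refresh token; repeat visits return none,
    # so only overwrite the stored token when a new one actually arrives.
    if tokens.get("refresh_token"):
        token_store[user_id] = tokens["refresh_token"]
    elif user_id not in token_store:
        raise RuntimeError("no refresh token returned and none stored; re-authorise")
    session["user_id"] = user_id                  # step 5: identify user later
    return user_id

def fake_id_token(sub):
    """Constructed stand-in for Google's id_token (unsigned, sample data only)."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return seg({"alg": "none"}) + "." + seg({"sub": sub, "email": "user@example.com"}) + ".sig"
```

On a repeat visit the same `handle_callback` runs, finds no `refresh_token` in the response and keeps the stored one, which is the behaviour the answer describes.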


I'm trying to do exactly the same thing and I agree - it is extremely hard to find a good example of this.

I did find this youtube video however and I think it would help: https://www.youtube.com/watch?v=tVIIgcIqoPw.

It's from Google and it is called Getting Started with Google APIs. The last segment of the video deals with authentication.

Simon answered Jan 13 '23 02:01