Is it possible to achieve SSO with the built-in OpenID on App Engine? I've been trying to integrate a Marketplace app and get the user logged in when coming from Google Apps (the admin panel or universal navigation). I failed miserably, and then I found this:
"The one exception to this is applications which do hybrid OpenID/OAuth — whitelisting does not currently work with this approach." (from here)
I assume that I have to implement OpenID using a library instead of using the built-in one to achieve SSO with Google Apps in my app? Or if it is possible with the built-in OpenID, is there an example anywhere that shows how to do this?
Later Google posted an article about how to do it in Python:
http://code.google.com/googleapps/marketplace/tutorial_python_gae.html
The summary is:
- You must whitelist your "OpenID realm" (the app domain) in the Marketplace manifest XML.
- The entry point used for the Google's universal navigation must contain the current Google Apps domain.
- The entry point in your app redirects the user, passing the Google Apps domain as federated_identity.
For example:
from google.appengine.api import users
# [...]
# google_apps_domain_name holds the Google Apps domain carried by the entry-point URL
login_url = users.create_login_url(dest_url='http://my-app.appspot.com/',
                                   _auth_domain=None,
                                   federated_identity=google_apps_domain_name)
self.redirect(login_url)
This worked for me in Java:
import java.util.HashSet;
import java.util.Set;
// userService comes from UserServiceFactory.getUserService(); req and resp are the servlet request and response
Set<String> attributesRequest = new HashSet<String>();
String loginRealm = "http://myapp.appspot.com"; // Reminder: must be exactly the same as in application-manifest.xml; watch out for trailing slashes.
String query = req.getQueryString(); // null when there is no query string, so do not append "?null"
String destinationURL = req.getRequestURI() + (query == null ? "" : "?" + query);
String authDomain = null;
String federatedIdentity = req.getParameter("hd"); // hd is the default parameter name; it contains the Google Apps domain of the user logging on, e.g. example.com
// Signature is createLoginURL(destinationURL, authDomain, federatedIdentity, attributesRequest): the Apps domain is passed as federatedIdentity
String loginUrl = userService.createLoginURL(destinationURL, authDomain, federatedIdentity, attributesRequest);
resp.sendRedirect(loginUrl);
Make sure to include
<Edition id="free">
    <Name>Cloud App Studio</Name>
    <Extension ref="navLink" />
    <Extension ref="realm" />
</Edition>
in the application-manifest.xml. That is, if it's free. The important part is to include the ref to realm.
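A worked version of the entry-point logic from the Python and Java answers above, as an added example that is not code from the question or either answer. It assumes the entry point receives the Google Apps domain in an hd query parameter (the name used in the Java answer) and that realm is the URL whitelisted in the Marketplace manifest; users.create_login_url is passed in as an argument, with a constructed stand-in used here, so the checks run without the App Engine SDK.

```python
import re
from urllib.parse import urlsplit

# A bare hostname built from RFC 1123 labels, which is what a Google Apps domain is.
_DOMAIN_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def apps_domain_from_request(params):
    """Return the Google Apps domain passed by universal navigation in the
    hd query parameter (assumed name), lower-cased, or None if it is missing
    or is not a bare hostname. federated_identity also accepts full OpenID
    identifiers, so anything else must not be forwarded to the login step."""
    value = (params.get("hd") or "").strip().lower()
    if len(value) > 253 or not _DOMAIN_RE.match(value):
        return None
    return value


def stays_in_realm(dest_url, realm):
    """True if the post-login destination is on the realm's own scheme and
    host; realm is the URL whitelisted in the Marketplace manifest."""
    d, r = urlsplit(dest_url), urlsplit(realm.rstrip("/"))
    return (d.scheme, d.netloc) == (r.scheme, r.netloc)


def build_login_redirect(params, dest_url, realm, create_login_url):
    """Return the login URL the entry point should redirect to, or None to
    refuse. In a real handler create_login_url is users.create_login_url
    from google.appengine.api; it is injected so this runs without the SDK."""
    domain = apps_domain_from_request(params)
    if domain is None or not stays_in_realm(dest_url, realm):
        return None
    # The Apps domain goes in federated_identity, not _auth_domain: that is what
    # makes the built-in login use that domain's Google Apps OpenID provider.
    return create_login_url(dest_url=dest_url, _auth_domain=None,
                            federated_identity=domain)


def fake_create_login_url(dest_url, _auth_domain, federated_identity):
    """Constructed stand-in for users.create_login_url so the example runs
    offline: records the arguments instead of building the real login URL."""
    return {"dest_url": dest_url, "_auth_domain": _auth_domain,
            "federated_identity": federated_identity}


if __name__ == "__main__":
    print(build_login_redirect({"hd": "example.com"}, "http://my-app.appspot.com/",
                               "http://my-app.appspot.com", fake_create_login_url))
```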
Err, I haven't got the full scoop on this feature, but I do use JanRain Engage (which Stack Overflow uses) with GAE apps. I think openid4java could do the job as well.
You didn't specify which language you are using. If it is Java, there is a Google library for OpenID+OAuth:
http://code.google.com/p/step2/
Did you already know this link?
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
UserService userService = UserServiceFactory.getUserService();
if (userService.isUserLoggedIn()) {
    User user = userService.getCurrentUser();
    /* ...Do something with user.getFederatedIdentity(), which is the OpenID URL. */
}