I'm using a very simple GAE instance from a Greasemonkey script. This has worked fine for the last few months, but now a path is appended to the final 'continue' location, which breaks the login process for me.
The basic workflow, under the assumption that the user is logged into his Google Account, but his token for the GAE instance has timed out:
- User opens page A with the GM script installed.
- The GM script runs and tries to access the GAE instance with a GM_xmlhttpRequest().
- The GAE instance returns "login_needed|<loginurl>". The GM script extracts the loginurl and sets window.location to it.
- The user is redirected to the loginurl and eventually back to A. However, this time, actual data is returned by the GM_xmlhttpRequest().
The last step no longer works, as the user is now redirected to the loginurl plus an extra path, which gives a 404 on the target site.
The GAE code is just about half a screen of code. The authentication relevant code is this:
```python
# Inside the request handler's get(): if nobody is signed in, tell the
# GM script where to send the user, with the caller's 'uri' as the continue URL.
if not users.get_current_user():
    self.response.headers['Content-Type'] = 'text/plain'
    self.response.out.write('login_needed|' + users.create_login_url(self.request.get('uri')))
```
The sequence of requests is as follows, all caused by redirects:
- GET https://mygaeinstance.appspot.com/?uri=https://targetsite.com/
- GET https://www.google.com/accounts/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://targetsite.com/&ltmpl=gm&ahname=MyGAEInstance&sig=<some sig>
- GET https://appengine.google.com/_ah/conflogin?continue=https%3A%2F%2Ftargetsite.com%2F&pli=1&auth=<some base64 auth token>
- GET https://targetsite.com/_ah/conflogin?state=<some base64 state>
targetsite.com doesn't like that path, and as you can see, it wasn't in the initial 'continue' argument passed to appengine.google.com, which was just "https://targetsite.com/". What did I do wrong, and how can I fix this?
This redirect is caused by an expired auth token. To make it work again, you need to invalidate the token on the client, as described here: What is the proper URL to get an Auth Cookie from a GAE based Application
A recent change to our login flow for App Engine has created an issue whereby a login with a continue URL that's outside the app's own domain will result in an erroneous redirect such as the one you're observing.
We're working on fixing this. In the meantime, a workaround is to set up a redirect handler on your own app. Make that the target of the continue parameter, and have it send a final redirect to your actual target.
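The workaround in the answer above, as an added example that is not part of the question or either answer: the app passes a same-domain bounce URL as the continue argument instead of the external target, and a handler on that path issues the final redirect. The host name mygaeinstance.appspot.com, the /bounce path, and the ALLOWED_TARGET_HOSTS allowlist are assumptions; the 'uri' parameter name is the one the question's handler already uses. The App Engine users API is not imported so the code runs offline; users.create_login_url is passed in as a callable where it would be used.

```python
"""Same-domain bounce handler for an App Engine login flow (added example).

Assumptions, not taken from the page: the app is served at APP_HOST, the
bounce handler lives at BOUNCE_PATH, the external target arrives in the
'uri' query parameter, and ALLOWED_TARGET_HOSTS is the allowlist of hosts
the app is willing to send the browser to.
"""
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

APP_HOST = "mygaeinstance.appspot.com"      # assumption
BOUNCE_PATH = "/bounce"                      # assumption
ALLOWED_TARGET_HOSTS = {"targetsite.com"}    # assumption: allowlisted targets


def make_bounce_url(target):
    """Build the same-domain URL that the login flow should continue to.

    The external target is carried as a query parameter, so the 'continue'
    argument handed to App Engine never leaves the app's own domain.
    """
    query = urlencode({"uri": target})
    return urlunparse(("https", APP_HOST, BOUNCE_PATH, "", query, ""))


def login_needed_body(target, create_login_url):
    """Body for the 'login_needed|<loginurl>' response.

    create_login_url stands in for users.create_login_url; it receives the
    bounce URL rather than the external target.
    """
    return "login_needed|" + create_login_url(make_bounce_url(target))


def resolve_bounce(request_url):
    """Handler side: decide where the bounce handler redirects.

    Returns (302, location) for an https target on an allowlisted host and
    (400, None) otherwise, so the handler cannot be abused as an open
    redirect (the 'uri' value is attacker-controllable).
    """
    params = parse_qs(urlparse(request_url).query)
    target = params.get("uri", [None])[0]
    if not target:
        return 400, None
    parsed = urlparse(target)
    # netloc includes any userinfo/port, so 'targetsite.com@evil.example'
    # or a scheme-relative '//evil.example' does not pass the allowlist.
    if parsed.scheme != "https" or parsed.netloc not in ALLOWED_TARGET_HOSTS:
        return 400, None
    return 302, target


if __name__ == "__main__":
    bounce = make_bounce_url("https://targetsite.com/")
    print(login_needed_body("https://targetsite.com/", lambda c: "LOGIN?continue=" + c))
    print(resolve_bounce(bounce))
    print(resolve_bounce("https://mygaeinstance.appspot.com/bounce?uri=https%3A%2F%2Fevil.example%2F"))
```

In the real handler, resolve_bounce would be called from the get() method of the class mounted at /bounce, with self.request.url as its argument, and a 302 result turned into self.redirect(location). The allowlist is the part not to skip: without it, the bounce handler is a generic open redirect on a Google-owned domain.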