How can I use a mix of Appengine's OpenID and facebook OAuth for authentication on AppEngine?

6
votes

Appengine supports federated login in which arbitrary OpenID providers can be added to the list of parties who can authenticate a user. However, some organizations - notably facebook - don't support OpenID. How is it possible to combine the OpenID support provided with GAE with mechanisms that can support OAuth or other login mechanisms?

More details (GAE Python assumed)...

My understanding of the way the OpenID mechanism is intended to work is as follows:

  • I choose Federated Login from my app's configuration options
  • This allows me to easily add OpenID providers through the create_login_url mechanism
  • There is some Google session management used to track the authenticated user
  • I control access to resources using login: required in my app.yaml
    • The session management will check if the user is authenticated before allowing access to these resources

The issue that I have is that I can't see how this approach fits with facebook's OAuth - if the resources are access controlled by Google (per app.yaml), where is it possible to insert facebook authentication?

Notes:

  • I know that OpenID and OAuth are different - I am only interested in using facebook for authentication right now
  • I'm sure there are quite a few different ways to deal with this - I'm just wondering if there is some standard approach/best practice
2
pythonfacebookgoogle-app-engineopenid

2 Answers

4
votes

I've done a little bit of digging on this and my conclusion is that it is not possible to integrate the standard Appengine authentication mechanisms (ie those provided 'for free' with Appengine) with facebook's OAuth. More specifically, the app.yaml login controls can only relate to Google's standard mechanisms and there is no way to extend them to incorporate facebook OAuth. The reason for this is that Google's standard mechanisms control the sessions and there is no mechanism to add new session controls which are recognized by the app.yaml login controls.

It is, of course, possible to integrate Google Accounts and other login mechanisms with facebook's OAuth on Appengine, but to do this you need to replicate some of the functionality that Google provide in their standard authentication mechanisms (session mgmt specifically).

I've put up a more general question comparing the different social authentication options possible with Appengine as I think it's interesting/useful, but slightly out of scope in this question: it's here

2
votes

You could have a look at the Tipfy framework which has a Facebook authentication extension that would allow your users to use their Facebook login to authenticate.