We are starting to move our self-hosted internal services to the cloud. We've migrated some services to Google apps, but we have several application we developed ourselves that we would like to move to Heroku.
When we hosted them ourselves, authentication wasn't a problem, since being on network (physically or through VPN) was proof enough. Now that we're moving them to the big bad internet, we need some sort of login. Since all of us have google accounts, it makes sense to use them for that.
We've played with the Google OpenID option, however, this doesn't give you any information beyond the name and e-mail address, which we would then have to look up in the provisioning API, to check if that e-mail address belongs to a user we know of. That seems the wrong way to do it. Also, I'm not 100% sure that you cannot add any email address to any Google account.
I've read everything about the Google Auth APIs, but that seems to be about giving access to Google services, not our own.
So, is there a way to do Authorization (not just SSO/Authentication) with our Google Apps accounts?
