David Chandler's Journal of Java Web and Mobile Development

  • David M. Chandler

    Web app developer since 1994 and Google Cloud Platform Instructor now residing in Colorado. Besides tech, I enjoy landscape photography and share my work at ColoradoPhoto.gallery.

  • Subscribe

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 223 other followers

  • Sleepless Nights…

    August 2011
    S M T W T F S
  • Blog Stats

    • 1,029,897 hits

Archive for August 25th, 2011

Using the GAE App Identity API and OAuth2

Posted by David Chandler on August 25, 2011

One of the challenges of cloud computing is interoperability: how can an application hosted on one cloud service authenticate and communicate with another cloud app or service? Within the enterprise, IT departments often utilize a central identity store like PingFederate from Ping Identity. How to manage identities in the cloud, however?

Google App Engine recently unveiled one solution: the Application Identity API, which provides your app with public key infrastructure managed by Google. Each App Engine app has a unique identity in the form of an email address and public/private key pairs which are rotated every few hours. The API lets your app discover its own identity, obtain the current public keys, and sign an object using the private key. The beauty of the API is that you the developer don’t have to manage the keys at all. Google handles all the PKI, crypto, rotation, and security.

Recently, at the Cloud Identity Summit sponsored by Ping Identity, I presented an example of using the Application Identity API to connect from App Engine to Google Storage as part of a 3-hr workshop on Integrating with the Google Cloud (see slides 149-153). I’ve now published a sample project showing how a GAE app can authenticate to the Google Storage API using OAuth2 and the App Identity API.

How to call Google Storage API from App Engine Java

Let’s say you’ve created a Google Storage account (free within limits) and want to access it from your Java code in App Engine. First, you need to set up your Google Storage account appropriately:

  1. Add your GAE app’s unique ID (aka “robot” email address) to Team in Google APIs Console.
    • to find it, call ApplicationIdentityService.getServiceAccountName() in your GAE app
    • assign write or owner access
    • use in bucket ACLs also
  2. Note your Google Storage project ID (click Google Storage in the left nav of the Google APIs Console)

Now in your Java code, you’ll

  1. Obtain your app’s unique ID with ApplicationIdentityService.getServiceAccountName()
  2. Create a JWT token with issuer ID = your app’s unique ID
  3. Sign it with ApplicationIdentityService.signForApp()
  4. Exchange it for an OAuth token by calling Google’s OAuth endpoint (which, in turn, calls App Engine infrastructure to verify your app’s identity).
  5. Include the OAuth token with each request to Google Storage API

Two different sample projects illustrate how to do this. You might want to start with GoogleStorageImpl.java showing all the low-level calls to create a JWT token and exchange it for an authentication credential.

Once you understand how it works, you can extend AbstractTwoLeggedFlowServlet to handle the token exchange for you. This is the approach I’ve taken in the App Identity Sample with OAuth2 and Google Storage. As an aside, the Maven POM in this project is a good starting point if you’re looking to call Google APIs from Java. There are lots of jars associated with Google APIs Client Library for Java available in Maven Central, and it can be confusing to figure out which ones are really needed.

Note: the sample projects above will only work if you actually deploy the code to App Engine. Google’s OAuth2 endpoint only works with production infrastructure (not your local dev server).

This article is about application identity, but if you’re also interested in user identity, be sure to check out the Google Identity Toolkit, which makes it easy for you to support login to your app from other identity providers (Yahoo, Hotmail, AOL).


Posted in AppEngine | 11 Comments »

%d bloggers like this: