David Chandler's Journal of Java Web and Mobile Development


Using the GAE App Identity API and OAuth2

Posted by David Chandler on August 25, 2011

One of the challenges of cloud computing is interoperability: how can an application hosted on one cloud service authenticate and communicate with another cloud app or service? Within the enterprise, IT departments often rely on a central identity store such as PingFederate from Ping Identity. But how should identities be managed in the cloud?

Google App Engine recently unveiled one solution: the Application Identity API, which provides your app with public key infrastructure managed by Google. Each App Engine app has a unique identity in the form of an email address and public/private key pairs which are rotated every few hours. The API lets your app discover its own identity, obtain the current public keys, and sign an object using the private key. The beauty of the API is that you the developer don’t have to manage the keys at all. Google handles all the PKI, crypto, rotation, and security.

Recently, at the Cloud Identity Summit sponsored by Ping Identity, I presented an example of using the Application Identity API to connect from App Engine to Google Storage as part of a 3-hr workshop on Integrating with the Google Cloud (see slides 149-153). I’ve now published a sample project showing how a GAE app can authenticate to the Google Storage API using OAuth2 and the App Identity API.

How to call Google Storage API from App Engine Java

Let’s say you’ve created a Google Storage account (free within limits) and want to access it from your Java code in App Engine. First, you need to set up your Google Storage account appropriately:

  1. Add your GAE app’s unique ID (aka “robot” email address) to Team in Google APIs Console.
    • to find it, call ApplicationIdentityService.getServiceAccountName() in your GAE app
    • assign write or owner access
    • use in bucket ACLs also
  2. Note your Google Storage project ID (click Google Storage in the left nav of the Google APIs Console)

Now in your Java code, you’ll

  1. Obtain your app’s unique ID with ApplicationIdentityService.getServiceAccountName()
  2. Create a JWT token with issuer ID = your app’s unique ID
  3. Sign it with ApplicationIdentityService.signForApp()
  4. Exchange it for an OAuth token by calling Google’s OAuth endpoint (which, in turn, calls App Engine infrastructure to verify your app’s identity).
  5. Include the OAuth token with each request to Google Storage API
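The five steps carried through in one class, as an added example rather than code from the post's sample projects. It assumes the App Engine SDK class AppIdentityService (the post calls it ApplicationIdentityService), a Java 11 runtime (for readAllBytes), the devstorage.read_write scope, and a hypothetical bucket/object name supplied by the caller; like the samples, it only works once deployed, because the dev server has no app identity.

```java
import com.google.appengine.api.appidentity.AppIdentityService;
import com.google.appengine.api.appidentity.AppIdentityServiceFactory;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.*;

/** Steps 1-5: JWT built from the app identity, signed by App Engine, exchanged for an access token. */
public class AppIdentityTokenExchange {
  private static final String TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token";
  private static final String STORAGE_SCOPE = "https://www.googleapis.com/auth/devstorage.read_write";

  /** Returns a bearer token for Google Storage; requires a deployed app (no dev-server identity). */
  public static String fetchAccessToken() throws IOException {
    AppIdentityService identity = AppIdentityServiceFactory.getAppIdentityService();
    String issuer = identity.getServiceAccountName();          // step 1: the app's "robot" email
    long now = System.currentTimeMillis() / 1000L;
    String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
    String claims = String.format(                             // step 2: iss = app identity, exp <= iat + 1h
        "{\"iss\":\"%s\",\"scope\":\"%s\",\"aud\":\"%s\",\"exp\":%d,\"iat\":%d}",
        issuer, STORAGE_SCOPE, TOKEN_ENDPOINT, now + 3600, now);
    String signingInput = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
        + b64url(claims.getBytes(StandardCharsets.UTF_8));
    // step 3: App Engine signs with the current (rotated) private key; the key never leaves Google
    byte[] sig = identity.signForApp(signingInput.getBytes(StandardCharsets.UTF_8)).getSignature();
    String assertion = signingInput + "." + b64url(sig);

    // step 4: exchange the signed assertion for an OAuth2 access token (jwt-bearer grant)
    HttpURLConnection conn = (HttpURLConnection) new URL(TOKEN_ENDPOINT).openConnection();
    conn.setRequestMethod("POST");
    conn.setDoOutput(true);
    conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
    String body = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + assertion;
    try (OutputStream out = conn.getOutputStream()) { out.write(body.getBytes(StandardCharsets.UTF_8)); }
    if (conn.getResponseCode() != 200) throw new IOException("token exchange failed: HTTP " + conn.getResponseCode());
    String json = new String(conn.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
    Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(json); // minimal JSON pick
    if (!m.find()) throw new IOException("no access_token in token response");
    return m.group(1);
  }

  /** Step 5: GET of gs://bucket/object with the token carried as a bearer header (names are caller-supplied). */
  public static HttpURLConnection storageGet(String token, String bucket, String object) throws IOException {
    HttpURLConnection conn = (HttpURLConnection) new URL("https://storage.googleapis.com/" + bucket + "/" + object).openConnection();
    conn.setRequestProperty("Authorization", "Bearer " + token);
    return conn;
  }

  private static String b64url(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
}
```

The access token is short-lived, so cache it per instance and re-run fetchAccessToken() on a 401 rather than once per request.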

Two different sample projects illustrate how to do this. You might want to start with GoogleStorageImpl.java showing all the low-level calls to create a JWT token and exchange it for an authentication credential.

Once you understand how it works, you can extend AbstractTwoLeggedFlowServlet to handle the token exchange for you. This is the approach I’ve taken in the App Identity Sample with OAuth2 and Google Storage. As an aside, the Maven POM in this project is a good starting point if you’re looking to call Google APIs from Java. There are lots of jars associated with Google APIs Client Library for Java available in Maven Central, and it can be confusing to figure out which ones are really needed.

Note: the sample projects above will only work if you actually deploy the code to App Engine. Google’s OAuth2 endpoint only works with production infrastructure (not your local dev server).

This article is about application identity, but if you’re also interested in user identity, be sure to check out the Google Identity Toolkit, which makes it easy for you to support login to your app from other identity providers (Yahoo, Hotmail, AOL).


11 Responses to “Using the GAE App Identity API and OAuth2”

  2. Hi David,

    First of all, nice post!
    I have a question, maybe you can help me.
    I have a gae application which exposes a rest api. How can I “protect” this API with OAuth2?
    Any example you can point me to?

    thanks in advance

  3. Update: App Engine for Java now has a File API for Google Cloud Storage which eliminates the need for direct HTTP calls with OAuth as shown here. http://googlecode.blogspot.com/2012/01/google-cloud-storage-concurrency.html

  4. José Rose said

    Thank you very much for your blog posts. Google’s APIs are being added just in time for me to use them.

    I’m trying to use Google Calendar API through an app deployed on GAE (to store events managed by the app). This post explains pretty much everything and hope I can get it to work.

    I have a question though, you said: “Note: the sample projects above will only work if you actually deploy the code to App Engine. Google’s OAuth2 endpoint only works with production infrastructure (not your local dev server).”

    How will this behave in hosted mode? Do I need to check if my app is being run from my local host?

    Thank you for your great work!

    • Thanks, José. As far as I know, you won’t be able to hit the real calendar API using OAuth while running in hosted mode because the GAE dev server doesn’t simulate the Application Identity API.

  5. Update Mar 20, 2012: The App Engine capabilities described in this article have now been generalized as Service Accounts and can be used with many Google APIs independently of App Engine. http://googledevelopers.blogspot.com/2012/03/service-accounts-have-arrived.html

    • Kristofer Johansson said

      Is it possible to use the App Identity to access the Calendar API? When I attempt to post to a calendar using the service account’s OAuth-token I get the error: “The user must be signed up for Google Calendar.”
      Well, I can’t really sign the service-account up as a calendar user, can I??
      Is there another way?


      • Hi Kristofer,

        No, the App Identity API won’t help with Calendar because it requires user authorization. Have a look at http://code.google.com/apis/gdata/docs/auth/oauth.html#Examples.

      • Kristofer Johansson said

        OK, then I can stop trying this way.
        Thanks for the link, I’ve read it before but I’m not very good at this stuff yet so I’m not really sure what to make of it.
        I realize this is a little off topic but I’ve been messing with this for like 30 hours now and still have gotten nowhere.
        My problem in short:
        I have an App Engine app that posts events into a Google Calendar via the Calendar API (using the oauth2decorator). It works exactly as I want it to as long as I’m signed in as the calendar creator, BUT I would like it to work the same way whether signed in or not (totally public, no auth whatsoever). The simple question: Is that possible, somehow?
        Any ideas?

        Thank you for your time!
