Geek Answers Handbook

Migrating users from Google App Engine to Google OpenID

A few months ago, I quit Google App Engine. But I still rely on this for authentication, because my users are identified by their user_id attribute in GAE.

To this end, my (now external) applications redirect the user to the Google App Engine application using an encrypted, signed and temporary login request. The GAE application then logs in using the Users GAE service. After successfully logging in to the GAE system, the user is redirected again using an encrypted, signed and timestamped response to the external application. A rudimentary implementation can be found here and here . As you can see, this is very thorough and relies on a heavy cryptograph, which leads to poor performance.

My external applications, in this case Django applications, store user_id in the password field of the user table. Besides user_id, I only get the email address from GAE to store the username and email in Django.

Now I would like to remove the dependency on the GAE service. The first approach that comes to mind probably is to send an email to each user asking them to set a new password, and then do my own authentication using Django.

I would prefer a solution based on the Google OpenID service, so that in fact there is no difference for the user. This is also preferable because I still need to send the user to Google to get AuthSub tokens for the Google Calendar API.

The problem is that I could not find a way to get the GAE user_id attribute of this Google account without using GAE. OpenID and all other authentication protocols use different identifiers.

So now the question is: does Google provide any API that I could use for this purpose that I have not seen? Are there any other possible solutions or ideas on how to migrate user accounts?

Thanks in advance!

+7
source share
4 answers

The best way to do this is to show users an "interstitial" transition that redirects them to the Google OpenID provider and prompts them to log in. Once they are signed in both places, you can map the two accounts and allow them to log into OpenID in the future.

+2
source

AFAIK, the only common identifier between Google Accounts and Google OpenID is email.

  • Receive email when a user logs into a Google Account through the current gae setup. Use User.email() . Save this email with your user data.

  • When you have emails of all (most) users, switch to Google OpenID. When a user logs in, get an email address and find that user in the database.

+1
source

Why don't you try the hybrid approach:

  • Switch to OpenId
  • If your application already knows userId, you are done
  • If you do not ask the user if he has an account for migration
  • If yes, log in with old mechansim and ttransfer acount
  • If you do not create a new account
+1
source

Google has a unique identifier that is returned as a parameter with a successful OpenID authentication request - * openid.claimed_id *. If you switch to using OpenID, you can change the user_id for this parameter when you first log on to the system using the new method without the user noticing anything in their logon experience.

The documentation for the authentication process is described here . I would recommend using the OpenID + OAuth hybrid approach so that you can associate the request token with this identifier, and then, after returning, make sure openid.claimed_id matches your original request marker.

0
source

More articles:


All Articles