27

I would like to roll my own login system for my python Google App Engine application (rather than using Google's users api).

I am using webapp2, and I noticed that there is a webapp2_extras.auth module and an incomplete auth tutorial.

Does anyone know how I can use this API to create:

  • User Registration (take an email and password, and perhaps verify email)
  • User Login with email and password

Once I have the email and password, where do I store it? In the AuthStore? And how do I authenticate against the AuthStore?

zzz
  • 2,515
  • 4
  • 28
  • 38
  • You can check this blog post: [User authentication with webapp2 on Google App Engine](http://blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/). It describes the steps you need to take in order to build your own authentication layer by leverage functionalities already included in webapp2. It is an elaboration of the procedure needed to get the code linked in Eric's answer working. (Disclosure: I initially wrote that post in an attempt to fix the lack of documentation) – abahgat Mar 10 '13 at 10:49

2 Answers

4

How and where you store user credentials and information is entirely up to you; the webapp2 module you reference merely provides an interface you must conform to if you want to use its features. An obvious (perhaps the only sensible) choice would be the datastore.

I'd strongly, strongly recommend using the built in OpenID support instead of rolling your own, though. By doing so, you're forcing users to create yet another username and password, and you're taking on a whole set of password storage and security hassles for yourself.

Nick Johnson
  • 100,655
  • 16
  • 128
  • 198
  • 1
    I generally agree with your answer. I actually have already implemented [janrain's social login](http://www.janrain.com/products/engage/social-login) with openID, facebook, google login etc. However, I am concerned there may be a significant percentage of users who are uncomfortable/unfamiliar with openID/social login, and they will not use my site if the only option is to sign in with another account. Do you think my concern is valid? – zzz Oct 04 '11 at 04:17
  • 2
    @EricGustavson It depends entirely on your user base. There are other users who will be uncomfortable with creating new accounts for your site. OpenID and federated signin (eg, facebook's) is getting more and more common, though, so optimizing for these users is a little like optimizing for IE6. – Nick Johnson Oct 04 '11 at 04:47
  • 1
    @NickJohnson - is there a nice way that the built in appengine OpenID support can play nice with facebook? More specifically, do you know of any nice solutions which can leverage built in OpenID for OpenID based login and use facebook's OAuth 2.0 based mechanisms in the case the user wants to use facebook login? (Having looked at it, my impression was that it really was necessary to roll your own authentication mechanism if both OpenID and OAuth were required). – Sean M Oct 04 '11 at 09:57
  • 1
    @Sean Nothing built-in. You can use App Engine's OpenID for providers that support that, and OAuth/something else in conjunction with a sessions library for providers that don't. – Nick Johnson Oct 04 '11 at 10:29
  • 1
    @NickJohnson - Thanks - don't fully get that - will move discussion from here to a more specific q. – Sean M Oct 04 '11 at 11:37
  • I opened this up as another question on the ux stackexchange site: http://ux.stackexchange.com/questions/12300/social-login-adoption-vs-traditional-login – zzz Oct 07 '11 at 15:39
  • It's hard to get excited about OpenID and OAuth when the lead author and editor resigned from the OAuth2 project because it falls far short of expectations: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/ – Brent Washburne Jun 10 '13 at 18:01
  • @BrentWashburne That speaks badly about the OAuth2 standards process - but it doesn't say anything about OAuth 1, let alone OpenID. – Nick Johnson Jun 11 '13 at 16:01
  • The point of OAuth2 was to address the shortcomings of both OAuth 1 and OpenID. While I appreciate the intentions of OAuth 1 and OpenID, they are incomplete. These protocols are still moving targets making them difficult to implement and subject to change. I'll wait for OAuth3.1 (a still fictitious version). – Brent Washburne Jun 11 '13 at 16:31
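To make concrete what the answer leaves to the application (where the credential lives and how it is checked), here is an added example that is not code from the question, the answer, or webapp2 itself: the email is the lookup key, only a salted PBKDF2 hash of the password is stored, and an in-memory dict stands in for the datastore. All names here are invented for the example; in webapp2_extras.auth the corresponding calls are User.create_user and User.get_by_auth_password, and the stored record would be a datastore entity. Written for Python 3 so it runs stand-alone.

```python
import binascii
import hashlib
import hmac
import os

# Stand-in for the App Engine datastore (constructed, in-memory): email -> record.
USERS = {}
ITERATIONS = 100000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. The stored string carries the method, iteration
    count and salt, so a record can be re-checked (and upgraded) later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, binascii.hexlify(salt).decode(), binascii.hexlify(digest).decode())


def check_password(stored, password):
    """Recompute the hash with the stored parameters and compare in constant time."""
    method, iterations, salt_hex, digest_hex = stored.split("$")
    if method != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(binascii.hexlify(digest).decode(), digest_hex)


# Hash checked when the email is unknown, so a miss costs the same time as a hit.
DUMMY_HASH = hash_password("placeholder-not-a-real-password")


def register(email, password):
    """Create the user record; returns (ok, record_or_error). Email is unique."""
    email = email.strip().lower()
    if email in USERS:
        return False, "email already registered"
    if len(password) < 8:
        return False, "password too short"
    USERS[email] = {"email": email, "password_hash": hash_password(password),
                    "verified": False}  # flip after the email verification step
    return True, USERS[email]


def login(email, password):
    """Return the record on success, None otherwise; never say which check failed."""
    record = USERS.get(email.strip().lower())
    if record is None:
        check_password(DUMMY_HASH, password)
        return None
    return record if check_password(record["password_hash"], password) else None
```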
3

New answer to an old question: Anyone looking to add their own authentication and login to webapp2 on Google App Engine should consider Google App Engine Boilerplate.

Signup, login, logout, password reset, federated login (Google, Twitter, Facebook, etc.), user profiles, etc. are implemented.

Technologies leveraged include Python 2.7, NDB, Jinja2, WTForms, unittest, webtest, pyquery, OpenID (Google App Engine), and OAuth2 (for federated login providers that do not support OpenID).

Online demo is here.

kjhughes
  • 106,133
  • 27
  • 181
  • 240