
I'm writing an application on GAE that is exposing a RESTlike API to a fixed number of remote servers which may be using any OS/software. At the moment I'm pondering how to identify and authenticate these remote servers painlessly.
I'm trying to avoid having to program too much of this myself for obvious security concerns.

If I were on Apache or nginx I'd use SSL client certificates and let the clients use whatever they want to contact the API: curl, a web app, whatever.
I understand that, at this time, GAE doesn't support checking client certificates this way.

Is there any other way to do this in GAE with Py2.7?
If this is not possible or a very big hassle, can anyone point me to another good way to identify and authenticate remote servers in a situation like this?

I can only post two of the links I checked:
https://groups.google.com/forum/?fromgroups=#!topic/google-appengine-python/c5PHMrAMAcI
https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app
plus much more over the last few days. I found some questions which are similar to mine, but none with a satisfying answer, to me at least.

  • there's an oauth2 module you can drop right in, but I've not quite got my head around it yet myself. – Paul Collingwood Nov 08 '12 at 10:18
  • Jep, true, using OAuth already. But that's for identifying and authenticating _Users_ my service may not even know yet, id and auth through Facebook or Twitter or such. For identifying and authenticating fixed remote machines it's not the right thing, as I understand OAuth. – Carsten Germer Nov 08 '12 at 14:27
  • The example I've been working through uses OAuth to authenticate your application so it can access another application's services. Have a look at this https://developers.google.com/prediction/docs/libraries it has a full write up. Perhaps not suitable, but it does seem OA can be used for more than users. – Paul Collingwood Nov 08 '12 at 14:31
  • Paul, found this http://stackoverflow.com/questions/776679/using-oauth-for-server-to-server-authentication and will have a look into OAuth 2-legged. But still looking for something that's handled outside of my code, like Apache or Nginx client certificate authentication. – Carsten Germer Nov 08 '12 at 14:37
  • OAuth2 two-legged http://architects.dzone.com/articles/2-legged-oauth-oauth-10-and-20 but I can't find any examples or articles for GAE. _Plus_, and that's the crux, it seems very complicated, I would rather not use it - risk of opening vulnerabilities with self-written code. – Carsten Germer Nov 08 '12 at 15:06
  • good luck. Last link that may be of interest: https://developers.google.com/api-client-library/python/guide/aaa_oauth and http://google-api-python-client.googlecode.com/hg/docs/epy/oauth2client-module.html – Paul Collingwood Nov 08 '12 at 15:09
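As an added example (not part of the original question or its comments), this is what the "2-legged OAuth" style signed-request scheme discussed above amounts to when written by hand with only the standard library: each remote server is identified by a client ID, authenticated by an HMAC over the method, path, timestamp, nonce and body hash using a per-server shared secret, and protected against replay by a freshness window plus a nonce cache. The client IDs, secrets, header names and the 300-second window are assumptions; the in-memory nonce dict stands in for memcache or the datastore on GAE. It uses only calls that exist in both Python 2.7 and Python 3.

```python
import hashlib
import hmac
import time

# Constructed per-server shared secrets keyed by client ID (assumed values;
# a real deployment would load these from the datastore or config).
CLIENT_SECRETS = {
    "server-a": b"4a6f2c9e1b8d3f7a5c0e2b9d4f6a8c1e",
    "server-b": b"9d1e5b7a3c0f2e8b6d4a1c9f7e5b3d2a",
}

MAX_SKEW_SECONDS = 300  # assumed freshness window around the client's timestamp


def _string_to_sign(method, path, timestamp, nonce, body):
    # Canonical string binding every authenticated field; changing any of them
    # (or the body, via its hash) invalidates the MAC.
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [method.upper(), path, str(timestamp), nonce, body_hash]
    return "\n".join(parts).encode("utf-8")


def sign_request(client_id, secret, method, path, body, timestamp, nonce):
    """Client side: headers the remote server attaches to its request."""
    msg = _string_to_sign(method, path, timestamp, nonce, body)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Client-Id": client_id,   # identification
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": mac,         # authentication
    }


class RequestVerifier(object):
    """Server side: checks identity, freshness, replay and signature, in that order."""

    def __init__(self, secrets, max_skew=MAX_SKEW_SECONDS):
        self._secrets = secrets
        self._max_skew = max_skew
        # (client_id, nonce) -> time after which the entry can be dropped.
        self._seen_nonces = {}

    def verify(self, method, path, body, headers, now=None):
        """Return (True, client_id) on success or (False, reason) on failure."""
        now = time.time() if now is None else now
        client_id = headers.get("X-Client-Id")
        secret = self._secrets.get(client_id)
        if secret is None:
            return False, "unknown client"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self._max_skew:
            return False, "stale timestamp"
        nonce = headers.get("X-Nonce", "")
        if not nonce:
            return False, "missing nonce"
        self._purge(now)
        if (client_id, nonce) in self._seen_nonces:
            return False, "replay"
        expected = hmac.new(secret, _string_to_sign(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the MAC byte by byte.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # Keep the nonce until the timestamp itself falls outside the window;
        # after that a replay is rejected as stale anyway.
        self._seen_nonces[(client_id, nonce)] = ts + self._max_skew
        return True, client_id

    def _purge(self, now):
        expired = [k for k, exp in self._seen_nonces.items() if exp <= now]
        for key in expired:
            del self._seen_nonces[key]


if __name__ == "__main__":
    body = b'{"op": "sync"}'
    hdrs = sign_request("server-a", CLIENT_SECRETS["server-a"], "POST",
                        "/api/v1/items", body, int(time.time()), "nonce-0001")
    verifier = RequestVerifier(CLIENT_SECRETS)
    print(verifier.verify("POST", "/api/v1/items", body, hdrs))
    print(verifier.verify("POST", "/api/v1/items", body, hdrs))  # replay
```

The order of checks matters: the secret lookup fails closed on unknown IDs before any crypto runs, the timestamp check bounds how long a nonce must be remembered, and the nonce check runs before the MAC so a replayed valid request is rejected regardless of its signature. On GAE with several instances the nonce cache must be shared (memcache with a TTL equal to the window), otherwise a replay against a different instance goes unnoticed.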

1 Answer


I'd suggest looking into Google Cloud Endpoints, which is currently in the trusted tester phase. I discuss it in more detail in this answer, but the main things you'll get are:

  • An easy way to define your API
  • Automatic support for OAuth 2

We're primarily targeting developers building APIs in their application backends, but other "same party" (e.g. you're the API developer and consumer) uses should work equally well.

Dan Holevoet
  • Thanks Dan. This looks like the solution to exactly what we're doing here. Crossing my fingers it's going to be available in time ;-) – Carsten Germer Nov 12 '12 at 11:08