It'll have to work similarly to how OAuth works, with a window redirect. The
issue with domains is that users will be giving their credentials to a
potentially untrustworthy site, and this isn't something we want our users
to do.

We can certainly do more with authentication. For instance, if you are
logged into your Google account, go to YouTube and click "log in",
it'll log you in and redirect you. The user sees a bit of a delay as the
redirects take place, but it's otherwise invisible. We could probably do
something like this if you have logged into the given application before.
One issue is with revocation: we'd need to build something into the global
Google Accounts infrastructure that allows for OAuth-like granting and
revocation of access to specific applications.

On Tue, Mar 2, 2010 at 1:53 PM, Toby <toby.ro...@gmail.com> wrote:

> Hello Ikai,
>
> I guess many of us have the same problem. It would be good to have
> some general advice on that.
> Unfortunately GAE only offers built-in authentication for the admin
> users or for users within an Apps domain.
>
> So what I did is a simple table with the users' Gmail addresses that
> are allowed to access my app. If I can retrieve a user from the
> context and his/her email corresponds to the one I have saved, I let
> them in.
> UserServiceFactory.getUserService().getCurrentUser()
>
> If not I redirect them to the Google login page:
>
> response.sendRedirect(UserServiceFactory.getUserService().createLoginURL(redirect));
>
> This solution works quite well but somehow I do not like it. I have
> the strong feeling that I build something that must already be there
> somehow.
> Also users do not have the option to add my site as "trusted", so they
> have to log in whenever they come back to my page. I do not know how
> to work around that.
> The only advantage is that I can alternatively give users the possibility
> to create an extra account on my site...
>
> You mentioned OAuth and somewhere I read about FriendConnect. I cannot
> see how exactly that fits into the framework. Why can't we just
> have Google authentication built into GAE? With a users list, as we
> do for the account admins, and a simple rule to throw into the web.xml,
> plus some way for users to self-register if the application developer
> wants that. This way no one needs to reinvent the wheel.
>
> Does such a thing maybe already exist? Or is it on the road-map? Or is
> there a good approach you would advise?
>
> Thanks,
>
> Toby
>
> On Feb 22, 8:09 pm, "Ikai L (Google)" <ika...@google.com> wrote:
> > Providing a login inside a frame is a compromise you should never, ever
> > make. You're essentially training your users to be victims of phishing
> > attacks. By providing a login in a frame, you're essentially removing every
> > single security mechanism browsers provide to attempt to ensure users that
> > the site they are on is really the site they are on and not a password
> > stealing site. This is why many companies go out of their way to provide
> > OAuth: http://oauth.net - because this allows client developers a way to
> > authenticate users against another site's identity mechanism without having
> > users send their credentials to a potentially untrusted site itself.
> >
> > Granted, there's a bit of a disconnect on login, but this is a price we'll
> > have to pay just because this is one of the failings of browser security.
> > Savvy users have already caught on to this, and more and more mainstream
> > users will as well. This is a stopgap - when browsers are able to provide
> > native authentication mechanisms, we shouldn't have to do this anymore, but
> > we have a ways to go before this sort of thing will exist.
> >
> > On Sun, Feb 21, 2010 at 3:21 PM, John V Denley
> > <johnvden...@googlemail.com> wrote:
> >
> > > The frame works fine when logging in. If it's a security risk please
> > > elaborate, I'm only using Google accounts because I don't really know
> > > how to do my own security, and I'm guessing that even using Google via
> > > a frame is more secure than trying to do it myself!
> >
> > > When creating an account it does not take the user back to the
> > > original page as there is a total disconnect after the user clicks on
> > > the link in the email sent from google. Google have informed me that
> > > this is a known issue, but has a low priority (which is
> > > understandable).
> >
> > > I have now created what I think is a reasonable compromise. Only time
> > > will tell if our potential customers are ok with the process!
> >
> > > On Feb 18, 7:04 pm, Brian <bwa...@gmail.com> wrote:
> > > > You shouldn't use a frame. It is a security problem, and right of
> > > > Google login code to break out of it.
> >
> > > > After they make a new account, if not using a frame, I believe it
> > > > forwards the user back to the page they were trying to go to. Seems to
> > > > work pretty well.
> >
> > > > On Feb 18, 8:40 am, John V Denley <johnvden...@googlemail.com> wrote:
> >
> > > > > I have been trying to leverage Google accounts for security for my
> > > > > users, but the way it's working is really preventing usability within
> > > > > my application, it's very frustrating.
> >
> > > > > I've just spent the best part of the last week trying to get the Google
> > > > > account login to work in a frame within my application. I've run into
> > > > > a number of related issues (see other threads in the GWT group) which
> > > > > I have managed to work through finally. (Thanks to everyone who helped
> > > > > out and provided input.)
> >
> > > > > However, I have just tried clicking on the "create an account now"
> > > > > link which is what will be used by any new user who doesn't currently
> > > > > have a Google account, but the account creation window has "frame
> > > > > breakout" code on it, which takes my users away from my application
> > > > > again, and then after clicking on the email link to confirm their new
> > > > > account, the user is NOT taken back to my application but is just
> > > > > congratulated for creating a Google account.
> >
> > > > > The problem is that the user is then left thinking "now what do I do?"
> > > > > and several of the people we are talking to have just given up at that
> > > > > point!
> >
> > > > > Has anyone else successfully integrated Google accounts into their
> > > > > applications?
> >
> > > > > Should I create my own logins rather than using Google accounts? I
> > > > > have struggled with getting a consistent answer to the problem of how
> > > > > to send passwords to the server given that GAE doesn't support SSL or
> > > > > HTTPS yet. Everyone seems to say that any client side encoding is
> > > > > pointless, but it seems to me that some form of encoding has to be
> > > > > better than not encoding at all!!
> >
> >
> > > --
> > > You received this message because you are subscribed to the Google Groups
> > > "Google App Engine for Java" group.
> > > To post to this group, send email to
> > > google-appengine-j...@googlegroups.com.
> > > To unsubscribe from this group, send email to
> > > google-appengine-java+unsubscr...@googlegroups.com.
> > > For more options, visit this group at
> > > http://groups.google.com/group/google-appengine-java?hl=en.
> >
> > --
> > Ikai Lan
> > Developer Programs Engineer, Google App Engine
> > http://googleappengine.blogspot.com | http://twitter.com/app_engine
>



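The allow-list-and-redirect pattern Toby describes (check the current user against a table of permitted addresses, otherwise send the browser to createLoginURL) written out as a servlet filter for App Engine/Java, with the full-page redirect Ikai insists on instead of a framed login. This is an added example, not code from the thread; the class name, the constructed ALLOWED set and the web.xml filter mapping are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

// Gate every request behind Google Accounts plus an allow-list of addresses.
// Assumed: web.xml maps this filter onto the URL space that needs protecting.
public class AllowListFilter implements Filter {
    // Constructed sample allow-list; a real app would load this from the datastore.
    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList("alice@example.com", "bob@example.com"));

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest sreq, ServletResponse sres, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) sreq;
        HttpServletResponse res = (HttpServletResponse) sres;
        // Login is always a full-page redirect; also refuse to let our own pages
        // be embedded in someone else's frame.
        res.setHeader("X-Frame-Options", "DENY");
        UserService users = UserServiceFactory.getUserService();
        User user = users.getCurrentUser();
        if (user == null) {
            // Not signed in: go to Google's login page and come back to this URL.
            // The destination is built from the request path, never from a
            // client-supplied parameter, so it cannot be turned into an open redirect.
            String dest = req.getRequestURI();
            if (req.getQueryString() != null) dest += "?" + req.getQueryString();
            res.sendRedirect(users.createLoginURL(dest));
            return;
        }
        if (!isAllowed(user)) {
            // Signed in but not on the list: 403, not another login redirect,
            // which would loop forever for a valid but unlisted Google account.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Account not authorised");
            return;
        }
        chain.doFilter(req, res);
    }
    // Gmail addresses are not case-sensitive, so normalise before the lookup.
    static boolean isAllowed(User user) {
        String email = user.getEmail();
        return email != null && ALLOWED.contains(email.toLowerCase());
    }
}
```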