Thanks all. Ikai Lan, the security issue I was thinking of was session
hijacking. But I've since come across gae-sessions
(https://github.com/dound/gae-sessions) and am taking them at their word that they've got
that figured out. :-)
So what I'm doing now is creating a user object upon OAuth sign
One thing to keep in mind is that LinkedIn's API does not provide a
method to obtain a User's email address. On my site, when a user
signs in, I check whether their LinkedIn ID already exists in my
database. If it doesn't, I prompt them to register their email
address the first time they sign in.
Yeah, you'd have to handle your own users. Use a unique identifier for the
User as the key. What security issues were you worried about?
--
Ikai Lan
Developer Programs Engineer, Google App Engine
Blogger: http://googleappengine.blogspot.com
Reddit: http://www.reddit.com/r/appengine
Twitter: http:/
Thanks for the feedback, Ikai!
So it sounds like if I want to use LinkedIn as my only "login" option
using their OAuth service, then I'll need to roll my own management of
users, rather than relying on the users service. It seems like
users.get_current_user() would not work for me if I'm neither us