What are the different options for social authentication on Appengine - how do they compare?

2024/4/14 18:24:26

[This question is intended as a means to both capture my findings and sanity check them - I'll put up my answer toute suite and see what other answers and comments appear.]

I spent a little time trying to get my head around the different social authentication options for (python) Appengine. I was particularly confused by how the authentication mechanisms provided by Google can interact with other social authentication mechanisms. The picture is complicated by the fact that Google has nice integration with third party OpenID providers but some of the biggest social networks are not OpenID providers (eg facebook, twitter). [Note that facebook can use OpenID as a relaying party, but not as a provider].

The question is then the following: what are the different options for social authentication in Appengine and what are the pros and cons of each?


In my research on this question I found that there are essentially three options:

  1. Use Google's authentication mechanisms (including their federated login via OpenID)

    • Pros:
      • You can easily check who is logged in via the Users service provided with Appengine
      • Google handles the security so you can be quite sure it's well tested
    • Cons:
      • This can only integrate with third party OpenID providers; it cannot integrate with facebook/twitter at this time
  2. Use the social authentication mechanisms provided by a known framework such as tipfy, or django

    • Pros:
      • These can integrate with all of the major social authentication services
      • They are quite widely used so they are likely to be quite robust and pretty well tested
    • Cons:
      • While they are probably well tested, they may not be maintained
      • They do come as part of a larger framework which you may have to get comfortable with before deploying your app
  3. Roll your own social authentication

    • Pros:
      • You can do mix up whatever flavours of OpenID and OAuth tickles your fancy
    • Cons:
      • You are most likely to introduce security holes
      • Unless you've a bit of experience working with these technologies, this is likely to be the most time consuming

Further notes:

  • It's probable that everyone will move to OpenID eventually and then the standard Google authentication should work everywhere
  • The first option allows you to point a finger at Google if there is a problem with their authentication; the second option imposes more responsibility on you, but still allows you to say that you use a widely used solution if there is a problem and the final option puts all the responsibility on you
  • Most of the issues revolve around session management - in case 1, Google does all of the session management and it is pretty invisible to the developer; in case 2, the session management is handled by the framework and in the 3rd case, you've to devise your own.

Related Q&A

Is there any way to get source code inside context manager as string?

Source code of function can be received with inspect.getsourcelines(func) function. Is there any way to do same for context manager?with test():print(123)# How to get "print(123)" as line he…

Create temporary file in Python that will be deleted automatically after sometime

Is it possible to create temporary files in python that will be deleted after some time? I checked tempfile library which generates temporary files and directories.tempfile.TemporaryFile : This functi…

Python GTK+ Canvas

Im currently learning GTK+ via PyGobject and need something like a canvas. I already searched the docs and found two widgets that seem likely to do the job: GtkDrawingArea and GtkLayout. I need a few b…

Python, can someone guess the type of a file only by its base64 encoding?

Lets say I have the following:image_data = """iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg=="""This i…

Extract only body text from arXiv articles formatted as .tex

My dataset is composed of arXiv astrophysics articles as .tex files, and I need to extract only text from the article body, not from any other part of the article (e.g. tables, figures, abstract, title…

why is python reusing a class instance inside in function

Im running a for loop inside a function which is creating instances of a class to test them. instead of making new classes it appears to be reusing the same two over and over.Is there something Im miss…

How to set locale in Altair?

Im successfully creating and rendering a chart in Altair with a currency prefix ($), but I need this to be set to GBP (£). I know that theres a Vega-lite formatLocale which can be set, but I cant …

Show/hide a plots legend

Im relatively new to python and am developing a pyqt GUI. I want to provide a checkbox option to show/hide a plots legend. Is there a way to hide a legend? Ive tried using pyplots _nolegend_ and it ap…

Difference between iterating over a file-like and calling readline

I always thought iterating over a file-like in Python would be equivalent to calling its readline method in a loop, but today I found a situation where that is not true. Specifically, I have a Popend p…

Creating `input_fn` from iterator

Most tutorials focus on the case where the entire training dataset fits into memory. However, I have an iterator which acts as an infinite stream of (features, labels)-tuples (creating them cheaply on …