Authorizing an application in App Engine requires a service account, which is an account that belongs to your application instead of to an individual end user. Service accounts are used to authorize calls to Google APIs and other services.
Google offers three methods for authorizing a service account’s call to Google APIs:
|Application Default Credentials||Application Default Credentials use the built-in service account for a Google Cloud Platform project. It’s the easiest way to connect to Google Cloud Platform APIs.|
|OAuth 2.0 Authorization||OAuth 2.0 authorization is the best way to authorize app hosting, VMs, or services outside of Google Cloud. You can create your own OAuth 2.0 authorization tokens to access to Google APIs.|
|G Suite Domain-Wide Delegation of Authority||Domain-wide delegation of authority allows you to grant third party applications domain-wide access to application data. It builds on OAuth 2.0 to authorize access across a domain of G Suite accounts.|
Application default credentials
Application Default Credentials provide the easiest way to get and use service account credentials for calling other Google Cloud Platform APIs. Application Default Credentials use the built-in service account for a project running on App Engine or Compute Engine.
Application Default Credentials are best suited for cases when the call needs to have the same identity and authorization level for the application independent of the user. This is the recommended approach to authorize calls to Google Cloud Platform APIs, particularly when you're building an application that is deployed to App Engine, Kubernetes Engine, or Compute Engine virtual machines.Examples for using Application Default Credentials are available in the Google Identity Platform documentation.
OAuth 2.0 authorization
If you're using app hosting or VMs outside of Google Cloud Platform, you can create your own OAuth 2.0 authorization tokens to access to Google APIs. Using OAuth 2.0 to Access Google APIs describes how to use the OAuth 2.0 libraries provided by Google to call Google APIs. For an interactive demonstration of using OAuth 2.0 with Google (including the option to use your own client credentials), you can try the OAuth 2.0 Playground.The Google APIs Client Library for Python has special support for App Engine applications. In particular, there are decorators and classes that simplify the OAuth 2.0 protocol steps.
If you want your app to call user data from another Google service, you'll need to set up OAuth 2.0 for Web Server Applications. For example, if you want to pull a user's data from Google Drive and bring it into your app, use OAuth 2.0 for Web Server Applications to share specific data while keeping other data, such as usernames and passwords, private.
G Suite domain-wide delegation of authority
If you have a G Suite domain, an administrator of the G Suite domain can authorize an application to access user data on behalf of users in the G Suite domain. For example, an application that uses the Google Calendar API to add events to the calendars of all users in a G Suite domain would use a service account to access the Google Calendar API on behalf of users.
Authorizing a service account to access data on behalf of users in a domain is sometimes referred to as "delegating domain-wide authority" to a service account. This still uses OAuth 2.0, and requires a G Suite domain administrator to authorize domain-wide authority to the service account.
The G Suite Domain-Wide Delegation of Authority page contains examples of how to implement this. More information on using OAuth 2.0 to set up Domain consumer scenarios is available at Google Accounts Authentication and Authorization.