Authorizing an application in Google App Engine requires a service account, which is an account that belongs to your application instead of to an individual end user. Service accounts are used to authorize calls to Google APIs and other services.
Google offers three methods for authorizing a service account’s call to Google APIs:
| Method | Description |
|---|---|
| Application Default Credentials | Application Default Credentials use the built-in service account for a Google Cloud Platform project. It's the easiest way to connect to Google Cloud Platform APIs. |
| OAuth 2.0 Authorization | OAuth 2.0 authorization is the best way to authorize app hosting, VMs, or services outside of Google Cloud. You can create your own OAuth 2.0 authorization tokens to access Google APIs. |
| Google Apps Domain-Wide Delegation of Authority | Domain-wide delegation of authority allows you to grant third-party applications domain-wide access to application data. It builds on OAuth 2.0 to authorize access across a domain of Google Apps accounts. |
Application default credentials
Application Default Credentials provide the easiest way to get and use service account credentials for calling other Google Cloud Platform APIs. Application Default Credentials use the built-in service account for a project running on Google App Engine or Google Compute Engine.
Application Default Credentials are best suited for cases where every call should carry the same identity and authorization level for the application, independent of the user. This is the recommended approach for authorizing calls to Google Cloud Platform APIs, particularly when you're building an application that is deployed to Google App Engine, Google Container Engine, or Google Compute Engine virtual machines. Examples of using Application Default Credentials are available in the Google Identity Platform documentation.
OAuth 2.0 authorization
If you're using app hosting or VMs outside of Google Cloud Platform, you can create your own OAuth 2.0 authorization tokens to access Google APIs. Using OAuth 2.0 to Access Google APIs describes how to use the OAuth 2.0 libraries provided by Google to call Google APIs. For an interactive demonstration of using OAuth 2.0 with Google (including the option to use your own client credentials), you can try the OAuth 2.0 Playground. The Google APIs Client Library for Python has special support for Google App Engine applications; in particular, it provides decorators and classes that simplify the OAuth 2.0 protocol steps.
If you want your app to access a user's data in another Google service, you'll need to set up OAuth 2.0 for Web Server Applications. For example, if you want to pull a user's data from Google Drive into your app, use OAuth 2.0 for Web Server Applications so that the user shares only the specific data your app needs while other data, such as usernames and passwords, stays private.
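The redirect-based exchange behind OAuth 2.0 for Web Server Applications, as an added Go example written for this page (it is not code from the original page and not Google's client library). The authorization endpoint URL and parameter names are Google's documented ones; the client ID, redirect URI and session handling are constructed placeholders. The point it shows is the `state` value: the app generates it per session before redirecting, and a callback whose `state` does not match is discarded, so a forged callback cannot bind someone else's authorization code to the victim's session.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Google's documented OAuth 2.0 authorization endpoint for user consent.
const googleAuthEndpoint = "https://accounts.google.com/o/oauth2/v2/auth"

// newState returns a random, URL-safe token. The app stores it in the user's
// session before redirecting and compares it with the value Google echoes back.
func newState() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// authorizationURL builds the consent URL the browser is redirected to.
// scopes limits the request to the data the app actually needs.
func authorizationURL(clientID, redirectURI string, scopes []string, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	q.Set("access_type", "offline") // also request a refresh token
	return googleAuthEndpoint + "?" + q.Encode()
}

// handleCallback parses Google's redirect back to the app. It refuses the
// authorization code unless the state matches the session value, which stops
// a forged callback from binding an attacker's code to the victim's session.
func handleCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s", e)
	}
	got := []byte(q.Get("state"))
	if expectedState == "" || subtle.ConstantTimeCompare(got, []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: discarding authorization code")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

func main() {
	// Constructed placeholders; a real app reads these from its OAuth client configuration.
	state, _ := newState()
	consent := authorizationURL("CLIENT_ID_PLACEHOLDER", "https://example.com/oauth2callback",
		[]string{"https://www.googleapis.com/auth/drive.readonly"}, state)
	fmt.Println("redirect user to:", consent)

	// Simulated callback carrying the same state; the returned code is what the
	// app would next exchange at Google's token endpoint for an access token.
	code, err := handleCallback("https://example.com/oauth2callback?code=CODE_PLACEHOLDER&state="+state, state)
	fmt.Println(code, err)
}
```

The scope in `main` is the read-only Drive scope, matching the Drive case in the text; requesting only the scopes the feature needs keeps the consent screen honest and limits what a leaked token can do.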
Google Apps domain-wide delegation of authority
If you have a Google Apps domain, an administrator of the Google Apps domain can authorize an application to access user data on behalf of users in the Google Apps domain. For example, an application that uses the Google Calendar API to add events to the calendars of all users in a Google Apps domain would use a service account to access the Google Calendar API on behalf of users.
Authorizing a service account to access data on behalf of users in a domain is sometimes referred to as "delegating domain-wide authority" to a service account. This still uses OAuth 2.0, and requires a Google Apps domain administrator to authorize domain-wide authority to the service account.
The Google Apps Domain-Wide Delegation of Authority page contains examples of how to implement this. More information on using OAuth 2.0 to set up Domain consumer scenarios is available at Google Accounts Authentication and Authorization.