App Engine applications can authenticate users using one of these methods: Google Accounts or accounts on your own Google Apps domains. An application can detect whether the current user has signed in, and can redirect the user to the appropriate sign-in page to sign in or, if your app uses Google Accounts authentication, create a new account. While a user is signed in to the application, the app can access the user's email address . The app can also detect whether the current user is an administrator, making it easy to implement admin-only areas of the app.
- User authentication in Go
- OAuth in Go
- Authentication options
- Signing in and out
- Accessing account information
- Google accounts and the development server
User authentication in Go
The following example greets a user who has signed in to the app with a personalized message and a link to sign out. If the user is not signed in, the app offers a link to the sign-in page for Google Accounts.
Enforcing sign in and admin access with app.yaml
If you have pages that require the user to be signed in in order to access, you can enforce this in your
The handler configuration can also require that the user be a registered administrator for the application. This makes it easy to build administrator-only sections of the site, without having to implement a separate authorization mechanism.
To learn how to configure authentication for URLs, see Requiring Login or Administrator Status.
OAuth in Go
In addition to the standard user authentication modes, users may be identified to your app via OAuth. OAuth is a protocol that allows a user to grant a third party limited permission to access a web application on his or her behalf, without sharing his or her credentials (username and password) with the third party. More information on the OAuth API, including the interaction required by clients, can be found in the OAuth documentation.
Note that using OAuth to identify your users is completely orthogonal to the standard user authentication modes. For example, pages marked with
login: required or
login: admin will refuse to load if the user is only authenticated via OAuth.
Here is a simple example of accessing OAuth user information in a Go request handler:
Your app can authenticate users using one of these options:
- A Google Account
- An account on your Google Apps domain
Choosing an authentication option
After you create your app, you can choose the authentication option you want to use. By default, your app will use Google Accounts for authentication. To choose another option, such as Google Apps domain, go to the settings page for your project in the Google Cloud Platform Console and click Edit. In the Google authentication dropdown menu, select the desired authentication type, and then click Save.
Signing in and out
An application can detect whether a user has signed in to the app with your app's chosen authentication option. If the user is not signed in, the app can direct the user to Google Accounts to sign in or create a new Google account. The app gets the URL for the sign-in page by calling a method of the Users API. The app can display this URL as a link, or it can issue an HTTP redirect to the URL when the user visits a page that requires authentication.
If your app uses Google Accounts or Google Apps for authentication, the name of your application appears on the sign-in page when the user signs in to your application, using the application name you chose when registering the application. You can change your application name in the Google Cloud Platform Console projects page. Click on the pencil icon for the project you want to rename.
Once the user has signed in or created a Google account, the user is redirected back to your application. The app provides the redirect URL to the method that generates the sign-in URL.
The Users API includes a method to generate a URL for signing out of the app. The sign-out URL de-authenticates the user from the app, then redirects back to the app's URL without displaying anything.
A user is not signed in to an application until she is prompted to do so by the app and enters her account's email address and password. This is true even if the user has signed in to other applications using her Google Account.
Accessing account information
While a user is signed in to an app, the app can access the account's email address for every request the user makes to the app. The app can also access a user ID that identifies the user uniquely, even if the user changes the email address for her account.
The app can also determine whether the current user is an administrator (a "developer") for the app. You can use this feature to build administrative features for the app, even if you don't authenticate other users. The Go, Java, PHP and Python APIs make it easy to configure URLs as "administrator only".
Google accounts and the development server
The development server simulates the Google Accounts system using a dummy sign-in screen. When your application calls the Users API to get the URL for the sign-in screen, the API returns a special development server URL that prompts for an email address, but no password. You can type any email address into this prompt, and the app will behave as if you are signed in with an account with that address.
The dummy sign-in screen also includes a checkbox that indicates whether the dummy account is an administrator. If you check this box, the app will behave as if you are signed in using an administrator account.
Similarly, the Users API returns a sign-out URL that cancels the dummy sign-in.