App Identity Python API Overview

Python |Java |PHP |Go
Code sometimes needs to determine the identifier of the application in which it is executing. This may be to generate a URL or email address, or possibly to make some run-time decision. App Engine includes an Application Identity service for this purpose.

  1. Identifying itself
  2. Asserting identity to other App Engine apps
  3. Asserting identity to Google APIs
  4. Asserting identity to other systems

Identifying itself

Application ID

The application ID can be found using the app_identity.get_application_id() method. The WSGI or CGI environment exposes some implementation details which are handled by the API.

Versioned hostnames

A related operation is the need to get the hostname part of a URL to the application. You can use the app_identity.get_default_version_hostname() method for this purpose. This is useful in certain scenarios when the application is not available at http://your_app_id.appspot.com.

Asserting identity to other App Engine apps

If you want to determine the identity of the App Engine app that is making a request to your App Engine app, you can use the request header X-Appengine-Inbound-Appid. This header is added to the request by the URLFetch service and is not user modifiable, so it safely indicates the requesting application's ID, if present.

In order for this header to be added to the request, the app making the request must tell the UrlFetch service to not follow redirects when it invokes URLFetch. That is, it must set the fetch follow_redirects parameter to False. App Engine will then automatically add the header to the HTTP response.

In your application handler, you can check the incoming ID by reading the X-Appengine-Inbound-Appid header and comparing it to a list of IDs allowed to make requests.

The following snippet shows a handler that checks an incoming app ID against a list of allowed app IDs:

import webapp2

ALLOWED_APP_IDS = ('cp-thre-pio', 'r-two-deetu')

class AssertIDHandler(webapp2.RequestHandler):
    def dispatch(self):
        app_id = self.request.headers.get('X-Appengine-Inbound-Appid', None)

        if app_id in ALLOWED_APP_IDS:
            # do something ...

Asserting identity to Google APIs

Many Google APIs support OAuth assertions to identify the source of the request. The App Identity API provides a service that creates tokens that can be used to assert that the source of a request is the application itself. The get_access_token() method returns an access token for a scope, or list of scopes. This token can then be set in the HTTP headers of a call to identify the calling application.

The following illustrates a REST call to the Google URL Shortener API. Note that the Google API Client Libraries can also manage much of this for you automatically.

import logging
    import json                # Python 2.7.
except ImportError:
    import simplejson as json  # Python 2.5.

from google.appengine.api import app_identity
from google.appengine.api import urlfetch

def create_short_url(long_url):
    scope = "https://www.googleapis.com/auth/urlshortener"
    authorization_token, _ = app_identity.get_access_token(scope)
    logging.info("Using token %s to represent identity %s",
                 authorization_token, app_identity.get_service_account_name())
    payload = json.dumps({"longUrl": long_url})
    response = urlfetch.fetch(
            headers = {"Content-Type": "application/json",
                       "Authorization": "Bearer " + authorization_token})
    if response.status_code == 200:
        result = json.loads(response.content)
        return result["id"]
    raise Exception("Call failed. Status code %s. Body %s",
                    response.status_code, response.content)

Note that the application's identity is represented by the service account name, which is typically applicationid@appspot.gserviceaccount.com. You can get the exact value by using the get_service_account_name() method. For services which offer ACLs, you can grant the application access by granting this account access.

Asserting identity to other systems

The token generated by get_access_token() only works against Google systems. However you can use the underlying signing technology to assert the identity of your application to other systems. The sign_blob() method will sign bytes using a private key unique to your application, and the get_public_certificates() method will return certificates which can be used to validate the signature.