選択した認証オプションを使用してユーザーがアプリにログイン済みかどうかをアプリで検出できます。ユーザーがログインしていない場合は、Google アカウントでのログインまたは新しい Google アカウント作成のページに移動させることができます。ログインページの URL をアプリで取得するには、Users API のメソッドを呼び出します。認証を必要とするページをユーザーが訪問した際、アプリでこの URL をリンクとして表示するか、URL への HTTP リダイレクトを発行します。
Google アカウントまたは Google Workspace を認証に使用するアプリの場合、ユーザーがログインするときに、そのアプリケーションの名前がログインページに表示されます。表示される名前は、アプリケーションの登録時に指定したアプリケーション名です。この名前は、 Google Cloud コンソールの [認証情報] ページの [アプリケーション名] フィールドで変更できます。
ログインまたは Google アカウントの作成が完了すると、ユーザーは再びアプリケーションにリダイレクトされます。アプリは、ログイン URL を生成するメソッドにリダイレクト URL を渡します。
Users API には、アプリからログアウトするための URL を生成するメソッドがあります。このログアウト URL は、アプリに対するユーザーの認証を解除してから、元のアプリの URL にリダイレクトしますが、特に何かを表示することはありません。
ユーザーがアプリにログインした状態になるのは、アプリの画面の指示に従ってユーザーが自身のアカウントのメールアドレスとパスワードを入力した場合のみです。これは、ユーザーが自身の Google アカウントを使用して別のアプリにログインした場合にも該当します。
アカウント情報にアクセスする
ユーザーがアプリにログインした状態である間は、ユーザーがアプリに対してリクエストを行うたびにアプリからアカウントのメールアドレスにアクセスできます。アプリからユーザー ID にアクセスすることもできます。ユーザー ID はユーザーを一意に識別するものであり、これはユーザーがアカウントのメールアドレスを変更した場合であっても同様です。
アプリは現在のユーザーが管理者かどうかを特定することもできます。管理ユーザーとは、閲覧者、編集者、オーナー、App Engine アプリ管理者のロールが付与されているユーザーです。この機能を利用すると、アプリの管理用の機能を開発できます。他のユーザーは認証不要であってもかまいません。Go、Java、PHP、Python の API を利用して、URL を「管理者専用」に簡単に構成できます。
ユーザーとデータストア
User Service API は、現在のユーザーの情報を User オブジェクトとして返すことができます。User オブジェクトはプロパティ値としてデータストアに格納できますが、これは避けることを強くおすすめします。このようにすると、メールアドレスもユーザーの一意の ID とともに保存されるからです。ユーザーがメールアドレスを変更すると、そのユーザーの古いメールアドレス(User に格納されている)と新しい User の値を比較したときに一致しません。代わりに、User のユーザー ID 値をユーザーの不変の一意の ID として使用します。
[[["わかりやすい","easyToUnderstand","thumb-up"],["問題の解決に役立った","solvedMyProblem","thumb-up"],["その他","otherUp","thumb-up"]],[["わかりにくい","hardToUnderstand","thumb-down"],["情報またはサンプルコードが不正確","incorrectInformationOrSampleCode","thumb-down"],["必要な情報 / サンプルがない","missingTheInformationSamplesINeed","thumb-down"],["翻訳に関する問題","translationIssue","thumb-down"],["その他","otherDown","thumb-down"]],["最終更新日 2025-09-04 UTC。"],[[["\u003cp\u003eThe Users API allows applications to check if a user is signed in, redirect them to sign-in pages, and request the creation of new Google accounts if necessary.\u003c/p\u003e\n"],["\u003cp\u003eWhile a user is signed in, applications can access their email address and a unique user ID, as well as determine if they are an administrator with specific roles like Viewer, Editor, Owner, or App Engine Admin.\u003c/p\u003e\n"],["\u003cp\u003eApplications can enforce sign-in and administrator access requirements for specific URLs directly in the \u003ccode\u003eapp.yaml\u003c/code\u003e file, redirecting users to sign-in pages if needed and back to the app upon successful authentication.\u003c/p\u003e\n"],["\u003cp\u003eApps can authenticate users using either a Google Account or an account on a Google Workspace domain, with Google Accounts being the default and can be changed in the console.\u003c/p\u003e\n"],["\u003cp\u003eThe Users API provides methods to generate both sign-in and sign-out URLs, handling redirection and authentication, and the development server uses a fake sign-in screen for testing purposes, simulating Google Account authentication without requiring actual passwords.\u003c/p\u003e\n"]]],[],null,["# Users API for legacy bundled services\n\nThe Users API allows an application to:\n\n- Detect whether the current user has signed in.\n- Redirect the user to the appropriate sign-in page to sign in.\n- Request that your application user create a new Google account if they don't have one already.\n\n| This API is supported for first-generation runtimes and can be used when [upgrading to corresponding second-generation runtimes](/appengine/docs/standard/\n| python3\n|\n| /services/access). If you are updating to the App Engine Python 3 runtime, refer to the [migration guide](/appengine/migration-center/standard/migrate-to-second-gen/python-differences) to learn about your migration options for legacy bundled services.\n\nWhile a user is signed in to the application, the app can access the user's\nemail address, as well as a unique user ID.\nThe app can also detect whether the current user is an\nadministrator (also called \"admin user\"),\nmaking it easy to implement admin-only areas of the app.\n| **Note:** An *admin* user is any user that has the Viewer, Editor, Owner, or App Engine Admin [role](https://cloud.google.com/appengine/docs/legacy/standard/python/roles). For more information on setting user roles, see [Roles that Grant Access to\n| App Engine](/appengine/docs/legacy/standard/python/access-control).\n\nUser authentication in Python 2\n-------------------------------\n\nThe following example greets a user who has signed in to the app with a\npersonalized message and a link to sign out. If the user is not signed in, the\napp offers a link to the sign-in page for Google Accounts.\n\nFirst, import the\n[`google.appengine.api.users`](/appengine/docs/legacy/standard/python/refdocs/google.appengine.api.users)\nmodule. \n\n from google.appengine.api import users\n\nThen use it to get information about the user: \n\n user = users.get_current_user()\n if user:\n nickname = user.nickname()\n logout_url = users.create_logout_url('/')\n greeting = 'Welcome, {}! (\u003ca href=\"{}\"\u003esign out\u003c/a\u003e)'.format(\n nickname, logout_url)\n else:\n login_url = users.create_login_url('/')\n greeting = '\u003ca href=\"{}\"\u003eSign in\u003c/a\u003e'.format(login_url)\n\n### Enforcing sign in and admin access with app.yaml\n\nIf you have pages that require the user to be signed in order to\naccess, you can enforce this in your `app.yaml`\nfile. If a user accesses a URL configured\nto require sign-in and the user is not signed in, App Engine redirects the user\nto the appropriate Google sign-in page, then directs the user back to your app's\nURL after signing in or registering successfully.\n\n\u003cbr /\u003e\n\nThe handler configuration can also require that the user be a\nregistered administrator for the application; that is, the user must have the\nViewer, Editor, Owner, or App Engine Admin\n[role](https://cloud.google.com/appengine/docs/legacy/standard/python/roles).\nThis makes it easy to build administrator-only sections of the site, without\nhaving to implement a separate authorization mechanism.\n\nTo learn how to configure authentication for URLs, see how to require login or\nadministrator status in the\n[`app.yaml` reference](/appengine/docs/legacy/standard/python/config/appref#handlers_login).\n\nAuthentication options\n----------------------\n\nYour app can authenticate users using one of these options:\n\n- A Google Account\n- An account on your Google Workspace domain\n\n### Choosing an authentication option\n\nAfter you create your app, you can choose the authentication option you want to\nuse. By default, your app will use Google Accounts for authentication. To choose\nanother option, such as Google Workspace domain, go to the\n[settings](https://console.cloud.google.com/appengine/settings) page for your project\nin the Google Cloud console and click **Edit** . In the *Google authentication*\ndropdown menu, select the desired authentication type, and then click **Save**.\n\nSigning in and out\n------------------\n\nAn application can detect whether a user has signed in to the app with your\napp's chosen authentication option. If the user is not signed in, the app can\ndirect the user to Google Accounts to sign in or create a new Google account.\nThe app gets the URL for the sign-in page by calling a method of the Users API.\nThe app can display this URL as a link, or it can issue an HTTP redirect to the\nURL when the user visits a page that requires authentication.\n\nIf your app uses Google Accounts or Google Workspace for authentication,\nthe name of your application appears on the sign-in page when the user signs in\nto your application. The name shown is the application name that you specified\nwhen registering the application. You can change this name in the **Application\nname** field of the Google Cloud console\n[Credentials](https://console.cloud.google.com/apis/credentials/consent) page.\n\nOnce the user has signed in or created a Google account, the user is redirected\nback to your application. The app provides the redirect URL to the method that\ngenerates the sign-in URL.\n\nThe Users API includes a method to generate a URL for signing out of the app.\nThe sign-out URL de-authenticates the user from the app, then redirects back to\nthe app's URL without displaying anything.\n\nA user is not signed in to an application until they are prompted to do so by the\napp and enter their account's email address and password. This is true even if\nthe user has signed in to other applications using their Google Account.\n\nAccessing account information\n-----------------------------\n\nWhile a user is signed in to an app, the app can access the account's email\naddress for every request the user makes to the app. The app can also access a\nuser ID that identifies the user uniquely, even if the user changes the email\naddress for their account.\n\nThe app can also determine whether the current user is an administrator for the\napp. An *admin* user is any user that has the Viewer, Editor, Owner, or App\nEngine Admin\n[role](https://cloud.google.com/appengine/docs/legacy/standard/python/roles).\nYou can use this feature to build administrative features for the app, even if\nyou don't authenticate other users. The Go, Java, PHP and Python APIs make it\neasy to configure URLs as \"administrator only\".\n| **Note:** Every user has the same user ID for all App Engine applications. If your app uses the user ID in public data, such as by including it in a URL parameter, you should use a hash algorithm with a \"salt\" value added to obscure the ID. Exposing raw IDs could allow someone to associate a user's activity in one app with that in another, or get the user's email address by coercing the user to sign in to another app.\n\nUsers and the Datastore\n-----------------------\n\nThe Users service API can return the current user's information as a User object.\nAlthough User objects can be stored as a property value in the datastore, we\nstrongly recommend that you avoid doing so because this includes the email\naddress along with the user's unique ID. If a user changes their email address\nand you compare their old, stored `User` to the new `User`\nvalue, they won't match. Instead, consider using the `User`\n*user ID value* as the user's stable unique identifier.\n\n\nGoogle accounts and the development server\n------------------------------------------\n\nThe development server simulates the Google Accounts system using a fake\nsign-in screen. When your application calls the Users API to get the URL for the\nsign-in screen, the API returns a special development server URL that prompts\nfor an email address, but no password. You can type any email address into this\nprompt, and the app will behave as if you are signed in with an account with\nthat address.\n\nThe fake sign-in screen also includes a checkbox that indicates whether the\nfake account is an administrator; that is, whether the account has the\nViewer, Editor, Owner, or App Engine Admin\n[role](https://cloud.google.com/appengine/docs/legacy/standard/python/roles). If\nyou check this box, the app will behave as if you are signed in using an\nadministrator account.\n\nSimilarly, the Users API returns a sign-out URL that cancels the fake sign-in.\n\nThe unique ID for a User object in the development server is calculated from the\nemail address. Two unique email addresses always represent two unique users in\nthe development server."]]