Hi Sandeep,

I would have thought that by using Google Accounts to authenticate users it
would eliminate the need for having a login page altogether. If the user
isn't logged in then just let the User API forward them to Google's login
page and redirect them back to your site once they've logged in. Am I right
or am I missing something here?

Jeff

On Tue, Feb 1, 2011 at 4:51 PM, Sandeep Arneja <[email protected]> wrote:

> I am in favor of google auth for all the reasons you mentioned. It
> makes things easier, more reliable and cheaper for me. My only concern
> is that most of my new users feel skeptical at first glance when
> providing their google credentials during the sign up process. During
> my demos 90% of my users have said "I hope u won't steal my google
> password". Now both you and I know that google doesn't share the users'
> private data let alone the password. The log in page even tells that
> to all users but this is not apparent and is not the user's first
> impression. Google analytics shows me that this is hurting my sign ups.
> I am considering removing google auth but would like everyone's input
> before I do so.
>
> Thanks
> Sandeep
>
> On Feb 1, 9:08 am, Jeff Schwartz <[email protected]> wrote:
> > Hi all,
> >
> > I hope you don't mind me cross posting this to both the gwt and app
> > engine groups since I'd really like to get the opinions of users on
> > both platforms.
> >
> > I'm in the middle of developing a gwt application on app engine. The
> > application's security requirements are that non members, meaning
> > those that haven't registered, are restricted to viewing only the
> > application's public 'page'.
> >
> > What I developed for authentication is home grown using my own login
> > form, client side cookies and a User entity with password and email
> > address stored in the application's data store. While my home grown
> > implementation works perfectly I am not comfortable with the security
> > implications of cookies and passing raw passwords to the server to
> > authenticate my users. I also can not use SSL at this time as
> > financial constraints unfortunately prohibit any expenditures on this
> > project.
> >
> > As I place my users' privacy and security above all else I am
> > therefore looking to implement a better solution; one that would if
> > possible eliminate my responsibility altogether of having to store
> > cookies and passwords and transport them via HTTP when authenticating.
> >
> > One alternative that I am currently considering is using Google
> > Accounts to authenticate my users along with my own User entity that
> > would store the additional information users must provide when
> > registering to use the services of my application. My User entity (not
> > to be confused with the User object provided by the User API) would
> > store the user's Google Account ID and would provide the ability to
> > determine if a user is registered simply by querying for their Google
> > Accounts ID in my datastore. It would eliminate having to store client
> > side cookies and sending raw passwords to the server. So far it seems
> > like a win-win proposition as it appears to satisfy all my use cases.
> >
> > For those who already use Google Accounts for user authentication are
> > you happy with the service? How about the services' availability track
> > record and does it provide the security you had hoped it would?
> >
> > For those using Google Accounts along with GWT have you found any
> > specific issues related to using it with GWT (I am using RPC BTW) that
> > you can relate?
> >
> > I am looking forward to reading your feedback and responses and thanks
> > in advance.
> >
> > Jeff
> >
> > --
> > *Jeff Schwartz*


-- 
*Jeff Schwartz*
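
The flow discussed in this thread (let the Users API send signed-out visitors to Google's sign-in page, then check the application's own registration record by Google Account ID), as an added example that is not code from either poster. The `Member` kind and `/register` path are hypothetical, and the filter is assumed to be mapped only to members-only URLs, not to the public page or the registration page.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.datastore.*;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

// Added example: gate members-only URLs behind Google Accounts sign-in.
public class MemberFilter implements Filter {
    // Hypothetical names chosen for this example, not taken from the thread.
    private static final String MEMBER_KIND = "Member";
    private static final String REGISTER_PATH = "/register";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        UserService users = UserServiceFactory.getUserService();
        User user = users.getCurrentUser();

        if (user == null) {
            // Not signed in: Google hosts the login form, so this application
            // never receives the password. The browser is sent back to the
            // originally requested URL after sign-in.
            resp.sendRedirect(users.createLoginURL(req.getRequestURI()));
            return;
        }
        // Key on the stable account ID rather than the e-mail address.
        Key key = KeyFactory.createKey(MEMBER_KIND, user.getUserId());
        try {
            DatastoreServiceFactory.getDatastoreService().get(key);
        } catch (EntityNotFoundException e) {
            // Authenticated by Google but not yet registered with this application.
            resp.sendRedirect(REGISTER_PATH);
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```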