On Mon, Jan 6, 2014 at 4:39 PM, Dan <[email protected]> wrote:

> I have an App Engine server that provides a REST API and would like to
> protect it with OAuth 2.0. Applications that use my REST API will be run on
> headless servers and not have any user input, i.e. no web browser redirects
> for users to enter their username and password.
>
> Twitter does more or less what I want with its Application Only
> Auth <https://dev.twitter.com/docs/auth/application-only-auth> which
> uses the Client Credentials
> Grant <http://tools.ietf.org/html/rfc6749#section-4.4> approach
> of OAuth 2.0.
>
> Does the App Engine OAuth
> service <https://developers.google.com/appengine/docs/python/oauth/> allow
> me to do this? If so how? (I find the documentation confusing and can't get
> a 2-legged approach to work in any case.) Otherwise where should I look for
> an alternative as I don't want to reinvent the wheel especially with
> security related parts of my app.

At some point a user needs to get involved: even with Twitter Application-Only Auth an application must provide a consumer key and secret which is presumably supplied by a user one way or another.

There are a couple of options here:

1. Your API can implement its own OAuth service. There are libraries available to simplify this: http://oauth.net/code/

2. You can use Google Accounts OAuth for Devices flow, outlined here: https://developers.google.com/accounts/docs/OAuth2ForDevices . During setup the client applications will need to have user interaction, but not too much; once the authorization occurs the access and refresh tokens can be used indefinitely.

3. Use the App Engine OAuth service, but work out a way to have a user configure the client application initially, then run headless for production.

-----------------
-Vinny P
Technology & Media Advisor
Chicago, IL

App Engine Code Samples: http://www.learntogoogleit.com
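
Option 1 above combined with the Client Credentials Grant (RFC 6749 section 4.4) from the question, as an added example that is not part of the original thread or of any App Engine library: the server-side logic of a token endpoint and the bearer-token check for API requests. The names `CLIENTS`, `TOKENS`, `token_endpoint` and `authenticate` are hypothetical, the client registry is constructed sample data, and the in-memory dicts stand in for a datastore; it assumes every request arrives over TLS.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, unquote_plus

# Constructed sample registry: client_id -> SHA-256 of the client secret.
CLIENTS = {"batch-worker": hashlib.sha256(b"s3cr3t-constructed").hexdigest()}
TOKENS = {}          # access token -> (client_id, expiry in epoch seconds)
TOKEN_TTL = 3600

def _basic_credentials(header):
    # Parse "Basic base64(id:secret)"; both parts are form-urlencoded (RFC 6749 2.3.1).
    try:
        scheme, value = header.split(" ", 1)
        if scheme.lower() != "basic":
            return None
        raw = base64.b64decode(value, validate=True).decode()
        cid, _, secret = raw.partition(":")
        return unquote_plus(cid), unquote_plus(secret)
    except ValueError:   # bad split, bad base64 or bad UTF-8
        return None

def token_endpoint(authorization, body, now=None):
    """Handle POST /token; returns (http_status, json_dict)."""
    now = time.time() if now is None else now
    creds = _basic_credentials(authorization or "")
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, secret = creds
    expected = CLIENTS.get(client_id, "")   # unknown client never matches
    supplied = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(expected, supplied):   # constant-time compare
        return 401, {"error": "invalid_client"}
    grant = parse_qs(body).get("grant_type", [])
    if len(grant) != 1:
        return 400, {"error": "invalid_request"}
    if grant[0] != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)       # opaque 256-bit random token
    TOKENS[token] = (client_id, now + TOKEN_TTL)
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_TTL}

def authenticate(authorization, now=None):
    """Return the client_id for a valid 'Bearer <token>' header, else None."""
    now = time.time() if now is None else now
    scheme, _, token = (authorization or "").partition(" ")
    entry = TOKENS.get(token) if scheme.lower() == "bearer" else None
    if entry and entry[1] <= now:
        del TOKENS[token]                   # expired: drop it
        entry = None
    return entry[0] if entry else None
```

The headless client keeps only its id and secret, requests a token at startup or after a 401, and sends it as `Authorization: Bearer <token>` on each API call.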
