mback2k

Reputation: 441

Migrate users from Google App Engine to Google OpenID

I migrated away from Google App Engine several months ago. But I am still relying on it for authentication, because my users are identified by their user_id attribute on GAE.

For this purpose my (now external) applications redirect the user to a Google App Engine application using an encrypted, signed and timestamped login request. The GAE application then performs the login using GAE's "Users" service. After successfully being logged in on GAE, the user is again redirected using an encrypted, signed and timestamped response to my external application. The rudimentary implementation can be found here and here. As you can see, this is very basic and relies on heavy crypto that leads to bad performance.

My external applications, in this case Django applications, are storing the user_id inside the password field of the user table. Besides the user_id, I only get the email address from GAE to store username and email in Django.

Now I would like to remove the dependency on the GAE service. The first approach which comes to mind would probably be to send an email to each user requesting him to set a new password and then perform my own authentication using Django.

I would prefer a solution which relies on Google's OpenID service so that there is actually no difference for the user. This is also preferred, because I need to send the user to Google anyway to get AuthSub tokens for the Google Calendar API.

The problem is that I couldn't find a way to get the GAE user_id attribute of a given Google Account without using GAE. OpenID and all the other authentication protocols use different identifiers.

So now the question is: Does Google provide any API I could use for this purpose which I haven't seen yet? Are there any other possible solutions or ideas on how to migrate the user accounts?

Thanks in advance!

Upvotes: 8

Views: 453

Answers (4)

Ruediger Jungbeck

Reputation: 2964

Why don't you try a hybrid approach:

  1. Switch to OpenID
  2. If your application already knows the userId, you are done
  3. If not, ask the user if he has an account to migrate
  4. If yes, log him in with the old mechanism and transfer the account
  5. If not, create a new account

Upvotes: 1

Nick Johnson

Reputation: 101139

The best way to do this is to show users a 'migration' interstitial, which redirects them to the Google OpenID provider and prompts them to sign in there. Once they're signed in at both locations, you can match the two accounts, and let them log in over OpenID in future.

Upvotes: 3

Kevin P

Reputation: 1655

Google has a unique identifier that's returned as a parameter with a successful OpenID authentication request - *openid.claimed_id*. If you switch to using OpenID you could essentially exchange the user_id for this parameter the first time a user logs in using the new method without the user noticing anything different about their login experience.

Documentation for the authentication process is outlined here. I'd recommend using the hybrid OpenID+OAuth approach so that you can associate your request token with a given id, then, upon return, verify that the openid.claimed_id matches your original request token.

Upvotes: 0

Peter Knego

Reputation: 80340

AFAIK, the only common identifier between Google Accounts and Google OpenID is the email.

  1. Get email when user logs into Google Account via your current GAE setup. Use User.email(). Save this email along with the user data.

  2. When you have emails of all (most) users, switch to Google OpenID. When user logs in, get the email address and find this user in the database.

Upvotes: 1
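
An added example, not part of any answer above: the one-time email match from the last answer combined with switching the account key to `openid.claimed_id` as in Kevin P's answer. It assumes the OpenID assertion has already been verified by an OpenID library and that the email was asserted by that provider; `Account`, `LinkError`, `login_with_openid` and all sample identifiers are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    email: str                        # saved while users still log in via GAE
    gae_user_id: str                  # legacy key ("" for accounts created later)
    claimed_id: Optional[str] = None  # set on the first OpenID login


class LinkError(Exception):
    """The assertion conflicts with an existing link; resolve by hand."""


def norm_email(email: str) -> str:
    return email.strip().lower()


def login_with_openid(accounts: Dict[str, Account], claimed_id: str,
                      email: str) -> Tuple[Account, str]:
    """Map an already-verified assertion to an account.

    accounts is keyed by normalized email. Status is 'known', 'migrated' or 'new'.
    """
    # Returning user: claimed_id is the key from now on, the email may change.
    for acct in accounts.values():
        if acct.claimed_id == claimed_id:
            return acct, "known"
    key = norm_email(email)
    acct = accounts.get(key)
    if acct is None:
        # No legacy record under this email: create a fresh account.
        acct = accounts[key] = Account(key, "", claimed_id)
        return acct, "new"
    if acct.claimed_id is not None:
        # Email already bound to another identifier: never rebind silently.
        raise LinkError(f"{key} is already linked to a different claimed_id")
    acct.claimed_id = claimed_id      # one-time migration of the legacy account
    return acct, "migrated"


if __name__ == "__main__":
    # Constructed sample data, not real identifiers.
    users = {"alice@example.com": Account("alice@example.com", "gae-id-constructed-1")}
    print(login_with_openid(users, "https://op.example/id?id=A1", "Alice@Example.com")[1])
    print(login_with_openid(users, "https://op.example/id?id=A1", "new@example.com")[1])
```

Once an account is linked, the email is no longer consulted, so a later assertion carrying the same email but a different `claimed_id` is rejected instead of taking over the account.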
