Leo

Reputation: 2072

Securing RESTful API in Google App Engine

I'm trying to figure out how to implement the following authentication flow:

  1. The user accesses a web application (most likely to be written using Ruby on Rails) and authenticates (e.g., username/password).
  2. The client consumes data via AJAX provided by a RESTful API built on Google App Engine (Python, webapp2).


Requirements:

  1. Only users authenticated in the web application (Rails) should be able to access the API hosted on App Engine.
  2. Users can have different roles in the web application (Rails), and the API (App Engine) needs to know what roles are associated with the given user to restrict access to certain data.
  3. The client should be able to call the API (App Engine) directly via AJAX, without routing all requests through the web application (Rails).

I'm looking for suggestions on how to implement such workflow. Should I use OAuth (or OAuth2) for accessing the API? Should the OAuth provider live on App Engine and the web application (Rails) ask the API for a token on behalf of the user? If so, what is the best way to allow only the web application (Rails) to request OAuth tokens? Or should I consider a completely different strategy?

Any suggestions are greatly appreciated. I'm also looking for suggestions of libraries to implement OAuth in the context above.

Upvotes: 6

Views: 1313

Answers (2)

Brent Washburne

Reputation: 13138

My solution to this same problem was to write my own three-way authentication (like OAuth):

  1. After the user is authenticated on the RoR server, it responds with a temporary token. This token is stored on the RoR server, is good for 60 seconds, and contains the user's roles.
  2. The browser sends this token (using AJAX) to the webapp2 server. It's like logging in on that server using just the token.
  3. The webapp2 server forwards the token on to the RoR server to make sure it is valid.
  4. The RoR server makes sure the token hasn't expired and immediately deletes the token to prevent duplicate requests. If the token is valid, the RoR server responds with the user's roles.
  5. If the response from the RoR server is good, the webapp2 server responds to the browser's AJAX call (in step 2) with a cookie indicating that this user is now logged in. The session should contain the user's roles.
  6. Subsequent requests to the webapp2 server will include the cookie so that server can respond according to the user's roles.

Upvotes: 0
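The six-step handoff above, simulated end to end as an added example (this is not the answerer's code and not Rails or webapp2 code). The Rails side, the App Engine side and the browser are stand-in classes and calls in one process, so the HTTPS requests of steps 2 and 3 become direct method calls; the class names, the 60-second lifetime and the role name "admin" are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 60  # the lifetime given in the answer


@dataclass
class RailsTokenStore:
    """Stands in for the RoR server's side of the handoff (steps 1 and 4)."""
    clock: Callable[[], float] = time.time
    _tokens: Dict[str, dict] = field(default_factory=dict)

    def issue(self, user_id: str, roles: List[str]) -> str:
        # Step 1: after password login, mint an unguessable one-time token that
        # carries the user's roles and expires after TOKEN_TTL_SECONDS.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "user": user_id,
            "roles": list(roles),
            "expires_at": self.clock() + TOKEN_TTL_SECONDS,
        }
        return token

    def redeem(self, token: str) -> Optional[dict]:
        # Step 4: pop the token first so that even a valid token can be used
        # exactly once, then enforce the expiry.
        entry = self._tokens.pop(token, None)
        if entry is None or self.clock() > entry["expires_at"]:
            return None
        return {"user": entry["user"], "roles": entry["roles"]}


@dataclass
class Webapp2Api:
    """Stands in for the App Engine API (steps 3, 5 and 6)."""
    rails: RailsTokenStore
    _sessions: Dict[str, dict] = field(default_factory=dict)

    def login_with_token(self, token: str) -> Optional[str]:
        # Step 3: forward the browser's token to Rails (a direct call here in
        # place of the server-to-server request the answer describes).
        claims = self.rails.redeem(token)
        if claims is None:
            return None
        # Step 5: open a server-side session holding the roles and hand back
        # the session id, which the real handler would set as the cookie value.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = claims
        return session_id

    def get_report(self, session_id: Optional[str]) -> Tuple[int, str]:
        # Step 6: authorize purely from the session that the cookie names.
        session = self._sessions.get(session_id) if session_id else None
        if session is None:
            return 401, "not logged in"
        if "admin" not in session["roles"]:
            return 403, "role 'admin' required"
        return 200, "report for " + session["user"]


def run_flow(now: List[float]) -> dict:
    """Drive the whole exchange with a controllable clock; returns outcomes."""
    rails = RailsTokenStore(clock=lambda: now[0])
    api = Webapp2Api(rails=rails)

    # Browser logs in to Rails and receives a token for an admin user.
    token = rails.issue("alice", ["admin", "viewer"])
    # Step 2: browser sends the token to the API and gets a session cookie.
    cookie = api.login_with_token(token)
    # A replay of the same token must fail because step 4 deleted it.
    replayed = api.login_with_token(token)
    # A token left unused past the TTL must be rejected.
    stale = rails.issue("bob", ["viewer"])
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = api.login_with_token(stale)
    # A viewer-only user gets a session but not the admin-only resource.
    viewer_cookie = api.login_with_token(rails.issue("carol", ["viewer"]))

    return {
        "admin_report": api.get_report(cookie),
        "replay_rejected": replayed is None,
        "expired_rejected": expired is None,
        "viewer_report": api.get_report(viewer_cookie),
        "anonymous_report": api.get_report(None),
    }


if __name__ == "__main__":
    print(run_flow([0.0]))
```

Two points the scheme leaves to the implementer: the Rails endpoint that performs step 4 should accept redemptions only from the App Engine API (for instance by requiring a secret shared between the two servers), because the token is a bearer credential and anyone who can reach that endpoint with it can learn the user's roles; and the cookie set in step 5 should carry the `Secure` and `HttpOnly` flags, since it is the long-lived credential that replaces the 60-second token.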

Drew Stoddard

Reputation: 307

I suggest you use caution if you are considering implementing an API built on the Google App Engine using OAuth for your security layer. I am currently involved in a project that is struggling to solve exactly this problem. The OAuth layer over the GAE is still new and considered by Google to be "experimental". Google's documentation is minimal at this point. What there is begins here. I wish you the best if you try to proceed, and I will do my best to offer help if you do.

Upvotes: 1
