lpic

Reputation: 560

AppIdentityService for App Engine to App Engine authentication

I am confused by the new mechanism to provide App Engine server-to-server authentication.

I have 2 apps, App1 and App2. App1 interacts with App2 through a secure RESTful interface.

The App2 interface is secured in web.xml with the admin role.

<security-constraint>
    <web-resource-collection>
        <url-pattern>/V3/publish/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

I add the App1 application identity to the App2 admin list.

Then App1 simply calls the interface using the server's application identity. According to the link below, the Application Identity API should help me here.

https://developers.google.com/appengine/docs/java/appidentity/

It seems this works just for "Google API" apps and not other systems (i.e. user App Engine apps).

Q1. Can I use the AppIdentityService to call another App Engine app in a secure manner, using the auth-constraint role?

Any help is appreciated.

-lp

Upvotes: 0

Views: 244

Answers (2)

max

Reputation: 29983

Perhaps the 'X-Appengine-Inbound-Appid' header is enough for you. It is set on App Engine to App Engine requests and cannot be set in external requests.

We use something like this in Python:

import logging

# Inside a request handler: App Engine sets this header on app-to-app calls
# and strips it from external requests, so its value identifies the caller.
app_id = self.request.headers.get('X-Appengine-Inbound-Appid', None)
if app_id not in {'some', 'other'}:
    # Not one of the allowlisted calling apps (or no header at all).
    logging.warning(u'Callback from strange caller: %s', app_id)
    ...
else:
    ...

Upvotes: 0

You can't add an application identity to another application's admin list (the email address you invite must accept the invitation).

You can use the AppIdentityService to use the application's public/private key to sign content (managed by Google, including key rotation); see "Asserting identity to other systems" and also some sample code: Google App Engine Security Module API and JWT support.

Upvotes: 1
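Putting the two answers together, as an added example that is not from the question or from either answer: App2 first trusts an allowlisted X-Appengine-Inbound-Appid header (which only App Engine can set), and otherwise checks a signed assertion carried as a bearer token. The app ids, the audience URL and the HMAC stand-in signer are constructed for the offline demo; on App Engine the signer would wrap app_identity.sign_blob and the verifier would check the signature against app_identity.get_public_certificates(), neither of which this example calls.

```python
import base64
import hashlib
import hmac
import json
import logging
import time

# Constructed allowlist: App Engine application ids that App2 trusts (assumption).
ALLOWED_APP_IDS = {"app1-prod", "app1-staging"}
# Audience App2 expects in a signed assertion (hypothetical URL).
EXPECTED_AUDIENCE = "https://app2.appspot.com/V3/publish"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _lower_headers(headers):
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def caller_from_inbound_header(headers):
    """Return the caller's app id if X-Appengine-Inbound-Appid is allowlisted, else None."""
    app_id = _lower_headers(headers).get("x-appengine-inbound-appid")
    if app_id is None:
        return None  # external request (App Engine strips the header) or not app-to-app
    if app_id not in ALLOWED_APP_IDS:
        logging.warning("Callback from strange caller: %s", app_id)
        return None
    return app_id


def make_assertion(issuer, audience, now, sign, alg):
    """Build a compact JWT (header.claims.signature, base64url) for App1 to send.

    `sign` maps bytes -> signature bytes. On App Engine it would wrap
    app_identity.sign_blob (RSA-SHA256, alg "RS256"); the demo uses HMAC (assumption).
    """
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "iat": now, "exp": now + 300}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url_encode(sign(signing_input.encode()))


def verify_assertion(token, audience, now, verify):
    """Return the issuer app id if the assertion is valid for App2, else None.

    `verify(signing_input, sig) -> bool` checks the signature; on App Engine it
    would use the certificates from app_identity.get_public_certificates().
    """
    try:
        h, c, s = token.split(".")
        sig = _b64url_decode(s)
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    if not verify((h + "." + c).encode(), sig):  # signature first, then claims
        return None
    if claims.get("aud") != audience or claims.get("iss") not in ALLOWED_APP_IDS:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims["iss"]


def authorize(headers, verify, now=None):
    """App2's decision for /V3/publish/*: trusted inbound app id, else a valid bearer assertion."""
    now = int(time.time()) if now is None else now
    caller = caller_from_inbound_header(headers)
    if caller:
        return caller
    auth = _lower_headers(headers).get("authorization", "")
    if auth.startswith("Bearer "):
        return verify_assertion(auth[len("Bearer "):], EXPECTED_AUDIENCE, now, verify)
    return None


# Constructed stand-in signer for running offline; NOT the App Engine key pair.
_DEMO_KEY = b"constructed-demo-key-not-for-production"


def demo_sign(data):
    return hmac.new(_DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(data, sig):
    return hmac.compare_digest(demo_sign(data), sig)


if __name__ == "__main__":
    token = make_assertion("app1-prod", EXPECTED_AUDIENCE, 1000000, demo_sign, "HS256")
    print(authorize({"Authorization": "Bearer " + token}, demo_verify, now=1000100))
```

The inbound-header path is the cheap one and needs no key material, which is why it is tried first; the assertion path is what an external or non-App-Engine caller would have to use, and it fails closed on a bad signature, a wrong audience, an issuer outside the allowlist or an expired token.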
