Google AppEngine ClientId and Client Secrets

Question

I am writing an travel itinerary app engine application which will interact with the calendars of my users. In order to manage access to my user's calendar I intend to use OAuth 2.0. I looked online for various code examples and the closest to what I am trying to acheive is (http://code.google.com/p/google-api-java-client/source/browse/calendar-appengine-sample/src/main/java/com/google/api/services/samples/calendar/appengine/server/?repo=samples). I have the following questions

1) I find that the server needs access to the application's client id and client secrets. Most of the sample code I have seen so far loads this from a local file. Does AppEngine give some API which will enable me to retrieve the client id and client secret without me having to worry about storing it ?

2) If I have to store the client secret in a secure fashion what are my options ?

3) What is the best way to store a user's access token and refresh token ?

Answer 1

1. It almost never changes, so hardcode it. It's only really loaded from a file in the sample programs so that you can get the samples running without touching the code.
2. See 1.
3. You can use the Google provided Credential class which uses a dedicated kind. Or, given that they are simply strings, you can store them as part of the User kind which your app almost certainly has to track your registered users.

As a tip, separate writing your oauth code from writing your calendar code. I would start by writing an app that only authorises, stores the refresh token, and refreshes the access token. You can test your access token using curl. Once you have that all working, then add your Calendar functionality as phase 2.