I am still trying to wrap my mind around the workings of OAuth/OpenID, as such...

I am developing an "installed app" that will run on computers and iPhone. A given user may install the client app on multiple machines, and all of the user's installed clients will synchronize via a centralized Google App Engine service. The GAE service will also allow multiple users to collaborate on the data produced by the installed app, via a web app.

I don't want to roll my own authentication system, for my own ease and also to spare users from yet another set of credentials. As such I was initially thinking of using Google's ClientLogin service, but then I thought OAuth/OpenID would be better because it would allow users to use not just Google credentials but also credentials from the other OpenID providers. Also, avoiding asking the user for a login/password seems more secure.

My question is... I'm not sure if this is the right use case for OAuth/OpenID. I am not accessing data from any other service, I am just looking for an authentication solution. Also, how difficult is this scenario to accomplish using Google App Engine (Java)?

Any advice and/or starting points would be much appreciated!

+3  A: 

My question is... I'm not sure if this is the right use case for OAuth/OpenID.

The "use case" for OAuth is: App X requires access to App Y. App X "asks" permission for access to App Y through your credentials. App X receives an "authorized access token".

In your case, assuming I understood correctly, you could have the App on GAE implement an OpenID consumer and have your mobile app access the GAE app through OAuth.

In other words, your approach seems like a sensible one.

jldupont
So in OAuth terminology, my installed app should be treated as the consumer, and my GAE service as the OAuth service provider. And to leverage OpenID, the GAE service would in turn use OpenID for authentication. I think I'm starting to get it. I'm starting to see that the OAuth app-browser-app pattern will be all sorts of tricky on a mobile device.
tempy
@Tempy: I believe this is accurate.
jldupont
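
The role split agreed on in this thread (installed app as OAuth consumer, GAE service as OAuth service provider that authenticates the user through OpenID) can be sketched as a small token state machine. This is an added example, not code from the original posts or from any OAuth library; the class, method names and the OpenID identifier are hypothetical, and request signing, consumer keys and callbacks are left out so that only the token lifecycle is shown.

```python
import secrets

class ServiceProvider:
    """Toy model of the GAE service acting as OAuth service provider."""

    def __init__(self):
        self.request_tokens = {}  # request token -> OpenID identifier, or None
        self.access_tokens = {}   # access token -> OpenID identifier

    def issue_request_token(self):
        # Step 1: an installed client (consumer) obtains an unauthorized token.
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = None
        return token

    def authorize(self, request_token, openid_identifier):
        # Step 2: in the browser the user signs in via an OpenID provider and
        # approves the client; the service binds the token to that identity.
        if request_token not in self.request_tokens:
            raise KeyError("unknown request token")
        self.request_tokens[request_token] = openid_identifier

    def exchange(self, request_token):
        # Step 3: the client swaps the authorized request token for an access
        # token. The request token is deleted, so it cannot be replayed.
        identity = self.request_tokens.get(request_token)
        if identity is None:
            raise PermissionError("token unknown, already used, or not authorized")
        del self.request_tokens[request_token]
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = identity
        return access

    def whoami(self, access_token):
        # Each sync call is attributed to the identity behind the token;
        # the client never sees the user's password.
        return self.access_tokens.get(access_token)

    def revoke(self, access_token):
        # One token per installed client: a lost device can be cut off
        # without affecting the user's other installations.
        self.access_tokens.pop(access_token, None)
```

Because each installation holds its own access token, the service can revoke a single device while the same user's other clients keep synchronizing.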