I am writing an application in Google App Engine Python. Due to the limited support of the App Engine environment, I have to implement some of the functionality on external dedicated servers. Is there an authentication mechanism available that will preserve login information over the external servers and App Engine?

+1  A: 

The system you want should probably work something like this:

  1. When a user visits the 'other' server with no session cookie set, the server redirects the user to a special URL on the App Engine app - let's use /authenticate - with a 'next' query string parameter that provides the URL of the next stage (described in #3).
  2. When App Engine receives a request to /authenticate, it checks if the user is signed in there. If they're not, it prompts them to sign in. Then, it generates a token for the user's session, and signs it with an HMAC, using a secret shared by both servers, and redirects the user to the URL provided in step 1, with the HMAC included in the query string.
  3. When the 'other' server receives a request to its special URL (specified in step #1), it validates that the HMAC matches, using the shared secret, and if it does, uses its own session support to set a cookie on the user's browser under its domain, to keep track of the user from then on.
  4. If the 'other' server needs to obtain more information about the user, it can use an API it shares with the App Engine server to request, out-of-band, more information about the user using the token it was given and the shared secret.

This is very similar to the procedure OAuth uses, but entirely noninteractive for the user. It's also the procedure that SSO systems such as Google Accounts use to 'transfer' sessions to other trusted parties.

Nick Johnson
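
The handoff in steps 2 and 3 of the answer above, sketched as an added example that is not part of the original answer. The query parameter names (`token`, `ts`, `sig`), the host `other.example.com`, the secret value, the 60-second lifetime and the allowlist check on `next` are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_SECRET = b"constructed-demo-secret"  # placeholder; load from config on both servers
ALLOWED_NEXT_HOSTS = {"other.example.com"}  # hypothetical host of the 'other' server
MAX_AGE = 60                                # assumed lifetime of a handoff, in seconds


def sign(token, issued):
    """HMAC-SHA256 over the session token and its issue time."""
    msg = f"{token}|{issued}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def build_redirect(next_url, session_token, now=None):
    """App Engine side (step 2): signed redirect URL, or None if 'next' is not trusted."""
    parts = urlsplit(next_url)
    # Only redirect to known hosts, so the signed token cannot be sent elsewhere.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_NEXT_HOSTS:
        return None
    issued = int(time.time() if now is None else now)
    extra = urlencode({"token": session_token, "ts": issued,
                       "sig": sign(session_token, issued)})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return parts._replace(query=query).geturl()


def verify_callback(url, now=None):
    """'Other' server side (step 3): the token if the HMAC and age check out, else None."""
    params = parse_qs(urlsplit(url).query)
    try:
        token, issued, sig = params["token"][0], int(params["ts"][0]), params["sig"][0]
    except (KeyError, ValueError):
        return None
    # Constant-time comparison, done on bytes so odd input cannot raise.
    if not hmac.compare_digest(sig.encode(), sign(token, issued).encode()):
        return None
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= MAX_AGE:
        return None  # stale or future-dated handoff
    return token  # caller now sets its own session cookie for this user
```

The timestamp limits how long a captured redirect URL stays usable; rejecting a token that has already been accepted once would need server-side state that this sketch leaves out.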