The aim of PyAMF is to provide AMF en/decoding support for Python. In helping to achieve this and actually make the library useful to people we added AMF0/3 remoting support via the *Gateway classes. RemoteObject can use many types of 'channels' to accomplish its goals - HTTP, RTMP, etc. of which PyAMF only supports HTTP (and polling at that).
RemoteObject authentication within an HTTP context is achieved via session cookies. PyAMF supports many popular web frameworks (Twisted, Django, AppEngine, web2py, WSGI) each of these providing different interfaces for using sessions. We decided early on that this would be too much to support and that in any case it really is beyond the scope of what PyAMF is meant to achieve.
PyAMF is pretty much done now (as much as any software project can be) thanks to its narrow scope. We have a few more milestones to achieve, better performance and py3k support being the main goals.
Now for some good news. AmFast already supports Flex Messaging (including RemoteObject) in pretty much whatever flavour you want, including (as I understand it) authentication out of the box. It also supports AppEngine but using PyAMF for the AMF encoding/decoding.
Plasma DS is a new fledgling project aimed at providing a full implementation of Flex Messaging for Python, including all the (sensible) features of LiveCycle Data Services (think of BlazeDS with RTMP support and data synchronisation and conflict resolution. Authors of both projects are committed to this new venture (whenever we find the time :-)) but beware that the project is very much in its infancy - no releases yet.
With all that said, back to your question :)
I would suggest taking a look at AmFast and see if that satisfies your needs. If not, then I would implement the authentication methods yourself by creating a login service method and updating the session cookie accordingly. For HTTP session support, I would suggest looking at gae-sessions for session support with AppEngine (assuming you are not using Django as part of your webapp - you don't specify)
The auth code could be a something as simple as:
from google.appengine.ext import db
from gaesessions import get_current_session
class User(db.Model):
username = db.StringProperty()
password = db.StringProperty()
def login(username, password):
q = User.all()
q.filter('username =', username)
q.filter('password =', password)
user = q.get()
if not user:
return False
session = get_current_session()
session['user'] = str(user.key())
return True
Disclaimer: Do not use this code in production, there are many security holes and is meant as a guide only.
Of course, Google provides its own auth mechanisms and you could use them instead (depends if you want the lock-in).