What are the different options for social authentication in Appengine - how are they compared?

[This question is intended as a means to both set down my conclusions and check their sanity - I will post my answer below and see what other answers and comments appear.]

I spent a bit of time trying to figure out the different social authentication options for (python) Appengine. I was particularly confused about how the authentication mechanisms provided by Google can interact with other social authentication mechanisms. The picture is complicated by the fact that Google has good integration with third-party OpenID providers, but some of the largest social networks are not OpenID providers (for example, Facebook and Twitter). [Note that Facebook can act as an OpenID relying party, but not as a provider.]

The question is: what are the different options for social authentication in Appengine and what are the pros and cons of each?

1 answer

In my research on this subject, I found that there are essentially three options:

  • Use Google authentication mechanisms (including their combined login via OpenID)

    • Pros:
      • You can easily check who is logging in through the Users service provided with Appengine.
      • Google handles security, so you can be sure that it is well tested.
    • Cons:
      • This can only be integrated with third-party OpenID providers; it cannot integrate with Facebook / Twitter at this time
  • Use social authentication mechanisms provided by a well-known framework such as tipfy or django

    • Pros:
      • They can integrate with all major social authentication services.
      • They are quite widely used, so they are likely to be fairly reliable and well-tested.
    • Cons:
      • Although they are probably well tested, they may not be supported.
      • They come as part of a larger framework that you may have to get comfortable with before deploying your application.
  • Your own social authentication

    • Pros:
      • You can mix whatever flavors of OpenID and OAuth tickle your fancy
    • Cons:
      • You will most likely find security holes.
      • If you have little experience with these technologies, this is likely to be the most time consuming.

Further notes:

  • It is likely that everyone will switch to OpenID in the end, and then Google standard authentication should work everywhere.
  • The first option allows you to point your finger at Google if there is a problem with their authentication; the second option puts a great deal of responsibility on you, but still allows you to say that you are using a widely used solution if there is a problem; and the final option puts all the responsibility on you.
  • Most of the issues relate to session management - in case 1, Google performs all session management, and this is largely invisible to the developer; in case 2, session management is handled by the framework; and in the third case, you must develop your own.
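To make the session-management point of the third option concrete, here is an added example (not part of the answer above, and not App Engine or framework code) of the minimum a self-built session has to get right: a tamper-evident token binding the identity returned by the OpenID/OAuth provider to an expiry, verified with a constant-time MAC comparison. The secret key and the identity URLs are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-key-replace-in-production"


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_session(user_id, provider, ttl_seconds, now=None, key=SECRET_KEY):
    """Return 'base64(json).base64(hmac)' binding the federated identity to an expiry."""
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "prov": provider, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return (body + b"." + _b64(_mac(body, key))).decode()


def verify_session(token, now=None, key=SECRET_KEY):
    """Return the claims dict if signature and expiry are valid, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.encode().split(b".", 1)
    if len(parts) != 2:
        return None
    body, sig = parts
    # Check the MAC before decoding anything, with a constant-time comparison.
    if not hmac.compare_digest(_b64(_mac(body, key)), sig):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired or malformed
    return claims
```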

Source: https://habr.com/ru/post/898591/